Cyberthreats are on the rise. According to a recent study, damage from cybercrime will have a worldwide cost of US$6 trillion annually by 2021, which is double the cost incurred in 2015. There is no doubt that security concerns are top of mind for any organization with a digital footprint.
We took advantage of this year’s WSJPro Cybersecurity Executive Summit in London to ask several leading companies, security consultants, and industry analysts about their biggest security concerns. Here’s what we heard:
We Don’t Know What We Should Be Doing—or Why
“What I often find with the companies I'm working with is that they don't really have a defined concern. They see a lot of reporting around data breaches, around security, and they're not really sure what they need to be doing,” said Nic Miller of cybersecurity firm Aedile Consulting, which focuses on the small business sector. “We often get the question, ‘Why would anyone be interested in targeting us?’ The truth is, all businesses are at risk. Some are high risks, some are lower risks, but there is a common thread—what I call the universal background noise of cyber. It affects every company. If you have a website, if you have an email address, [attackers] will send malicious emails.”
We Aren’t Innovating as Fast as the Bad Guys
“Our biggest concerns are whether we are innovating as fast as the people attacking us are innovating,” said Tom Ilube CBE, CEO for Crossword Cybersecurity, a UK-based cybersecurity technology and consulting firm. “There's a whole community out there that is constantly innovating different ways to attack your company, and I'm not sure the security industry is keeping up with them.” For one thing, cybercriminals cooperate informally and share ideas, all the time –a direct contrast to the silo’ed approach to cybersecurity that many companies take. “There’s a culture out there in which the CSO at one company doesn’t want to share dirty laundry with the CSO at another company,” Ilube said. “So we don’t share nearly as much as the people who are attacking us. I think if we did, we could innovate a lot faster.”
We Don’t Balance Need for Speed with Need for Proper Code Review
“As a technology company, one of my biggest concerns is the code we write,” said Chris Wallis, founder of security company Intruder. “Because of the open source movement, many companies reuse code, and a lot of that code is not subject to the same level of review as it would be if we'd written it internally. So you end up with this balance between moving quickly, which you have to do to be competitive, and having this risk that someone could insert a weakness into your code. This is a real challenge that I think pretty much every company is facing, and I'm still waiting to see a solution to the problem.”
There Aren’t Enough Security Professionals
Ensuring the security of products is a major focus for many within the technology industry. “As a company, Cisco Systems is helping customers through their digital transformation. Our biggest concern is to make sure that security is in the DNA of everything that we do, which means our product, our processes, and even the way we train our people,” explained Lorena Marciano, Cisco’s EMEAR data protection and privacy officer. “Security needs to become part of the equation when it comes to selling a product, as well as creating the next generation of leaders. There must be greater investment in educating students in university today, encouraging them to come into the field of security. The reality is that there is a big shortage of security professionals.”
What About Reputational Risk?
“Beyond financial risk is reputational risk. Customers today want to know that the company they're doing business with is a safe organization,” said Cultursys Chairman John Childress. “A hidden risk is employee trust. Employees wonder, am I working for a secure organization? Am I going to be secure? This type of risk directly impacts productivity, performance, and so on.”
Our Supply Chain May Not Be Secure
“For many companies, supply chain security is a top concern. Our customers have lots of things they want from us,” said Bridget Kenyon, global CISO for Thales eSecurity. “So, the question becomes, how do we balance that against our own risk appetite, and how do we then look at complying with contractual concerns, as well legal obligations. The threats are getting bigger, but we still have these requirements we have to meet in this rapidly changing business landscape.”
We Need a Holistic Approach
Addressing security concerns should go beyond putting specific controls in place. “I personally think security requires a companywide collaboration in order to understand the cyber risks faced by an organization. It’s important to ask what sort of risks we are facing in terms of business continuity or impact to the ability to provide a service or a product to customers,” said Inga Schorno, head of information security at Tandem Bank, a digital bank based in the UK. “So the biggest challenge, and maybe opportunity at the same time, is to always have those really broad conversations with all parts of the business, not just IT security operations. Taking a holistic approach is vital.”
David Pitlik is a long-time technology and business writer and frequent contributor to NETSCOUT’s blog.
Note: The information above is based on interviews conducted at the juin 2019 WSJ Pro Cybersecurity Executive Forum by Wall Street Journal reporters on behalf of NETSCOUT
Watch interviews with WSJPro Cybersecurity Executive Summit attendees here.