Not too long ago, Richard Clarke, a key advisor on intelligence and counterterrorism who worked within the administrations of Presidents Reagan, Clinton and George H. W. Bush, famously joked that there were “only two kinds of companies, those who’ve been hacked and know it and those who’ve been hacked and don’t know it.”
So it was a surprise to many of those at this year’s Cyber Risk Board Forum, hosted by Corporate Board Member in partnership with RSA Conference, when Clarke said that he no longer believed that to be the case. Advances in technology and security expertise have led him to revise his thinking. Companies can now stop meaningful cyber breaches—and, he said, board members should think about changing their view on the issue as well.
In researching his latest book, The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats (Penguin, 2019), he said he discovered a large number of well-known companies that have never been hacked significantly in the past 11 years. “That’s a new phenomenon. It means it’s possible to do it. And the question we asked was, ‘what’s different about those companies?’”
He found three things: A culture of security, a strong governance model and large overall spending. “Companies that are spending 8 percent, 9 percent, 10 percent, 12 percent of the IT budget can achieve a level of security today—that’s new,” he said.
In the past, according to Clarke, companies had been spending about 3 percent of their overall IT budget on security. The reason, he explained, was that back in the ’90s you just couldn’t spend much more than that. There were only a handful of potential products available to protect yourself.
“Today,” said Clarke, “major Wall Street banks we interviewed had 75, 80 different cybersecurity hardware and software programs running on their networks, from almost as many vendors. That’s a real challenge to integrate. But if you don’t have new products all the time that are keeping up with the evolution of the risk, of the evolution of threat, if you’re not keeping up with the defensive technology, you quickly get into a condition where you can be hacked.”
When it comes to determining the right amount to spend, Clarke says the key is to find the right CISO, set up a committee of the board to work with them, figure out what the risks are and design a three-year plan to minimize them.
Hyatt Hotels is one of the companies Clarke discovered that hasn’t been hacked. There, the CISO has a direct reporting line to the chairman of the board. He has no budget. When he needs something, he gets it. “Now, I know you can’t do that in every company, and you can’t do that if you have a profligate CISO. But to say, ‘I’m going to spend X amount of dollars or X percentage of my IT budget,’ that’s not the way you start. You start by figuring out the risks and your goal” and developing the budget from there.
Besides, he said, “the real difficulty in this business is people. Even if you had infinite amounts of money to spend, you couldn’t because you can’t have enough trained people to implement new programs.”
Building a Better Cyber Culture: Learning From the Transformation at Equifax
Jamil Farshchi became chief information security officer for Equifax in the wake of one of the most high-profile cyber breaches in American history. It was a blessing and a curse. On the one hand, the level of scrutiny—from regulators, lawmakers and customers—was unprecedented. On the other, the damage to the company had been so severe that Farshchi found little resistance to making the changes necessary to turn Equifax into a cyber leader.
“I used to be the CISO at Los Alamos National Laboratory,” said Farshchi. “I used to think at the time that we were the most heavily regulated organization under the sun—until I started at Equifax.”
On Farshchi’s watch, the company made a commitment of $1.25 billion to improve their security technology infrastructure and hired more than 1,000 people in the first eight months of the transformation. They also immediately underwent an extensive analysis to figure out the key controls and processes and aggregated them into an index score that they can have an independent party come in and validate every year—“a very quantifiable, measurable target for us to be able to achieve,” he said. This allows his board to benchmark performance against peers and sets off a competitive desire to best them.
“Culture is hands down the most important component,” said Farshchi, who joined in February 2018 after a stint as CISO of Home Depot. “One of the things I was encouraged by coming into Equifax was that they, in the wake of the breach, had changed the reporting structure so that security reported directly to the CEO. That is an outstanding sign of commitment to security.”
Equifax has made cyber a component of employees’ compensation, establishing metrics for measuring cybersecurity across various parts of the business and planning for how they would mature those benchmarks—and reward people accordingly. “We believe that security isn’t just security’s job. Security is everyone in the entire company’s responsibility,” he said.
Dominic Keller, global team leader for cyber risk solutions for Willis Towers Watson, agreed. “When we’re talking about culture, instituting performance management objectives in a positive way would be my recommendation. It’s an encouragement as well as a management process. And there’s no reason that can’t be done.”
The Business of Business Continuity
When it comes to board-level business continuity planning and cyber risk, Shawn Edwards, chief security officer for RSA and head of Dell’s Business Unit Security Organization, looks to see first and foremost: Is there a plan? And is it focused on the right things? “It sounds silly, but you’d be surprised sometimes,” he said. “It’ll be picking out a specific area of the business and not looking at it holistically. And I think it’s important that the continuity plan covers all of your operations.”
In a panel moderated by Phil Neiswender, president of Center for Board Excellence, now part of Nasdaq Governance Solutions, both Edwards and Colleen Birdnow Brown, a director of TrueBlue, Spark and Big 5 Sporting Goods, said that when it comes to resiliency, practice, such as tabletop exercises, is key. “From the board’s perspective, you see how management approaches it, how they discuss it, how they handle tone at the top with their decisions, and how they communicate it out,” said Birdnow Brown.
Edwards’s trick for tabletops: Keep adding twists and turns to the scenario to see what the team does. “Never stop. Don’t let it actually ever finish, just keep going and picking it apart. The idea is to kind of see how the thought process works and really look at how the organization works together.”
Beyond Compliance: Making Data Privacy a Competitive Differentiator
There’s a famous cartoon, at least among privacy experts, jokes Alisa Bergman, vice president and chief privacy officer for Adobe, where people go around saying what their superpower is, and one person has a t-shirt that says GDPR. “My superpower is that I can get board-level people to pay attention to privacy.”
True enough. But many boards are starting to see that there’s another compelling reason to protect customer data: Customers are demanding it. “If you think about the last decade as kind of grabbing as much [data] as you can, you don’t know whether or not you’re going to need it, or what you’ll need it for,” said Bergman. “Now there’s more focus on if you collect it, it becomes a responsibility. You have to be sure that you protect it. We’re seeing it as a corporate social responsibility issue… I think we’re seeing sort of a huge evolution and a seismic shift.”
As Susan Hintze, moderator and managing partner at Hintze Law and former in-house privacy counsel for Microsoft, put it: “Even the younger folks who people claim, ‘they don’t care about privacy,’ they do care about privacy.”
To accompany the shift, more companies are embracing what’s known as “privacy by design,” thinking about data privacy throughout the product-design lifecycle, instead of simply bolting it on at the end. For directors, this is a fairly niche conversation that may not surface. So, what should board members be asking?
“The first question I would want to be asked is, ‘How well are you evaluating how the company is handling data?’” said Hilary Wandall, GC and chief data governance officer for TrustArc, a role in which she serves Fortune 100 companies and SMEs overseeing the design, development and integration of privacy intelligence capabilities. “Do you have a process for that space? What levels of people are involved in that process, and how well do you monitor whether things are being appropriately addressed and timely remediated?”
Bergman said directors should ask management if data privacy is being built in ways that can adapt with agility to the fast-changing regulatory and consumer requirements around the world. And they should also be asking the most important new question: “How can privacy enhance the customer experience? How can it be a competitive differentiator for us? Where are there places that we think people will make choices based on privacy?”
Blockchain and Machine Learning: Changing the Game for Cybersecurity
At $110 billion Comcast, cybersecurity means protecting not just a network of millions of set-top boxes, but the explosion of IoT devices connected to them. To do it, Noopur Davis, executive vice president and chief product and information security officer, turned to blockchain and machine learning. There was just no other way.
After two and a half years of work, Comcast’s systems can associate a device with the identity of its owner, the application used to manage those devices and the account those devices are tied to. That means Comcast can know that your housekeeper has been allowed access on Tuesday between noon and four, holding that rule locally in an immutable, non-distributed ledger. “The blockchain allows us to do that,” she said.
They turned to machine learning to handle a similarly complex problem: analyzing the petabytes of data they generate daily for anomalies. “The numbers are pretty mind-boggling,” she said. “Today, we’re doing half a million events per second.”
Machine learning revealed many issues that weren’t cyber-related as well. “I’m not even going to tell you what those are because my lawyers will kill me,” she said. “But when we did find pings that had nothing to do with cybersecurity, it took enormous resources to fix them. Once you know about it, you have to fix it. So just be prepared for that.”
Cyber Resiliency from the Inside Out
For all the concern about ransomware scamsters and state-sponsored hackers, the seeds of most security breaches are actually planted far closer to home. For most organizations—companies and governments—insiders, not outsiders, are the biggest threat.
Just ask Jackie Atiles, director of the Insider Threat Program for the U.S. Department of State, whose job was created in the wake of two of America’s most infamous data breaches—both at the hands of insiders. “You’ve all probably heard of a little incident called WikiLeaks and Private Manning, which required the U.S. government to have a response,” said Atiles. At any given time, some 276,000 people are under the Insider Threat Program.
“We focus clearly on deterrence,” said Atiles. “The best way for us to attack this problem was literally to look at deterring it from the get-go. And the number one way we do that is teaching people indicators of what insider-threat behavior is. People are seeing it in the office before you ever see it at an IT system. That human element is huge and is often missed.”
Atiles adopted the “see something, say something, do something” mantra. It’s odd when somebody is emailing at 3 a.m. Does their boss know? Is someone using reams of paper to print out documents? Is someone suddenly hungover all the time, or depressed? “Those are kind of things that you’ll want to pay attention to.”
Jadee Hanson, chief information security officer and vice president of information systems for Code42, said independent research found 66 percent of security breaches involved insiders. “And yet, on the flip side, we look at like how much money is spent on insider-threat programs, and it’s only roughly 10 percent of the security team’s budget,” she said. “We should be thinking of this as a much bigger problem than we are.”
Emily Heath, chief trust and security officer for DocuSign, said the time to pay particular attention is when your organization shifts or closes offices or lays people off. At times like these, her advice is to monitor behavior extra closely—and tell employees you’re doing it. “It’s very important to have great relationships with legal and with human resources,” she said. “My approach to these kinds of things is always to be extremely transparent and to say, ‘We are going to be putting in some additional monitoring on your machines. And here are all of the reasons why.’”