Tag Archives: cybersecurity ventures

It’s Time for the Cyber 101 Discussion

In my role as a sales and business development consultant, I come in contact with sales professionals and business executives across numerous industries. I understand the trends involved with the integration of physical security, IT infrastructure and cyber solutions. The emergence of the Internet of Things (IoT), perhaps more appropriately described as the “Integration of Things,” has created more visibility to the convergence model generally and cyber threats specifically. That said, I see a fundamental problem with sales organizations, outside of the cyber industry, with initiating a cyber discussion. This is the first step in aligning cyber threats in the context of overall business risk, and for providing the managed services and secure products that the industry increasingly requires.

This Cyber 101 discussion is more of an informal conversation than a deep technical discussion. Cybersecurity is a confusing topic to many people and is at times assumed to be overly complex. In reality, it is a crime and espionage discussion with a rich history and interesting as a business case study. Put into this context, it is actually a compelling narrative and promotes a lively conversation that inevitably turns to the topic of operational risk and specific business issues.

See also: Best Practices for Cyber Threats  

The first step is to know your cyber history. This does not have to entail a debate as to when and how hacking evolved. I believe an appropriate starting point would be the first Gulf War. Perhaps the 1990s are ancient history for some, but most senior executives can identify. The important fact was the ease with which the U.S. military demonstrated technical dominance over the Iraqi army. Nightly newscasts of American generals proudly showing video clips of guided missiles accurately striking buildings and vehicles was enough to send chills down the spines of our nation-state adversaries, and jump start their offensive cyber commands.

“I believe the Chinese concluded from the Desert Storm experience that their counter approach had to be to challenge America’s control of the battle space by building capabilities to knock out our satellites and invading our cyber networks. In the name of the defense of China in this new world, the Chinese feel they have to remove that advantage of the U.S. in the event of a war.” –Adm. Mike McConnell (ret.), former Director NSA, and Director National Intelligence

Not to be left out, the Russian military also accelerated its cyber capabilities (post-Gulf War I), as well. In fact, many “retired” military cyber warriors established the early Russian cyber criminal syndicates and promoted global cybercrime as a business model.

As a result, cybercrime evolved, and Cyber Crime as a Service eventually exploded.  It is a well-known operational fact that you only exist as a significant Russian cybercriminal if you abide by three hard and fast rules:

  1. You are not allowed to hack anything within the country;
  2. If you find anything of interest to the government, you share it;
  3. When called upon for “patriotic cyber activities,” you serve.

In exchange, you are “untouchable” and immune from prosecution.

Tom Kellermann, CEO of Strategic Cyber Ventures, is a cyber intelligence expert, author, professor and leader in the field of cybersecurity serving as a global fellow for the Wilson Center. He is the previous chief cybersecurity officer for Trend Micro and vice president for security at Core Security. Kellermann has told me there are approximately 200 “cyber ninjas” globally: truly elite hackers. This select group of black hat ninjas realized they could produce “malware for dummies,” (or criminals with average skill sets), along with online “how to hack” support services, in return for a cut of the profits. This business model returned more personal revenue at scale, compared with individual hacking activities, with much less risk. These operations created the original “Malware as a Service” business models, and, as a result, cybercrime has since exploded. (By the way, the model provides a recurring monthly revenue stream.)

According to the Serious Organized Crime Agency (SOCA), global cybercrime has surpassed narcotics trafficking in illicit revenues, and in the U.K., more than 50% of all crime is now cyber-related. Kellerman added that cybercrime has moved from traditional burglary to digital home invasion: “The economic security of the West is in jeopardy.  Civilizing cyberspace must become a national priority.”

Research firm Cybersecurity Ventures (not to be confused with Strategic Cyber Ventures) produced a report that predicts that cybercrime worldwide will grow from $3 trillion in 2016 to more than $6 trillion annually by 2021! As a comparison, the entire gross domestic product (GDP) for the U.S. was $14 trillion in 2016.

Cybercrime today is professional, organized, sophisticated and most importantly “relentless.” These are not personal attacks. If you have any digital footprint, you are a target, period. The entire internet can be scanned for open ports within a few days, and IP cameras being activated on the internet are normally pinged within 90 seconds. You can’t hide very long. When it comes to security, the adage that “offense informs defense” is appropriate when protecting your specific business operation. A former client of mine, John Watters, CEO of iSIGHT PARTNERS (now FireEye), used an example: “A burglar and an assassin can use the same tools and tradecraft to gain entry to a location, but the intent, once inside, is very different. One wants your property; the other wants to kill your family. Prepare yourself accordingly.”

Another challenge is that the risk of cyber attack is growing. This is a dual-edged sword in many regards. IoT and the Industrial Internet of Things (IIoT) open a much wider attack surface of many more devices. However, the operational efficiencies and human productivity advances cannot be denied and will move forward. This situation creates a new reality; essentially, cyber threats are morphing from a virtual threat into a physical danger. Matt Rosenquist, cyber security strategist, Intel Security Group, explained in his 2017 ISC West Keynote address that the same controls that provide auto assist to parallel park your vehicle can be hacked to force a car (or hundreds of cars) to accelerate to high speeds and turn abruptly, causing fatal accidents. Imagine for a moment what that hack does to that specific automobile manufacturer’s reputation? Would the corporation even hope to survive?

Planes, trains and automobiles are just the beginning. Intelligent buildings, campuses, hospitals, retail outlets, branch offices and mobile emergency services, etc., all need to be secured. Security, followed closely by privacy protections, will be at the top of all buying requirements to win business.

The bottom line is that cybersecurity, like terrorism or tornados, is about risk management. This is a discussion that owners, managements and boards of directors know well. It is the responsibility of the sales professional to educate prospects and customer organizations to the sophisticated level of cyber risk that exists today and into the future. This is why understanding and explaining the evolving cybercrime business model is so important as an initial discussion.

See also: How to Anticipate Cyber Surprises  

In 2017, I have had the “Cyber 101 Discussion” with sales leadership and executives from many companies and industries:

  1. The regional insurance firm in Texas (1,000 employees) that recognizes a huge and expanding cyber insurance market opportunity generating more than $3.5 billion in 2016, and growing at 70% annually! Yet the sales organization does not know the first thing about starting the cyber dialogue with potential clients. ‘‘We know insurance, not cybersecurity.”
  2. The global video camera distributor that needs assistance in aligning marketing and sales messaging to answer customer concerns about cybersecurity. The industry needs a response to the Mirai botnet attacks that virtually guarantee that the internet will be flooded by hacks of new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.
  3. The physical security integrator that recognizes the need to provide secure solutions and endpoints for enterprise customers, but needs to provide internal cyber education while recruiting strategic partners offering cyber solutions and support resources.
  4. The domestic security monitoring company that now offers cyber managed solutions to the SMB market but struggles with positioning a compelling ROI and explains that customers cannot “quantify” the cyber risk to their business? (Hint: That’s the job of your sales organization; your customers need cyber education.)

It begins with a cyber sales comfort level within your own organization. Cyber education allows you to pass knowledge on to others as a trusted adviser. Get the Cyber 101 discussion started as a first step. Additional education and specific solutions can always be provided to secure passwords, mobile devices, access control, VMS, encryption and backups, etc. It’s a long list, but security managed services are providing recurring revenues and need to be positioned correctly.

Whether providing cyber insurance, hardening physical security equipment or selling secure managed services, the Cyber 101 discussion starts with understanding cyber history and the evolution of adversary intent. Today’s cyber threat is a component in the new definition of digital business risk. Not always overly technically complicated, but essential to be countered and monitored constantly.

Quest for Reliable Cyber Security

As we still struggle to improve physical security in the brick and mortar world, we are also greatly challenged by security issues in the cyber world. The layers of cyber protections are melting away quickly (Figure 1) as evidenced by an exponential growth in cyber crime. We are all racing rapidly away from the shores of the brick and mortar world, chasing after irresistible and addictive internet-based technology.

The Cyber War Statistics and Projections

Figure 2 shows the Lloyd’s of London estimated worldwide cyber damages in U.S. dollars for 2013 (100 Billion) and 2015 (400 Billion). The Jupiter Research projection for 2019 is $2 trillion. Cybersecurity Ventures projects $6 trillion of damage for 2021. If these projections become reality, that represents a 60-fold increase in cyber damages for the eight-year period between 2013 and 2021.

An independent Ponemon Institute study sponsored by Hewlett Packard said that, in 2016, the average U.S. firm reported cybercrime damages of $17 million. The average cyber damages were much less in non-U.S. countries, but the growth in such crimes is also increasing exponentially. The U.S. National Small Business Association study said that, on average, small businesses that had their bank accounts hacked lost an average of $32,000.

See also: 10 Cyber Security Predictions for 2017  

The Cyber War Defender Sentiment

Various IT expert surveys tell us that the majority of defenders feel that we are losing this cyber war. Here are some key disturbing sentiments:

  • An iSense Solutions survey of 250 IT professionals was conducted for Bitdefender among companies that were breached. Those that suffered cyber breaches in the last year convey the disturbing news that 74% of those that were breached don’t know how the breach happened.
  • A survey by the Ponemon Institute revealed that it took between 98 and 197 days to detect the fact that a security breach has happened.
  • An AT&T (Cybersecurity Insights) report surveyed 5,000 companies worldwide that were launching Internet of Things (IoT) devices. Only 10% of IoT developers felt that they could secure those devices against hackers. It is estimated that 10 billion devices were connected to the internet in early 2016 and that the number will grow to 30 billion devices by 2020.
  • Another Ponemon Institute survey in 2016 consisting of 643 IT experts revealed that only one-third of the IT experts surveyed consider the cloud safe from cyber attacks.
  • Cyberventures estimates that $1 trillion will be spent on cyber security products and services between 2017 and 2021.
  • Cyber experts tell us that just meeting compliance is the beginning of cyber security and not the end.
  • The World Economic Forum (WEF) stated that a “significant” amount of cybercrime and espionage still goes undetected.
  • Hacker tools are cheap, fast and becoming easier to use, providing disturbing attacker advantages.

The Cyber War Executive Summary

Let’s summarize this gloomy situation. We are in an exponential growth period of cybercrime. Anywhere from 67% to 90% of experts surveyed can relate to these comments:

  • They distrust the cloud.
  • Most do not know how or when they were hacked, if they were hacked.
  • Most do not know how to fully protect the old and new flood of internet connected devices from future hacks.
  • Just meeting compliance is insufficient against hacks and cyber attacks.
  • When hacks are noticed, they are noticed three to six months-plus after the fact.

This raises the question of how IT and security professionals will spend their security budget if they have been so unsuccessful in the past and present. This is clearly a high-risk environment and getting worse.

See also: How to Stir Dialogue on Cyber Security  

Can Cyber Strategies Rescue Us?

Classic and logical-sounding cyber strategies have been and are being rendered useless by hackers and cyber-sharks. Figure 3 depicts the sad state of worldwide cyber security. Why are most cyber strategies not working? Maybe because they focus too much on the technical and do not engage all of the enterprise resources and its culture as an additional layer of defense.

Figure 4 reminds us of the words of MIT Professor Bill Aulet, derived from the original quote by the famous management consultant Peter Drucker: “Culture eats strategy for breakfast, operational excellence for lunch and everything else for dinner.”  If our cyber strategy does not harness and engage the enterprise culture as a partner in this cyber war, we should expect only limited successes.

Can Artificial Intelligence (AI) Rescue Us?

Some are touting AI and machine learning as the “last hope” for cyber security, but some experts are also quick to confess that not all AI strategies are effective and that the cyber protection industry is only at the beginning of this journey to apply AI to cyber security. This confidence in AI also assumes that the “bad guys” will not use AI to become better hackers.

Can High-Reliability Organizational (HRO) Techniques Rescue Us?

Decades ago, high-risk organizations like nuclear submarines, aircraft carriers and nuclear power plants developed a highly successful culture-based management system that was later designated as high-reliability organizations (HRO). HROs have achieved zero-incident safety records even though they are considered high-risk. Now that every organization is thrust into the high-risk cyber world, it’s time to consider the HRO playbook and assess our cultures against custom HRO cyber criteria. Airlines, railroads, power plants, hospitals and other organizations are starting to customize HRO principles to meet their stretch goals for employee, customer and patient safety.

See also: Paradigm Shift on Cyber Security  

Figure 5 shows one of the first basic enterprise system and cultural assessments required to lay the foundation for HRO cyber thinking across all layers of the organization. Such assessments will require anonymous inputs from all stakeholders and levels to ensure that all skeletons in the closet and the taboo talk rules that limit cyber successes are exposed.

The pursuit of becoming a high-reliability cyber organization is not for the faint of heart, and it is not a quick fix. It is a set of highly disciplined principles that affect the behaviors, attitudes, decision making and accountability for every level of the enterprise cascade as summarized in Figure 6. If any of the cyber security elements in the cascade has a weak link, cyber security will be at risk. The last line of defense against cyber attacks needs to be organizational and cultural and not just technical or centered on compliance.

As the world moves toward the shocking new reality of annual multitrillion-dollar cyber damages, organizations will need to combine technical and non-technical best practices for reliability to counter cyber threats. Unfortunately, it might take one or more big business failures or a major worldwide cyber calamity before more organizations start to see the value of a combined high-performance culture and technical strategy. Great successes of HRO organizations should teach us that a combined culture and technical strategy is the best way to defend ourselves in this expanding cyber world war.