May 19, 2017
It’s Time for the Cyber 101 Discussion
by Dan Dunkel
Cybersecurity, like terrorism or tornados, is about risk management. The sales professional must educate prospects about the risk.
The emergence of the Internet of Things (IoT), or perhaps more appropriately described, the “Integration of Things.” has created more visibility to the convergence model generally and cyber threats specifically. That said, I see a fundamental problem with sales organizations, outside of the cyber industry, with initiating a cyber discussion. This is the first step in aligning cyber threats in the context of overall business risk, and for providing the managed services, secure products, and insurance coverage that the industry increasingly requires.
This Cyber 101 Discussion is more of an informal conversation than a deep technical discussion. Cybersecurity is a confusing topic to many people and is at times assumed to be overly complex. In reality, it is a crime and espionage discussion with a rich history and interesting as a business case study. Put into this context, it is actually a compelling narrative and promotes a lively conversation that inevitably turns to the topic of operational risk and specific business issues.
See also: 3 Things on Cyber All Firms Must Know
The first step is to know your cyber history. This does not have to entail a debate as to when and how hacking evolved. I believe an appropriate starting point would be the first Gulf War. Perhaps the 1990s are ancient history for some, but most senior executives can identify. The important fact was the ease at which the U.S. military demonstrated technical dominance over the Iraqi army. Nightly newscasts of American generals proudly showing video clips of guided missiles accurately striking buildings and vehicles was enough to send chills down the spines of our nation state adversaries, and jump start their offensive cyber commands.
“I believe the Chinese concluded from the Desert Storm experience that their counter approach had to be to challenge America’s control of the battle space by building capabilities to knock out our satellites and invading our cyber networks. In the name of the defense of China in this new world, the Chinese feel they have to remove that advantage of the U.S. in the event of a war”. – Admiral Mike McConnell (ret.), former Director NSA, and Director National Intelligence
Not to be left out, the Russian military also accelerated its cyber capabilities (post Gulf War I) as well. In fact, many “retired” military cyber warriors established the early Russian cyber criminal syndicates, and promoted global cyber crime as a business model. As a result cyber crime evolved, and Cyber Crime as a Service eventually exploded. It is a well-known operational fact that you only exist as a significant Russian cybercriminal if you abide by three hard and fast rules:
- You are not allowed to hack anything within the country;
- If you find anything of interest to the government you share it;
- When called upon for ‘patriotic cyber activities,’ you serve.
In exchange you are “untouchable” and immune from prosecution.
Tom Kellermann, CEO of Strategic Cyber Ventures, is a cyber intelligence expert, author, professor, and leader in the field of cybersecurity serving as a Global Fellow for the Wilson Center. He is the previous Chief Cybersecurity Officer for Trend Micro, and Vice President for Security at Core Security. Tom has mentioned to me that existence of approximately 200 “Cyber Ninja’s” globally; truly elite gifted hackers. This select group of black hat ninja’s realized they could produce “malware for dummies”, (or criminals with average skill sets), along with on- line “how to hack” support services, in return for a cut of the profits. This business model returned more personal revenues at scale, compared to individual hacking activities, with much less risk. These operations created the original “Malware as a Service” business models, and as a result cyber crime has since exploded.
According to The Serious Organized Crime Agency (SOCA), global cybercrime has surpassed narcotics trafficking in illicit revenues, and In the United Kingdom, over 50% of all crime is now cyber related. As a final thought Tom added that cybercrime has transitioned from traditional burglary to digital home invasion.
“The economic security of the West is in jeopardy. Civilizing cyberspace must become a national priority.”
Research firm, Cyber Ventures (not to be confused with Strategic Cyber Ventures), produced a report that predicts that cyber crime worldwide will grow from $3 Trillion in 2016 to over $6 TRILLION dollars annually by 2021! As a comparison, the entire Gross Domestic Product (GDP) for the U.S.A. was $14 Trillion in 2016.
Cyber crime today is professional, organized, sophisticated, and most importantly “relentless”. These are not personal attacks. If you have any digital footprint you are a target, period. The entire Internet can be scanned for open ports within a few days. When it comes to security, the old adage “Offense informs Defense” is appropriate when protecting your specific business operation. A former client of mine, John Watters, CEO of iSIGHT PARTNERS, (now FireEye), used an example: “A burglar and an assassin can use the same tools and tradecraft to gain entry to a location, but the intent, once inside, is very different. One wants your property, the other wants to kill your family. Prepare yourself accordingly”.
Another business challenge moving forward is that the risk of cyber attack is growing. This is a dual-edged sword in many regards. The Internet of Things and the Industrial Internet of Things (IIoT) opens a much wider attack surface of many more devices. However, the operational efficiencies and human productivity advances cannot be denied and will move forward. This situation creates a new reality; essentially cyber threats are morphing from a virtual threat into a physical danger. Matt Rosenquist, Cyber Security Strategist, Intel Security Group, explained in his 2017 ISC WEST Keynote address that the same controls that provide auto assist to parallel park your vehicle can be hacked to force a car (or hundreds of cars) to accelerate to high speeds and turn abruptly, causing fatal accidents. Imagine for a moment what that hack does to that specific automobile manufacturers brand reputation? Would the corporation even hope to survive? Moving forward SECURITY, followed closely by privacy protections, will be at the top of all buying requirements to win business.
The bottom line is that cybersecurity, like terrorism or tornados, is about risk management. This is a discussion that owners, management, and boards of directors know well. It is the responsibility of the sales professional to educate prospects to the sophisticated level of cyber risk that exists today and into the future. This is why understanding and explaining the evolving cyber crime business model is so important as an initial discussion.
See also: Now Is the Time for Cyber to Take Off
In 2017 I have had the “Cyber 101 Discussion” with sales leadership and executives from many companies and industries:
- The regional insurance firm in Texas (1,000 employees) that recognizes a huge and expanding cyber insurance market opportunity generating over $3.5 Billion dollars in 2016, and growing at 70% annually! Yet their sales organization does not know the first thing about starting the cyber dialogue with potential clients. ‘We know insurance, not cybersecurity”
- The global video camera distributor that needs assistance in aligning marketing and sales messaging to answer customer concerns about cyber security. The industry needs a response to the Mirai botnet attacks that virtually guarantee that the Internet will be flooded by hacks of new botnets powered by insecure routers, IP Cameras, digital video recorders, and other easily hackable devices:
- The physical security integrator that recognizes the need to provide secure solutions and endpoints for their enterprise customers, but needs to provide internal cyber education, while recruiting strategic partners offering cyber solutions and support resources.
- The domestic security monitoring company that now offers cyber managed solutions to SMB market, but struggles with positioning a compelling R.O.I. (Return on Investment), and explains that customers cannot “quantify” the cyber risk to their business? (HINT: That’s the job of your sales organization, your customers need cyber education)
It begins with a cyber sales comfort level within your own organization. Cyber education allows you to pass knowledge on to others as a trusted adviser. Get the Cyber 101 Discussion started as a first step. Whether providing cyber insurance, hardening physical security equipment, or selling secure managed services, the cyber 101 discussion starts with understanding cyber history and the evolution of adversary intent. Today’s cyber threat is a component in the new definition of digital business risk. Position accordingly.