When facing a massive data breach, a company’s status quo — and perhaps its very existence — can all be gone in a matter of seconds. Tanium co-founder & CTO Orion Hindawi and Brad Peterson, Executive Vice President and Chief Information Officer for Nasdaq, understand better than most that countless companies are teetering on the brink of a preventable catastrophe.
Orion and Brad recently sat down together to discuss what they believe are the top six questions directors should be asking. The following is a summary of their conversation.
Question #1: What are you spending on information security? What percentage of your spending on cybersecurity tools is on legacy vendors, and what percentage is on newer technology?
Brad: I can first answer the question for Nasdaq, and then provide my thoughts on the topic in general based on my interactions with other CIO/CTOs.
For us, our spending has continued to increase for information security over the past three years while our overall technology spending has remained flat. This area and the new data technologies have been the growth areas for us. In terms of legacy vendors versus newer technology, we have introduced a number of new technologies as the investment and innovation in information security solutions has really provided an impressive list of new entrants. There continues to be strong investment and a significant amount of innovation, but the focus of tools has shifted from protection — which was deemed insufficient — to faster detection and remediation capabilities. These have become a priority, for them and for us.
The vector is still up on spending. CEOs and boards have to give their tech leadership the notion and impression of carte blanche: “What can you trade off to make room in the budget?” It was a trend in the past — that new vendors will lower your costs and that technology costs can go down. That’s not the case with information security. There is much more capability, but the overall spend is going up.
Orion: Many of our clients have best-in-breed cyber divisions; they understand they are combatting new threats — like a one- or two-month-old threat that anti-virus has no chance at managing. You can’t combat a two-month-old threat with 20-year-old technology.
Question #2: Have you quantified the cost if you lost data and/or IP to a cyber attack, and have you compared that to your cybersecurity spend?
Brad: There are a number of reports available today that quantify the average cost of a cybercrime breach. For example, the latest report commissioned by IBM pegged the 2015 consolidated average cost at $3.8 million. There are a few law firms that specialize in supporting boards and companies that have been breached, and they believe the number is higher than the number stated in the IBM report. For example, one law firm reported the average to be $7 million. I think understanding the costs up front and having a dialogue with your board will help prepare everyone to assess the right mixture of investment in the information security function, the amount of insurance needed and the business risk the firm is willing to take. The long-term brand or reputation costs from a breach seem to be the most difficult to quantify and model.
Orion: With mega-breaches, the price between direct costs and brand diminution can go into the billions. Quantification is case-by-case and rigorous analysis from problem to solution — it depends on type of business, sales, data, etc.
Question #3: How do you assess the company’s risk? Do you know how many endpoints the network has and how do you control them?
Orion: It’s surprising how many CIOs cannot answer the question “How many endpoints do you have?” If you don’t know what you have, you don’t have a prayer to protect it — and it’s a board’s duty to expect an answer.
Brad: Orion is right, and in addition to knowing the number of endpoints, you have to have the tools to be able to understand what is happening on those endpoints: what software versions are installed, what is changing, what is being added. So to assess risk, the board should be satisfied that the management team has the tools and team to inventory and monitor the company’s dynamic set of endpoints. The final area to assess is the management team’s ability to respond to an emerging risk to the environment. How quickly can it remediate once a vulnerability is known?
Question #4: What is the company’s response plan in the event of a major data loss?
Orion: The best cyber teams are developing the capability to respond to threats in-house vs. bringing in an external partner. When you bring in an outside party, you are essentially absolving yourself of responsibility. And in a large-scale breach, you don’t have control of resources if you’re using outsiders. Internal response really is a core competency now, not a nice to have.
Brad: We primarily manage response with internal resources. I think third-party vendors are a valid resource when you buy a company — you need help quickly understanding the risk of a potential acquisition. Otherwise, you have to be careful that you don’t over-rely on outsiders because you think you’re better protected than you actually are. Nasdaq has a 24/7 security operations center co-located with a global network operations center.
Question #5: What’s our insurance status? Do we have coverage against losses from a cyber attack? How broad is it?
Orion: Three years ago, no one had cyber insurance.
Brad: I think the act of buying cyber insurance is a worthwhile exercise for management to engage in and report back to the board. It is proactive and opens a healthy dialogue about the potential costs of a breach, and forces a company to understand their specific types of risks from a breach. As with any type of insurance, the level of the deductible and the limitations on coverage can illuminate better uses of the funds, such as improved cybersecurity tools and staff. Whether the answer is more insurance or more investment in the information security function, assessing the level of insurance protection should be a recurring annual process.
Orion: I’ve talked to many CEOs of banks who realize cybersecurity is their #1 business threat. It can doom a financial services company, and it’s not hard to imagine it happening. There’s a huge existential reason CEOs are worried.
There isn’t a perfect solution, but there are better solutions. They may be expensive, but most companies have underinvested and they are playing catch-up. We all know what we’re supposed to be doing. Unmanaged assets, inventory... we were supposed to be doing this the whole time.
Question #6: Is our security team able to get all the intelligence they need from third parties? Can they effectively use that data to manage or ameliorate threats?
Brad: We are unique because we’re regulated and considered critical infrastructure, so Nasdaq coordinates very closely with government partners like the Department of Homeland Security, FBI and other government agencies. We also subscribe to the leading commercial threat vulnerability notification services to round out our intelligence.
Orion: There are two very important parts of this question: do you have the relationships you need to get data from the government and pertinent threat streams? Then, just as important, do you have the tools to consume that data efficiently?