Digital trust and cyber challenge now extends beyond the Enterprise
1. Developing Egon Zehnder’s role in cybersecurity
securing cyberspace
Consultants: Kal Bittianda, Selena LaCroix
Project Mentor: Karena Man
Intern Team: Lulu Chang, Kayla Kesslen, Emmeline Kim, March 2014
Charged with understanding the increasing prominence/importance of cybersecurity for clients and developing a distinct point of view on cybersecurity talent
Hot-button issue following Target, Yahoo, etc.
The root of the problem seems to be interconnectivity without a complete understanding of it, leaving organizations unprepared
The result is ultimately overall loss: payouts and customer loss
Target: $1B loss, 46% drop in revenue; $136 recovery cost per record
Highlight a few points from each example (namely government)
Not JUST Target/retail: Kickstarter, Snapchat, the Navy (Iran infiltrated their intranet), signa software (broke into the software and published health insurance info for individuals from 3 NY-based nursing homes)
78% of businesses surveyed by BAE Systems increased their cyber budgets as a result of these attacks
What is contributing to this problem?
Growth in access points means an increase in vulnerable areas of attack
Credit cards: more than doubled from 2006 to 2011
Exponential e-commerce growth (today about $180B)
Cloud adoption increasing, particularly platform as a service (Facebook/Google)
Previous trends mirror those of data breach costs
Data breach costs more than doubled from 60 billion to 130 billion in 5 years; 82% of BAE-surveyed companies think attacks will increase
Increased cost → increased opportunities
Access points written on top
Despite these trends, it seems that CIOs are caring less:
Today, the #1 CIO business priority is increasing enterprise growth, and the #1 technology priority is analytics & business intelligence
Disconnect: the majority of companies think cybersecurity is a top-3 business risk
Another issue is a false sense of security: Target was breached by way of a small company it hired to do its heating/refrigeration
Underutilized potential asset is the CISO role
A lot of transition in technology officers
Most turnover in financial services/retail
The majority of companies are not hiring from within
The vast majority of new external hires come from other industries and backgrounds
The role first emerged in 2001 after the Patriot Act mandated an IT official for companies, but not all of these officials took the “CISO” name
Of Fortune 100 CISOs:
60% hired in last 3 years
70% of CISOs were external hires who entered new industries
30% of CISOs in financial services sector
http://www.mediapost.com/publications/article/122502/#axzz2h9oH0BUP
http://enterprise.alcatel-lucent.com/private/active_docs/Genesys_US_Survey09_screen.pdf
CIO set vision & strategy
VP of infrastructure is too techy
Need someone more specialized for cybersecurity
Chef analogy: CIO (executive chef), VP of Infrastructure (sous chef), CISO (pastry chef: desserts are the best part)
Tech skills remain the same, but the role is now more forward- and outward-facing; it needs to coordinate: ANTICIPATE AND FACILITATE, not just say no
Transition happened around 2008 (incidentally, also the biggest spike in tech officers hired)
EXPLAIN chip-and-PIN (the tap system cannot be copied, unlike swipe, and it relies on a PIN, which cannot be forged, unlike a signature): 61% decrease in UK credit fraud, 70% increase
Executive collaboration
Example of an unengaged board: the energy/utilities sector, one of the most regulated industry sectors
79% of their boards rarely or never review roles and responsibilities
71% of their boards rarely or never review privacy and security budget
64% of their boards rarely or never review top-level policies
57% of their boards rarely or never review security program assessments.
The best offense is a good defense: need to prepare before attacks happen by fostering a culture of security conscientiousness
BAE survey: companies believe that a clear understanding of, and intelligence about, threats are the top methods of prevention
Today, 31% of companies don’t believe their boards understand risks, and they are right: only 24% of boards report engagement with cybersecurity and 22% report engagement with emerging technologies
Otherwise, the reactive approach is reputation/brand management and payments
Egon Zehnder recognizes that even though tech officers must be interdisciplinary, there is still a scale: exploring different dimensions
Finally, just want to close with success stories
SAY THEIR NAMES/COMPANIES
Deliverable: pitch deck that provides a storyline to be used by consultants in the space
The US has no official legislation, whereas Europe has outlined directives
In Europe, chip-and-PIN cards have replaced face-to-face debit cards, decreasing the incidence of card fraud
Note: The EU-US Working Group on Cybersecurity and Cybercrime was established to address global issues, but no concrete actions have been taken
http://www.bankinfosecurity.com/7-duties-for-cisos-under-fisma-reform-a-5620 (CISO role info)
http://www.cio.com/topic/3174/CIO_Role (CIO role info)
http://www.terremark.com/blog/role-cios-ever-evolving-cio-responsibilities/ (CIO role info)
http://www.informationweek.com/it-leadership/6-must-have-skills-for-aspiring-cios/d/d-id/1103925? (CIO role info)
http://searchcio.techtarget.com/definition/infrastructure-management (infrastructure role info)