cyber forbesAriel Evans is an American Israeli cybersecurity expert, entrepreneur and business developer. Evans is the go-to person in Israel that connects cyber startup companies to funding and business development opportunities. Today she manages over Israeli 30 companies, secures them venture funding, M&A opportunities, and channel sales. She has raised over $200 million in the U.S. with private equity and venture capital firms. Formerly, Evans was the Chief Information Security Officer for a major telco in the United States. Additionally, she was a leader on Wall Street in Risk and Compliance having held positions at The McGraw-Hill Company, XL Capital, JPMorgan Chase, and Merrill Lynch as well as Lockheed Martin. Her insight into regulation, governance and business inter-connectivity technology allowed her to provide expert guidance to the Department of Homeland Security, The Payment Card Industry & other governing bodies that are accountable for reducing risk and ensuring secure financial, medical and personal data.

Christopher P. Skroupa: What are the biggest trends that you have seen in cybersecurity over the past five years?

Ariel Evans: Cybersecurity has become a boardroom conversation. Chief executive officers and directors are now addressing and owning the cybersecurity risk. The most drastic shift in cybersecurity is the emergence of thought leadership; organizations are changing the way they respond to cyber threats moving from a reactive to proactive approach. It is no longer adequate to speak solely in terms of technological vulnerabilities such as insufficient patching of servers and network specific devices. Instead, organizations have begun to appraise the value of their assets and calculate how secure they are against a cyber-attack. New questions are now meticulously deliberated, for instance: how much cyber risk do we have? How much cyber insurance do we need? Are we doing enough to protect the most critical business assets or processes, such as customer credit card information or personally identifiable information? Attention is shifting toward protecting the most critical business assets or processes rather than buying groovy cyber technology.

Skroupa: How has the role of the chief information security officer (CISO) changed?

Evans: The CISO is no longer a network guru, but instead a risk manager. They are responsible for understanding the cyber risk associated with each asset in order to tactically manage the cybersecurity program across people, processes, and tools. Their goal is to align the ascertained cyber risk within acceptable risk tolerances. Furthermore, the CISO is beginning to report to the chief financial officer (CFO) rather than the chief information officer (CIO). A conflict of security agendas has arisen, as operational-based information technology and cyber are not conducive to a world-class cybersecurity program. Now that cyber is a boardroom issue about business assets, the CFO is more involved and more responsible.

Skroupa: What does an organization need to know in order to understand how effective their cybersecurity program is?

Evans: Lots. Again, cybersecurity is a compilation of people, processes, and tools. If just one leg of that three-legged stool is broken, the stool fails. The same thing applies to cyber. Effectiveness can be measured in relation to the National Institute of Standards and Technology (NIST) cybersecurity framework. The NIST Special Publication 800-53 combines both cyber controls as well as organization controls in order to create a complete cyber picture. An automated cyber risk management platform tremendously helps CISOs to understand risk. This automation facilitates the process of prioritizing the work, rather than simply guessing or using stale, nine-month-old audit data. Cyber Threat Intelligence also helps to determine the effectiveness of an ongoing effort, requiring standards and assessments to be compared with configurations, best practices, and most importantly, common sense.

Skroupa: What are the most common issues that organizations face in cybersecurity?

Evans: The most common issue is the lack of skilled people. Thankfully, we are seeing innovation in automated cyber tools to assist the personnel. Some of these tools provide the ability to keep malware out, as well as the ability to look within the organization’s current state to see what malware is already in. Organizations can now accomplish more with less, due to these Cyber Risk management tools and other forms of automation.

Skroupa: What are your predictions for the next five years?

Evans: I believe that budgets will move out of information technology and into their own line item. In addition to this, I predict there will be a rapid growth in sophisticated cyber tools as well as automation. With these emerging technologies, information will be easily shared across subsidiaries which will lead to more mergers and acquisitions. Currently, there are many cyber tools that are feature or project based, these are excellent candidates for acquisition by larger, more multifaceted vendors.

We are only now just seeing the tip of the iceberg in cyber, and we haven’t even begun to see what’s under that iceberg. We are in the midst of a cyber revolution of sorts—similar to the industrial revolution—however this process is reactionary instead of a proactive process. As we struggle to protect our financial and nation state assets, cyber will become more scalable in order to address the expanding risks. Eventually, cyber will not be built on top of existing technologies, but instead will be integrated and baked in front of the automation. The companies that will survive and thrive already have this approach in mind as they develop new products such as smart cities, cryptocurrencies, and other internet of things (IOT) solutions. Cyber will dominate the conversations and become a critical success factor for future economic growth.