MacDonnell Ulsch is Managing Director of Cybercrime and Breach Response at PricewaterhouseCoopers LLP. He served on the United States Secrecy Commission and is the author of two books, “Cyber Threat! How to Manage the Growing Risk of Cyber Attacks” (Wiley, 2014) and “THREAT! Managing Risk in a Hostile World” (The IIA Research Foundation, 2008). Ulsch has advised a variety of private sector and federal agency clients and has led many complex breach investigations.
Christopher Skroupa: In previous discussions, you’ve mentioned the “shark fin effect,” relating it to how executives perceive cyber threats. Tell us what you mean by this and why it is cause for concern.
MacDonnell Ulsch: Over the years, the media has played a key role in shaping the perception of what constitutes a data breach. The common perception is that a data breach is defined as identity theft, the compromise of personal or health information, for example. That’s the shark fin—it’s the threat we see, that fin breaking the surface of an otherwise calm sea. But the fin only beacons what we don’t see—the actual shark. These breaches do not fully define the threat and risk associated with cyber attacks. Rather, they are simply the visible embodiment of a breach because of the many regulatory requirements to enter these breaches into the public record. But what’s beneath the surface may be the greater threat, producing the greater risk impact. The compromise of trade secrets, intellectual property, and other proprietary information is reported less often and has not captured the popular imagination, and that is understandable. But the compromise of proprietary information is arguably more insidious. Among compromised proprietary information are the technologies and marketing plans and other critical information that fuel the economies of commerce globally. The loss of this information is a national economic security crisis. Coverage of these breaches is beginning to change, as the media becomes more aware of, for example, nation-state sponsored cyber attacks against the US industrial and critical infrastructure base. But ask the average executive today to define a cyber attack, and you’ll hear about the latest retail establishment that’s suffered a breach.
Skroupa: Who are today’s greatest perpetrators in cyber hacking? How are they different from 5 years ago, or even 1 year ago?
Ulsch: Today’s hackers are nation-states, terrorists (domestic and foreign), transnational criminal enterprises, as well as individual rogues, disgruntled employees and former employees. Highly trained former technical intelligence officers—cyber mercenaries—are also available to assist in compromising targets. There are also hacktivists. Never make the mistake of believing that hacking is not big business. It is, unquestionably. It’s sophisticated, it’s broadly diversified, and it is increasingly complex, and hackers reflect that level of diversity. We live in a world filled with hostile intent. Hostile intent breeds attacks. Cyber attacks are part of the landscape now. There are more hostiles, armed with low-cost, powerful technology in the form of highly mobile computing devices. Social media enables previously unaffiliated entities to become more coordinated, and emboldened. There is strength in numbers.
The key difference between now and even a few short years ago is this: (1) technology is increasingly more powerful and inexpensive; (2) attacks are more frequent; (3) specific companies are targeted and employees are profiled as hackers seek information that can be used to exploit vulnerabilities; (4) the proliferation of mobile devices translates into more sensitive information in more places and greater susceptibility to loss and theft, and weak bring-your-own-device (BYOD) policies and mobile device management; (5) bad social media habits, including weak password configuration, mean more information in more unsecured locations and more employees distributing information; and (6) the fact that, while law enforcement is making gains, nation-states and criminal groups have tapped into a revenue generating vein that is profitable, low risk, and undeniably sustainable.
Skroupa: Many organizations are laser-focused on the issue of losing customer and other types of personal information. Should this be their primary concern?
Ulsch: Protecting personal information is absolutely vital, there’s no question. It is important to comply with the many state, federal and foreign country regulations governing the handling of restricted personal information. But companies need to be aware that other information may be at least as important as regulated personal data. While we have a great many regulations that require protecting personal data, there are far fewer requirements pertaining to defense of proprietary information. Either companies will voluntarily address the issue of protecting this proprietary information or we may see efforts to legislate protective mechanisms, especially where critical infrastructure is concerned. Boards of directors need to address the issue as part of corporate governance and their fiduciary responsibility to shareholders. Insurers will be weighing in on this as well. Ultimately, executives and boards need to consider the value of proprietary data and its importance to sustainability and strategic interests. If you have a business model built on personal data, you need to protect it. If your business is based on proprietary information, you’d better protect that. It’s worth noting that virtually all companies possess certain proprietary information in addition to personal data. And in many jurisdictions, employee personal data must be protected. And then there is the issue of protecting critical infrastructure. Losing the electrical grid is a critical risk. When the power stops, most everything else does, too. We need to think quite holistically about the cyber threat. Whether ignited by regulators, shareholders, class action litigation, or corporate governance mandates, accountability is coming.
Skroupa: You have mentioned that protecting brand reputation and value should be the number one concern for company executives. What can failing to plan mean for company reputation?
Ulsch: Most boards of directors and executive managements don’t talk, think or act IT and security. But they understand risk and its impact potential. They understand that the company’s brand is inherently connected to its sustainability and prosperity. A company’s brand is like a person’s reputation: hard to earn, easy to lose, harder to reestablish. The risk impact of not planning for a cyber offensive aimed at your company? Loss of competitive positioning, loss of revenue and corporate value, loss of brand value, and compromised market share. This leads to the loss of jobs, reduced investment in research and development, reduced merger and acquisition investment, and so on. But there’s another factor. Fewer jobs result in lower tax revenue while more of the workforce faces unemployment and the demands for unemployment benefits and other state funded subsidies escalate, further stressing an already stressed economic system. The tail of a cyber breach can be as long as it is dangerous. Much has been stated in the past about ROI—return on investment. Companies went to great lengths to determine the ROI of a certain security system. Once defined, they’d try and get budget to implement it. But there’s an alternative view coming into focus, sharpened by the cyber attacks hitting companies every day. Here is the correct ROI strategy: protect your brand. Those assets critical to sustainability—the crown jewels—must be properly defended. Lose that and ROI is not the problem; it’s financial sustainability and the ability—and financial capacity—to recapture what was lost. That is always more costly.
Skroupa: You pose that companies are now addressing the need to evolve to company resilience, 10 years late in the game. What does this mean for company strategy?
Ulsch: “Cyber” and the board have not always been soul mates. That’s changing. It’s not changing quickly enough, but we are moving in the right direction. Boards are beginning to embrace the fact that IT and security and cyber and risk are related but not necessarily interchangeable terms. Even five years ago, and maybe even a year ago, mention IT and security and most board-level eyes would begin to glaze over. Now, when they hear about IT and security, the word cyber comes to mind, or at least it is starting to. They’re making the connection and they know they’re not up to speed. In regulated industries, boards are coming up to speed faster because regulators are driving the issue. Unfortunately, sometimes it takes a cyber breach to serve as the wakeup call.
A cyber risk strategy needs to be holistic. It needs to be integrated into virtually every aspect of the enterprise. Think about it this way. No one would reasonably say their house is secure by locking doors and leaving windows open. And what if that house was built in a flood plain or on an active earthquake fault, or too close to the ocean, right in the middle of a high-crime zone?
It needs to address human resources, marketing and sales, research and development, mergers and acquisitions, as well as finance and accounting. It must consider the loss of proprietary corporate information, as well as regulated data. There is no substitute for planning and readiness. Being able to respond with speed, accuracy and agility, based on planning and practicing, can make the difference between a cyber attack and a cyber disaster. “Cyber” is business. Being able to build cyber resiliency into the enterprise in the face of increasingly complex and frequent cyber attacks is a strategy that will be the demand, ultimately, of regulators, insurers, strategic business partners, customers and others.
There’s one key difference in strategy between legitimate companies and hostile nation-states and transnational criminals: our adversaries build cyber security into their operations, and they spare little expense in doing so. They have an edge because they realized, early on, that without rigorous cyber security, their business models were unsustainable. Companies are moving in this direction, but not fast enough. It’s tough to compete with an adversary who has already figured out how to protect its assets, while stealing yours. But there’s progress. That’s the good news. The bad news is that there’s too little of it.
Skroupa: Why do company executives seem to misunderstand the difference between resilience and past generations of firewalls?
Ulsch: Resilience is the capacity to recover quickly—and, hopefully, as seamlessly as possible—from, in this case, a cyber attack. There was a time when returning to that state of operational normalcy could be as uncomplicated as reconfiguring a firewall after a breach. Some thought those were the good old days. Of course, that operational state was filled with risk, but managing risk in those days wasn’t as intense or as complicated, and certainly not the multidimensional, collaborative initiative that it is today. Firewalls were the centerpiece of security, and served as traffic regulators. This was reality, but it was perceptual reality. Factual reality was far different. True, this was an era when IT was IT and the board was the board, and communication between the two entities was, well, not always productive, let alone mutually understood. Threats were not well understood, and they were less sophisticated, less diverse. But the threats and risks were real, just not well understood. And when they were well understood, there was often insufficient appetite to act. With respect to the compromise of personal information, this is how personal information regulation was conceived.
Today, resiliency is more accurately defined as a more complex state of operational normalcy in a more threatening world—a lot more threatening. There are complications associated with state, federal and foreign country statutes and regulations, which can be contradictory, ineffectively administered and inconsistently enforced. There’s the risk of litigation. Then there is the introduction of attorney-client privilege. There’s a lot more data—we’re in the era of big data—in a lot more places: think mobile devices and social media, all bound by economic interests, common threats and common risks. There are more third-party vendors working with more companies, which have the potential to escalate risk. And then there’s the data-acquisitive nation-state and transnational crime.
There is little in the enterprise that “cyber” doesn’t touch. Now that powerful technology and massive volumes of data are in the hands of an often insufficiently aware workforce, and the reach of information regulation and litigation exceeds that of the past, we are witness to a conversation about risk that is more than a dialogue about bits and bytes. Slowly, it is a conversation heard in quiet whispers on the golf course and in the board room. IT and security discussions were once the foreign language of the board. It’s not just about firewalls anymore. Boards may not be any more motivated to configure a firewall today than a decade ago. But today, many boards are racing to connect the dots between “IT,” “security,” “cyber,” and “risk.” They get “risk.” And they have a fiduciary responsibility to do so, and the risk clock is ticking.
Serhat Cicekoglu, Director of Loyola University Chicago Quinlan, Center for Risk Management adds: “It is said that ‘cyber is business.’ I think we are going through a period that Supply Chain and Customer Relationship Management software went through; it was perceived to be a luxury, not for everyone, not very valuable. Over the years, those turned out to be shortsighted views. It seems that limiting our perspective of cyber security to identity or consumer data theft has been quite misleading, as suggested by Ulsch. It is true that such data is extremely important to the vitality of business, but there is equally if not more critical information. The perpetrators may be targeting and masking the real target by diverting attention. Companies must accept that they will not be able to protect all of their critical information. Instead they need to focus on how to remain competitive despite such a loss, and to also maintain the innovation momentum that perhaps brought the perpetrators’ attack.”
On October 14, 2014, Loyola University Chicago, Quinlan School of Business, Center for Risk Management will host its first Executive Dialogue Series seminar program on Resilience—Big Data and Cyber Security. Continue the discussion with MacDonnell Ulsch, Serhat Cicekoglu, Director of Quinlan’s Center for Risk Management, and a select group of 25-35 company executives and internationally renowned experts on resilience. To inquire about attending contact firstname.lastname@example.org.