Effective cyber security is baked in, not bolted on.

Ariel Evans is an American Israeli cybersecurity expert, entrepreneur and business developer. She recently took the helm of an Israeli cyber risk company that provides enterprises, cyber insurers and M&A teams with quantification of cyber risk. Additionally, she consults for over 30 Israeli companies and is the go-to person in Israel who connects cyber startup companies to funding and business development opportunities.

An entrepreneur herself while in the US, she raised over $200 million from private equity and venture capital firms and has two successful exits under her belt. Evans was the Chief Information Security Officer for a major telco in the United States. She is recognized as a leader on Wall Street in Risk and Compliance, having held positions at The McGraw-Hill Company, XL Capital, JPMorgan Chase, and Merrill Lynch as well as Lockheed Martin. Her insight into regulation, governance and business inter-connectivity technology allowed her to provide expert guidance to the Department of Homeland Security, The Payment Card Industry and other governing bodies that are accountable for reducing risk and understanding its implications with complex technologies.



Christopher P. Skroupa: What are the major areas of growth in cyber security?

Ariel Evans: There are three major areas of growth in the next decade: cyber risk, cyber insurance and IoT security. Each of these three areas is a green field, and is the next level of assurance in cyber.

The board and executives of organizations must protect the assets of the business. Seven out of ten Target board members were ousted and the CEO was fired—they had no visibility into the risk that cyber had on the business. Cyber risk must be understood in dollars and cents to communicate in a language that the board and executives understand. Only then can senior executives have a cyber strategy that allows them to protect the assets properly.

Cyber insurance is in its infancy, and as such, organizations need to understand how much cyber insurance they need. Target had $100 million of cyber insurance and has over $450 million of loss today, which is estimated to total at $1 billion by the end of 2017. This isn’t a little off—it’s way off. Cyber insurance is a tool to transfer risk that needs to be correlated to cyber risk.

There are over one billion IoT devices in use today, and by 2020, that number is expected to be over 50 billion. The large and unprecedented IoT-centric DDoS attack a few months ago caused major outages for many sites, including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix by attacking internet infrastructure companies that had not reset default passwords on their firmware. Unfortunately, the password is hardcoded into the firmware. Tools to disable the firmware are not present, and to top it off, the web interface is not aware that these credentials even exist. This is basically unfixable, and will remain a cyber threat. The only way to protect against them is to unplug them from the Internet.

Once again, history is repeating itself. Security by obscurity is the name of the game. Malicious individuals and nation states are taking advantage once again of the inability to bake cyber security controls into technology.

The bottom line is organizations have to be in front of cyber, not behind. We must proactively bake security in—not bolt it on. We have to be strategic in our thinking and not reactive. Cyber risk allows for thought leadership, cyber insurance provides that extra layer of protection and IoT security, if not addressed now, may lead to Cybergeddon.


Skroupa: How can companies evaluate the effectiveness of their cyber security tool stack? How is this related to cyber risk?

Evans: Most organizations have layered security tools in place such as firewalls, Intrusion Protection Systems (IPS), Data Loss Preventions (DLP) and Security Incident and Event Management (SIEM). These organizations likely look only at control maturity when evaluating cyber risk.

Control maturity is a term commonly used by IT to measure their ability to perform and is derived from IT governance methodologies such as CobIT (Control Objectives for Information and Related Technologies), ITIL (Information Technology Infrastructure Library) and CMMI (Capability Maturity Model Integration) models.

Control maturity provides no visibility into the effectiveness of these layered tools. This bottom-up approach to security only describes the implementation status of the control. It stops at the system level and does not tie the business processes to the data assets and the systems, hence it lacks the ability to demonstrate the effect a missing control or a discovered vulnerability has on cyber risk. Bottom-up methods have proved themselves to be extremely inaccurate as they measure controls on the technology level and only describe the control maturity and not its effectiveness.

As an example, an anti-malware solution can be 90% mature because it is installed on 90% of the endpoints. But from an effectiveness perspective, the policy this control is enforcing could be irrelevant to the risk—its effectiveness could be 0%. Measuring cyber risk by evaluating control maturity puts organizations at a high probability for cyber loss.

A top-down approach ties the business impact of the assets and processes to the cyber risk and demonstrates the effectiveness of cyber security tools. A top-down approach is the only means to measure risk of assets, prioritize remediation properly and equate that to the amount of cyber insurance that is needed.


Skroupa: How is cyber insurance evolving?

Evans: Cyber insurance is one of the fastest growing segments of the insurance industry. Cyber insurers are beginning to understand the need to differentiate themselves and price policies based on the actual risk of the insured. Today, it is the neighbor method. You sold Bank A a $500 million policy for $5 million, and you think that will work for Bank B. The issue with this is that the cyber security posture of Bank A could be wildly different than that of Bank B. Would you insure a 21-year-old New Yorker with a DWI for the same premium as a 50-year-old from Montana with a spotless driving record? Hardly.

Insurance has always been based on risk, so why is cyber not in sync here? Cyber insurance companies have been trying to take the easier, softer way and the results are nil. Measuring cyber risk requires understanding how the business assets are impacted by a cyber attack. Assets must be prioritized. A system that makes money or could cost you money in fines if breached is much different than a system with minimal business impact. Visibility into the risk exposure in dollars and cents provides the cyber insurance companies competitive advantages that allow them to differentiate policies for good cyber drivers and gain a competitive edge. Risk metrics allow for risk accumulation scenario analysis for data exfiltration and cloud compromise across the portfolio of the cyber insurance company. Lastly, risk metrics demonstrate how much cyber insurance is actually needed by an organization.


Skroupa: How will IoT impact cyber security in the next few years?

Evans: IoT means interconnectivity. IoT is the internetworking of physical devices, vehicles (also referred to as “connected devices” and “smart devices”), buildings, and other items—embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data. The Internet of Things revolves around increased machine-to-machine communication; it’s built on cloud computing and networks of data-gathering sensors; it’s mobile, virtual, and instantaneous connection; and they say it’s going to make everything in our lives from streetlights to seaports “smart.” This smart framework has a set of risks associated with technologies that have high risk already. Combine these together and you exponentially increase the risk.

Cloud and mobile technologies are notoriously riskier than on-premise technologies. As more and more companies manufacture sensors and devices, they continue to skimp on security to be competitively priced. This exacerbates the risk. As IoT explodes, security risk will explode with it, leaving a trail of data breaches with high price tags. Regulation always lags behind technology and IoT will be no different. The issue with this is that the cost of security by obscurity may finally reach its boiling point and you and I will be left holding the bag.