Back in September 2017, Equifax announced that its chief information officer, chief security officer and CEO would be stepping down. The move came just weeks after a massive cyber breach that compromised the personal data of as many as 143 million customers.
Four years on, the attack remains the costliest US data breach settlement case to date, with victims affected by the breach awarded up to $425m and Equifax ordered to spend a minimum of $1 billion on toughening up security measures over the next five years.
It is a story that highlights just where the buck stops when one’s security network is breached. The fact that it occurred prior to the unprecedented levels of organisational restructuring and changes to IT infrastructure undertaken in the wake of the pandemic should also give technology leaders pause. As threats intensify and attack numbers soar, IT leadership must realise how much is at stake, both personally and for their enterprises at large.
“The threat landscape has far outpaced the best practices that most security teams are still operating under,” says BlackBerry vice president of solutions for EMEA, Roger Sels. “We need a mindset shift to get ahead of that curve again.”
Into the boardroom
Sels has spoken with countless CISOs over the past 18 months as they address myriad and unprecedented operational challenges. Despite the obvious initial struggles adapting to large-scale remote working, Sels notes that these conversations revealed a surprising level of optimism within the field, thanks in large part to growing security awareness, boardroom engagement, and – perhaps most surprisingly – access to funding.
But a sharp increase in breaches since Covid-19 and a clampdown by regulators in a bid to diminish negligent cybersecurity protection also means CISOs have never been more visible. “An incident can have severe ramifications not only on the bottom line, but also the top line in attracting and retaining customers, so it’s rightly being recognised as a wider business risk,” explains Sels. “There’s plenty of stories in the media showing that if you don’t invest adequately, the cost will be significantly higher.”
Adding further pressure, Sels points to a rise in pricey shareholder litigation following security lapses in the US, with several CIOs, CISOs and CEOs forced to step down – as witnessed at Equifax. It is a trend which he foresees the UK and Europe following.
This certainly helps explain the willingness of those at the very top to take cybersecurity more seriously. For Sels, it’s been a long time coming. “A lot of companies have been operating with huge quantities of technical debt, underinvesting in security for years, but change is on the way,” he contends.
“Having said that, I don’t personally believe that you can always say ‘my security level has increased because I’m spending more’. It’s about optimising value.”
As a prime example of changing attitudes and organisational buy-in, Sels highlights the rise of chief trust officers within the IT function, especially within the internet, technology and security industries. It’s an evolution of the role that he expects to become widespread.
Also top of the agenda is finding ways to increase security measures without curtailing productivity. “I think CISOs are starting to say, ‘okay, we kept things up and running last year, how can we now improve user experience to make things more workable for the business?’,” explains Sels.
“There’s always a risk that the user will prioritise having a frictionless experience to get their job done in the fastest possible way. In the end, it boils down to training people on the risks of bypassing security controls, as well as the consequences within the organisation.”
A fresh take
Sels is encouraged by signs that CISOs are actively looking to work with security partners that can offer a fresh take on best practices and utilise greater levels of automation.
“I think most people underestimate how much they can increase efficiency by consolidating their platforms into one integrated suite of products that have all been designed to work together,” he says.
“We had already envisaged a future in which CISOs would be under increased stress, because there’s just too much data to be handling – cyber is no longer a human scale problem.”
To this end, having acquired Cylance – a pioneer in antivirus software applying AI and machine learning – in 2019, BlackBerry created a single platform which automates as many tasks as possible across a range of different pillars, including everything from end-point management to cloud access security.
The pandemic has only served to reinforce the tech giant’s vision. “We’ve seen lots of organisations having to respond to Covid-19 by increasing VPN capability which, in some cases, requires costly upgrades to new hardware,” says Sels.
“With our platform, we can still offer a high level of security without the need for VPN – I think we have a solution that’s ready to help businesses thrive under the ‘new normal’”.
As breaches rise, Sels says there has been a heightened demand for assessment services, where a team of BlackBerry experts seek to rapidly determine whether an organisation has been breached, or shows any signs of data leaks in the past. They then provide a detailed report of any threats found and suggestions for how to prevent future attacks.
He also highlights increased interest in BlackBerry Alert, the company’s crisis communication platform, which aids communication between employees during a cyberattack, and provides a playbook so that they know exactly what to do when an incident has been declared.
BlackBerry Persona is a prime example of proactive protection, using machine learning to identify behavioural and location patterns to detect threats. If the keystrokes or mouse patterns are different from normal user behaviour, appropriate security actions are suggested. “A major strength of our zero-trust platform is that we can take into account all of the factors, calculate the risk score and then dynamically alter security policies,” explains Sels.
The past 18 months have been exceptionally challenging for security leaders, but the rapidly evolving threat landscape has also created an exciting opportunity to reconfigure the role and capabilities of the CISO. Leveraging the abilities and visibility enabled by AI will play a major role in delivering this.
Now is the opportunity for what Sels calls “a more innovative breed of CISO”, willing to leave behind traditional best practices and effectively harness emerging technologies and solutions to define a new “gold standard”.