Cyberattacks are becoming more frequent and more dangerous, so cybersecurity needs to be front of mind for company executives, rather than being treated as a fire-department role that only reacts in emergencies.
In this video, Oliver Wyman experts Souheil Moukaddem, Paul Mee, and Ziad Nasrallah share their insights on understanding cybersecurity risks, managing investments in strategic cybersecurity solutions, empowering CISOs and preparing for the threat represented by quantum computing.
Transcript of video
Souheil Moukaddem
Welcome, everybody to this conversation about some of the major themes regarding cyber. I am joined by two colleagues from Oliver Wyman who are going to introduce themselves. Paul, tell us a little bit about yourself.
Paul Mee
I look after our Cyber Platform for the United States, which tends to bleed into the rest of the Americas, as cyber knows no boundaries, but I'm delighted to be here.
Ziad Nasrallah
Thank you, Souheil. My name is Ziad Nasrallah. I lead the Cyber Platform in the India, Middle East, and Africa region.
Souheil Moukaddem
Paul, do you think that cyber is getting the right level of attention at the executive level?
Paul Mee
It is and it isn’t. My view is like when people see breaches happening and other events, they clearly pay attention. They very much pay attention when it happens to themselves. My slightly negative view is sometimes organizations are using the CISO, the Chief Information Security Officer, like the fire department. We'll call them when there's a fire. And I actually think it's a holistic responsibility of the management, of the entire organization to be cyber ready.
Souheil Moukaddem
Ziad, what’s been your experience?
Ziad Nasrallah
I agree with you Paul, on all of what you said. And we see it clearly in the market as well in the Middle East. And what we've seen from the actual NCA, the National Cybersecurity Authority in Saudi Arabia, they put a regulation out where they're forcing organizations to have a CISO role, and have that CISO role report to a level one or the president of the organization. And we've seen that being very effective. However, there's a lot of pushback, and it's on paper, but culturally, it's not really accepted yet.
Paul Mee
I also think there's a responsibility to help executives. Showing them a long list of statistics and metrics about patching vulnerabilities doesn't really even get them to appreciate it. I think we as consultants, and the CISO’s office themselves, owe a conversation with executives so they can appreciate the risks they have, appreciate where those threats are going to come from, in a way that's understandable and doesn't end up being a whole bunch of technological kaleidoscope as you try and understand them.
Souheil Moukaddem
Ziad, how do you know that the executives are spending the right amount of money on cyber? How do they calculate their ROI?
Ziad Nasrallah
That has been one of the most challenging topics that we have to deal with, especially with clients. And whenever we're building a cybersecurity program, and we put a budget in there, we get the CFO breathing down our necks – What is the return on investment? And what's the business case for cyber? That's the question we get all the time, and we have the right business models to be able to calculate this based on historical attacks by industry. But in reality, the ultimate question is: What are you willing to lose in your organization? What are the most critical functions that are a must? And that's really what you want to protect.
Paul Mee
And I think the best way I heard this articulated, by one of the smarter CFOs, was that the business case is we get to stay in business when the worst happens. And that's the position you want to be in. Clearly, you don't want to throw money at this. As one of my clients said, I don't always want to be in a position where I'm putting a $50 fence around a $10 dog. So I needed to understand that I'm making those investments judiciously in the places where they really matter.
Souheil Moukaddem
Absolutely. So, Paul, can you talk to me a little bit about third party risks and how they come into the equation?
Paul Mee
Yeah, I mean, we live in amazing times. We've got more technology connected in more ways than ever before. We're in a position where we have a greater volume, variety and velocity of data than ever before, to improve the customer experience. Just the things we can do in our own hand with a mobile device are amazing now and will continue to be that way. However, to get those things to work the way they do, to be orchestrated the way they do, involves third parties: FinTech, other specialized organizations. You're orchestrating and sewing these things together. To get the very best, you bring in many third parties who are elitist at this and bring their best capabilities. That wedding, as it were, means that you're married to a set of organizations that may be outside of your direct control. That in itself brings challenges because you can't just run down the hall and say “Can you fix this?” because it's an external party. And those parties may not have the same view of risk that you have.
Ziad Nasrallah
Just to build on what Paul just said, one thing that we do advise organizations is to have a good understanding of their third-party landscape, especially in terms of which vendors are giving you the most critical services that you absolutely need to be protected. And then making sure that you have the right controls in place and the right vetting, processes and frameworks.
Souheil Moukaddem
You're only as strong as the weakest link in your chain. So Paul, you talk about problems shifting to the left and we've seen some of that with Log4j. Can you tell us a little bit more about that?
Paul Mee
I think Log4j was a wakeup call. It highlighted that the fundamental aspects of coding need to be secure as well. You can't just be bolting on secure technology after the event. And the markets move that way. They want to make sure they're secure coding, secure testing, the right kind of regime is in place, which is also a CISO responsibility for secure code you’ve got out there. You don't want to be in a position whereby you've got something out there that you don't fully understand and the risks associated with it. And to the third party point we just raised, you don't want to be in a position where you've got people who are coding by day and hacking by night. So that security of code has become more prevalent and more important than ever before.
Ziad Nasrallah
And I also believe that regulators have a big role to play here, especially when it comes to introducing regulations and policies to protect critical national infrastructure organizations, to make sure that they're working with the right vendors that are adopting secure by design.
Souheil Moukaddem
So pulling on the infrastructure and on the security architectures Ziad, what do you think is being done and what should organizations do with the increased level of threat that we're seeing every day in the market?
Ziad Nasrallah
What we’re seeing in a lot of organizations, especially the ones that don't have the sufficient maturity, is that they're still treating cybersecurity as a technology and IT problem and are trying to solve it by just throwing software and hardware and cybersecurity tools at it. And in many cases, they're not relevant tools, and it's not relevant to the business they're in. And I think the proper way to do it is really design their architecture and secure it in a way to protect the businesses and services that they're offering.
Paul Mee
I would agree. Just to be slightly provocative, I think a lot of organizations have an accidental architecture for security. You want an intended architecture for security – to the ROI point earlier, we understand where those finite investments need to be made to protect the assets of the organization, the data of our customers, and that of our employees.
Souheil Moukaddem
So, a proactive approach?
Paul Mee
Exactly, and also be a little bit skeptical about what the salespeople tell you. Make sure it does what it says on the box.
Souheil Moukaddem
Right, and this is where we come in as really being agnostic to any third-party vendors or salespeople.
Paul Mee
Exactly. We understand the risks, we understand the threats, and we have a view over how we are going to protect against those.
Souheil Moukaddem
So finally, the big topic, or as you call it the ‘topic du jour’: quantum computing. How is this going to change the threat landscape?
Paul Mee
Depends how you look at this. Quantum computing is the ability to decrypt classic computing encryption of today. Now, whether that happens in 5 years, 7 years, 11 years, is still up for debate. But nevertheless, you have the most powerful computing coming along to be able to take apart encryption that's here today. A lot of this information will still be valuable in 10 and 20 years' time when it's national secrets, defense, your DNA, etc. Those things you want to keep private. And with quantum computing on the horizon, those things are under threat. Now, how realistic it is is still up for debate, but regulators are responding. We saw the United States write into law the Quantum Security Act that will protect federal agencies. So I think the smart governments are getting ahead of this. They're not going to wait until this falls out. They're going to be proactive and make sure that every aspect of infrastructure is prepared for this threat.
Souheil Moukaddem
Can the private sector prepare itself for this?
Paul Mee
I think the private sector will. At the moment the private sector is in both camps. One is all of the innovations from quantum, which are amazing, in bio, in patent management, in space exploration, etc. That’s great. But nevertheless, that data that you have, that is currently encrypted with ciphers that are now nearly 20 years old, you need to think about what I want to protect the most. Especially if you're in financial services, especially if you're dealing with particularly sensitive information.
Ziad Nasrallah
I really like the analogy that you've used in the past, Paul, about calling it the new Y2K problem. And I think the only difference between this and the old Y2K is we knew that 01/01/2000, that’s when the date was going to hit. With this new quantum computing we don't know when it's going to hit.
Paul Mee
As I said, it could be five years, could be seven years. With engineering the way it is, that date is getting closer every single day.
Ziad Nasrallah
We're just going to wake up one day where we want to understand what happened. And that's how unknown getting into that is going to be.
Souheil Moukaddem
On that sobering note, gentlemen, thank you for joining me. Thank you, everybody.