Treat Cyber risk as a science, not a dark art

As I write this piece I find myself in the midst of thousands of colleagues. Literally thousands of people who every year go on what I consider a Cyber pilgrimage. I have secluded myself for a moment in a nearby Starbucks; earplugs in, I go to my favorite Spotify playlist so I can concentrate a bit better (Foo Fighters mixed with Bruce Springsteen and Radiohead). I briefly FaceTime with my kids before I go offline to hopefully write down some of the thoughts that have been racing through my mind. Looking out the window I see “handlers” everywhere, folks that hold up a sign that says “line starts here”. People everywhere. Buses passing by with advertising on them saying that you’ve already been hacked and that you should automate incident response. No kidding! Chaos in the streets of San Francisco! I love it!

The cyber industry has never changed at a faster pace

Ever since I started working in the field of Cyber security (since 1998) there is this one annual event that every Cyber professional wants to attend – and should attend at least once in a lifetime – the RSA Conference in San Francisco, with Moscone Center as its shrine. This is the fourth time I have made this pilgrimage. In 2004 I remember that a company called Verisign was the name of the game. Probably 75% of the companies here right now did not exist back then. Half of those will not exist anymore 5 years from now. M&A is actually already in full swing, with several “legacy companies” acquiring next-gen vendors. Many more to come, I am sure of it. Venture Capitalists will cash out; likely more of them will lose serious money. Change is the only constant. An open door maybe, but I realize it’s so very true. And change in the Cyber industry has never been as fast-paced as now. So much is already clear to me after my first walk across the Expo floor.

Driven by a strong sense of purpose

Named after famous cryptographers (Ron) Rivest, (Adi) Shamir and (Len) Adleman, the RSA Conference is the gathering of suits and geeks, these days more suits, but still a rendez-vous that inspires a great many people. The RSA Conference is an event that combines the entrepreneurial spirit of Silicon Valley with a strong sense of purpose. In 2017 the impact of technology on society is unparalleled and data breaches are no longer a new normal, just normal.

Several Americans I talked to this week are convinced that the DNC-hack changed the outcome of the U.S. Presidential Election. Microsoft is making headlines today suggesting that the world needs a “digital Geneva Convention”. Brad Smith of Microsoft told us during his keynote that “Cyberspace is the new battlefield” and that “technology companies must be committed to 100% defense and 0% offense”.

Go back to your risk appetite

Usually during #RSAC, the role of the “defenders” and the technology that enables them is celebrated. This year is no different. In the opening keynote, actor John Lithgow made all of us applaud ourselves. Group therapy, I thought to myself, realizing that budgets for Cyber are not and will never be limitless (and shouldn’t be). I have also yet to meet the first board member who is worried about cross-site scripting, just to name an example. Lost in translation. It’s what drives me. Connecting the dots. How much should our company invest? Where should we start? What tools do you like? What is minimally needed? What could we reasonably do later? What do you think of startup Y? All questions KPMG clients ask us on a daily basis. The answer? Go back to your risk appetite. Make Cyber a business and boardroom priority, not just something for IT to take care of (still mostly the case, I’m afraid). RSA Security’s CTO Zulfikar Ramzan said it best during his keynote: “Treat risk as a science, not a dark art”.


Source: KPMG Blog