Cybersecurity is a perplexing puzzle with a staggering number of pieces and solutions that somehow all need to fit together. Can consultants be the ones to solve it?
Cybersecurity is a complex puzzle with a staggering number of pieces, several new dimensions and some noteworthy paradoxes.
The pieces include a massive tangle of information technology (IT) security applications, policies and practices—some effective, many no longer so—that companies have implemented in recent years. The dimensions now extend well beyond IT, into strategic risk management, legal, human resources, supply chain management, mergers & acquisitions (M&A) due diligence and other realms.
Client companies confront a couple of paradoxes. “One of the perceptions in the marketplace,” notes Deloitte’s U.S. Leader for Cyber Risk Services Ed Powers, “is: we’re spending more money than we’ve ever spent on this problem and, in many ways, it doesn’t feel like things are getting a lot better.” Another contradiction relates to prevention. “The hackers are always going to be one step ahead of the game,” says BDO Consulting National Leader of Technology Services Shahryar Shaghaghi. “There is no such thing as ‘prevent.’ Instead, it’s about minimizing the impact of cyber attacks and maximizing defenses associated with the highest areas of value and vulnerability.”
A challenging paradox also confronts cybersecurity consulting practices, which are booming; practice leaders report growth rates ranging from 50 percent to 500 percent. How can these practices scale up to meet client demand while designing solutions that are both comprehensive in nature and highly customized to individual companies? “Context is key,” notes Capgemini Chief Security and Compliance Architect Gopal Padinjaruveetil. “We approach every client engagement differently based on the company’s risk appetite, risk tolerance and risk capacity.”
Johnny Lee, Forensic, Investigative and Dispute Services Practice Leader and Managing Director at Grant Thornton LLP, agrees. When asked the high-level question of how consultants are going to meet the needs of all of their cybersecurity clients he says, “The only answer broad enough to do the question justice is to say that you must take a risk-based approach. You have to ground things in the context of the client’s risk profile. It all comes back to risk management and proportionality.”
It also comes back to mastering puzzles. “It’s as if you have a puzzle with 50 pieces,” explains PwC’s Global Cybersecurity Leader David Burg. “To make a security program work well, you need to have the right 50 pieces.” Consultants should understand how all the pieces interlock, even as what qualifies as the “right 50 pieces” changes rapidly, dramatically and frequently.
Long-Term Survival and other Client Challenges
The most formidable cybersecurity challenge companies face is existential. “In almost 40 years,” says Ken Allan, head of EY’s global information security group, “I’ve never seen anything that poses such a great risk to the long-term survival of many companies.”
This big risk contains many sub-risks and challenges that Allan and his counterparts at other firms are helping clients address. These areas include the overarching cyber risk management strategies and programs, the integration of cyber-risk management into M&A due diligence, regulatory compliance demands, talent gaps, management of security-application portfolios, creation of security operations centers, threat assessments and modelling, incident-response processes, reputation risk, training and education, insider threats and much more.
While IT-related cybersecurity issues are, of course, substantial, the strategic, cultural and human elements of the challenge are quickly growing. For example, the target company in a billion-dollar-plus acquisition likely has a very different cybersecurity infrastructure than the acquiring company, a situation that requires a major integration effort. In large-scale M&A integrations, there is also the chance that the acquiring company is subjecting itself to a more nefarious threat. “What if that newly acquired entity is poorly secured?” Burg asks. “What if it’s badly compromised? What if bad actors knew that the transaction was going to occur and they also knew that the best way to compromise that large enterprise was to first compromise the target of the acquisition?”
People also pose a challenge in the form of insider threats and due to a lack of adherence to security protocols. Padinjaruveetil rates insider threats as a top issue. “Firms are challenged to detect abnormal human behavior and confirm whether there’s malicious intent,” he explains. Crowe Horwath LLP Risk Consulting Principal Raj Chaudhary describes employee behavior as a common hindrance to the efficacy of cybersecurity programs. “The most difficult area to implement increased security controls is with people,” he notes. “Implementing people controls requires education and enforcement, as many companies struggle with changing the way their employees think about data protection.”
New and forthcoming cybersecurity-related regulatory compliance requirements, guidance and frameworks also challenge companies in most industries. Last June, for example, the Federal Financial Institutions Examination Council (FFIEC) unveiled its Cybersecurity Assessment Tool, which provides a roadmap for building and running cybersecurity functions in financial services companies. “Companies have to take these sorts of guidelines and put together a plan that identifies risks and vulnerabilities, and mitigation strategies related to gaps,” Shaghaghi says. “And then companies need to demonstrate to the regulators that they are making progress.”
Given the comprehensive and complex set of cybersecurity challenges companies face, it can be difficult to know where to begin and what to focus on. That’s why some cybersecurity practice leaders are investing time to help their clients view this complex issue through a new lens.
Powers encourages clients to start by looking at the root causes of cyber insecurity. These include companies’ growing reliance on information-sharing, their reliance on their people (very few of whom behave maliciously, but too many of whom behave complacently or ignorantly in the face of cyber risks) and the ways that companies drive innovation and growth. These levers include M&A, globalization, the adoption of new technologies, supply chain partnering and other activities that heighten cybersecurity risks. “The challenge is kind of ironic,” Powers explains, “because what you really want to do is do more of all the things that create cyber risk. Those things are at the core of the business strategy. Not only can you not stop doing them, you actually want to do more of them.”
Powers’ logic makes a compelling case for a comprehensive, risk-based approach to cybersecurity. If snapping up a competitor, entering a new geography or outsourcing a function comes with additional cybersecurity risks, executive decision-makers should understand the nature and magnitude of those risks, consider them against the benefits a strategic shift would deliver and then make more informed decisions.
Bespoke Solutions Proliferate
Powers’ competitors also tout the importance of comprehensive cybersecurity services. “The types of projects we’re doing are much, much larger,” Allan says. “They’re much more multi-faceted. They are often geared toward a complete re-architecting of the whole approach.”
Allan assigns EY’s cybersecurity work to five broad categories: major security transformation work; cyber-threat management; identity and access management (a rapidly growing area thanks, in part, to the explosion of the Internet of Things); data protection; and business resiliency.
The terms “resiliency” and “business resiliency” crop up frequently when consultants discuss their cybersecurity offerings. Part of the reason for this is practical—as Shaghaghi notes, “prevention” is impossible for most companies. Companies need to “pivot from pure defense to resilience,” Lee explains. “That means you are able to adequately respond to the bad thing when it happens, because you know it will happen.”
This state of resiliency shares more than a few fundamentals with the best-in-class business continuity management (BCM) capabilities relatively few companies implemented and kept current in the past 10 to 15 years in response to massive natural and manmade disasters (hurricanes, tsunamis, terrorism, pandemics, etc.). Achieving business resilience in the face of when-not-if cyber breaches requires a response covering a broad range of areas: IT security, regulatory compliance, law enforcement, shareholder relations, brand risk, public/media relations, customer and supplier relations, and so forth.
“Resilience has moved out of the traditional business continuity planning realm into a much more real-time and more holistic view – of which cyber is just one component, but a very large component,” Allan says. “This is a growth area for us.”
It’s safe to say that most types of cybersecurity services qualify as high-growth areas. These offerings obviously vary in their structure and how they are organized. Capgemini’s global cybersecurity practice groups its offerings into three families of services: end-to-end advisory services, protection services and monitoring services. Deloitte describes its overall approach as “secure, vigilant, resilient.”
Despite those differences, there are several common attributes of different offerings from different firms, which tend to be:
Given this need to customize, some cybersecurity consulting leaders emphasize the importance of a couple of surprising qualities as the demand for their services soars: self-knowledge and patience. Lee says it is crucial to remember what his firm does and does not do. If a happy client asks Grant Thornton to provide managed security, “We would immediately and candidly say, No, but here are three names that we’d recommend,” Lee notes.
EY, on the other hand, does provide a managed security service. “But we don’t want to build managed security for 100 clients when we know that in this year, we can probably do it for 20 [companies] and do it very well,” says Allan. “…I think it is a mistake to think that, in order to meet margin, you have to create a solution and then to sell it many times over. The nature of cyber security is so bespoke, that the solutions also have to be.”
Cybersecurity Spending Soaring… and Seems Sustainable
Company directors are intensifying their involvement in cybersecurity efforts as corporate spending on cybersecurity soars, according to a late 2015 survey of 150 corporate directors of public company boards conducted by BDO USA’s corporate governance practice.
Seventy percent of survey respondents indicate that their company increased cybersecurity investments in the past year. The average budget expansion was a hefty 22 percent. The portion of companies that are boosting their cybersecurity investments is also growing. BDO conducted a similar survey in 2014, and found that 55 percent of companies had increased cybersecurity spending in the previous 12 months.
This trend seems likely to continue. In a recent report on the state of cybersecurity consulting, Kennedy Consulting Research & Advisory Senior Analyst Erin Hichman, who leads the firm’s IT consulting research practice, identifies four key drivers of corporate cybersecurity spending:
Major Risks, Inadequate Systems: Executives realize more investment is necessary, Hichman notes. That’s largely because risks related to cyber-attack have proven substantial while traditional information technology (IT) systems, policies and processes have proven inadequate.
A Business Risk: As more companies and boards treat cybersecurity as a business problem, as well as an increasingly strategic risk, the issue demands business guidance combined with technical expertise to assure what Hichman describes as a “holistic assessment of risk management.”
An Expertise Shortage: Companies are discovering that cybersecurity expertise is difficult to find, highly specialized and dynamic.
Data Overload: Massive external and internal data streams must be integrated and analyzed to develop integrated, real-time reports of current threats, Hichman adds. —E.K.
Crowded Marketplace
Everyone is buying cybersecurity consulting services.
That’s not an overstatement, and it rings true for companies as well as the buyers within organizations. Eighty-seven percent of corporate directors are now briefed on cybersecurity issues at least once a year, and 33 percent are briefed quarterly, according to BDO USA research.
“Boards of directors are becoming more engaged with cyber security, taking more ownership and working to understand the underlying issues,” says BDO Consulting National Leader of Technology Services Shahryar Shaghaghi. “We see an opportunity to work directly with members of the board of directors and/or the audit committee of the board.” This work, Shaghaghi adds, involves establishing the lines of communications (i.e., types and frequency of briefings) and transparency the board needs to respond proactively to cybersecurity risks rather than waiting to react once an individual incident strikes.
Traditionally, cybersecurity services were purchased by an organization’s IT department, under the direction of the CIO or a chief information security officer (CISO), notes Kennedy Consulting Research & Advisory Senior Analyst Erin Hichman. Today, she adds, “boards of directors have become acutely aware of the risk to reputation—of both the enterprise and management – as well as the real cost in terms of revenue, company assets, and stock price that a major breach could extract.”
Boards are not the only buyers, however. Hichman also points to CEOs, COOs, CFOs, chief risk officers (CROs), CMOs and business line executives as common purchasers of cybersecurity consulting.
“We’ve definitely seen an interesting change,” says PwC Global Cybersecurity Leader David Burg. “About two to five years ago, cybersecurity was viewed as being an IT issue. Most of our buyers were CIOs or chief information security officers. As cybersecurity has become appreciated as much more of a strategic issue, and much more of an enterprise risk management issue, we have different buyers. Now, we sell directly to the board, to the CEO, and we’ll sometimes see purchases that involve risk officers. Of course, the CIO and the CISO remain buyers but what’s interesting is that in some cases, even marketing officers and human resources officers are involved.” —E.K.
Five Attributes of Effective Cybersecurity Consulting
Cybersecurity consulting practices confront new challenges as they strive to help client companies contend with the massive, complex and dynamic nature of cybersecurity risks. Cyber threats raise big questions about what companies can and cannot control; require organizations to rethink their approach to managing data, supply chain relationships and strategic decisions (for example, potential mergers and spin-offs); and pose people challenges that rival technical and process challenges. Cyber risks also raise tough questions in consulting firms as they seek to scale their offerings to leverage a major opportunity. “Because of the size, complexity, and constant evolution of attack vectors, there is no simple, one-size-fits-all approach to managing the risks associated with cybersecurity,” according to a recent Crowe Horwath white paper titled The Five Critical Attributes of Effective Cybersecurity Risk Management. Here, the co-authors of the paper, Technology Risk Senior Manager Jared Hamilton and Risk Consulting Principal Raj Chaudhary, respond to questions about those five attributes (an effective framework, end-to-end scope, thorough risk assessment and threat modelling, proactive incident report planning, and dedicated cybersecurity resources) and about the current state of cybersecurity consulting:
Consulting: Are cybersecurity challenges technical, procedural, cultural and/or regulatory in nature?
Raj Chaudhary: All of the above. Cybersecurity always includes people/culture, process and technology risks. Gaps in security controls will also increase regulatory/compliance risks as well. The most difficult area to implement increased security controls is with people. Implementing people controls requires education and enforcement, as many companies struggle with changing the way their employees think about data protection. The best advice is to “market” security awareness to employees from multiple angles, such as tips of the week, posters, learning sessions, login banners and even simulated phishing exercises. Coupled with solid management buy-in shown by setting the example from the top, companies can see a positive culture change over time – and, ultimately, a security-awareness increase amongst their employees.
Consulting: What types of cybersecurity offerings are you delivering?
Jared Hamilton: Addressing cybersecurity risks involves four major phases, including assessment, design, implementation, and maintenance. Crowe’s cybersecurity services provide consulting across each of these four phases. Through our assessment services, we can identify overarching trends from risk management and compliance gaps, down to deep technical issues discovered from network penetration testing. We can then help design a remediation plan which prioritizes top risks, as well as assist with the implementation of the plan by enhancing or introducing new people, process and technology controls. Finally, we provide continuous IT security assistance through the management of specific programs such as third-party or vulnerability management, up to and including co-sourcing or full IT security outsourcing to experienced security professionals.
Consulting: What are the biggest challenges cybersecurity practices and consultants need to address? How are you addressing these issues?
Raj Chaudhary: Consultants confront the same challenges that our clients face—keeping pace with the new threats and advanced techniques used by hackers to exploit our clients’ systems. We subscribe to different threat intelligence sources across multiple industries to keep up, and this helps us service our clients better.
Consulting: Among the five attributes you identify in your paper, which do client companies typically need the highest level of consulting help to address?
Jared Hamilton: Attribute One: An Effective Framework—companies are putting a lot of effort and finances into addressing cybersecurity risks, but they are generally lacking organization and focus. The best efforts currently involve handling day-to-day fires and issues, but companies often lack an overall strategic plan or way to measure their success, or lack thereof. Questions such as “What should be addressed first?” or “How secure do we need to be?” often crop up when there is not an effective security framework in place. A framework helps organize efforts and provide the foundation to provide metrics to ensure an organization is identifying and meeting its risk management goals. —E.K.