As consumers in North America and the U.K. worriedly typed their names and Social Security digits on Equifax’s “Checking Potential Impact” site, ordered credit freezes and considered more stringent cyber-defense steps, they reached the same grim realization that leading cybersecurity consultants have been drumming into corporate boards and executive teams:
So this is how it’s going to be.
Until recently, far more companies suffered far greater and more enduring damage from cyberattacks than many consumers—including some of those who sit on corporate boards—understood. If there can be a silver lining to the recent spate of crippling cyberattacks on companies and consumers this year it is that they have raised awareness of this strategic risk while sparking crash courses in cybersecurity training and education. As consumers learn about unfreeze PINs and IRS Form 14039, boards and executive teams have been boning up on fourth-party data security risks, NYDFS requirements, super-user access management and next-generation security operations centers.
“The board is becoming more informed and more educated,” says Vice President of Strategy, IBM Security Services, John Wheeler. “In some cases, boards have put in place a director with cybersecurity experience who very much knows what questions to ask of management.”
The board’s growing engagement with cyber-risk—combined with the rapidly changing nature of cybersecurity threats, the ongoing digital transformation of all companies, and the procession of new state, federal and global cyber-related directives and rules coming down the pike —all but guarantee that cybersecurity consulting will remain in high demand for the foreseeable future. While progress has been made in some areas of organizational cybersecurity capabilities, additional progress remains a top board-level priority for most companies.
Phishing is Good, and that’s Bad
This need for progress is evident in the cybersecurity assessments and training exercises more companies now perform.
Raj Chaudhary, a principal in the Crowe Horwath LLP risk consulting group who leads the firm’s Security and Privacy Services group, recalls a recent presentation he attended in which an executive shared the results of his company’s most recent phishing simulation test: 35 percent of the employees who participated in the exercise, in which they were enticed by an offer in a mock phishing email, failed the test. In the same type of test the previous year, the executive reported, only 17 percent of participants took the click bait.
“The people component of cyber security continues to be a weakness,” says Chaudhary. This is the case, he says, because phishing emails and other attacks targeting employees are growing more sophisticated while human judgement remains fallible.
The need for better people, process and technology capabilities with regard to cybersecurity has been driving consulting demand at an impressive rate, according to ALM Intelligence Industry Analyst Laura Becker. She says the cybersecurity consulting market has the potential to grow at an even faster rate if the following scenarios (all of which sound likely) materialize: the occurrence of a major, high-profile breach (check); increasing regulatory oversight pressure (check); and/or a faster-than-average realization from the business side of the need to incorporate the cybersecurity piece into an overall enterprise strategy (a good chance).
“If any of these scenarios develop more quickly than expected,” Becker notes, “demand for consulting services around cybersecurity—from front-end strategy to emergency incident response—will increase even further.”
As key decision-makers become more educated about the key components of an effective cybersecurity program, more of them will discover that their current capabilities are not sufficient. Several cybersecurity consulting leaders expressed concern at specific instances of immature cyber capabilities within companies of all sizes across all industries.
“We’ve run across some large corporations that we expect to have mature capabilities, but then we find out that’s not the case,” notes BDO Head of International Cybersecurity Gregory Garrett. “They tell us, ‘Well, we haven’t had any significant attacks.’ But once we start asking probing questions, we quickly find out that they haven’t prioritized their own information assets… Some of the largest companies aren’t even doing 24-by-7 incident response management of any type. They have no active monitoring beyond work hours.”
Truths and Trends
When it comes to cybersecurity-related consulting, no two client requests are the same. While there appears to be a growing awareness that a comprehensive, risk-based approach is necessary, different companies have different needs based on their unique structures, vendor relationships, data assets and other factors.
While certain types of services are currently in high demand (see the “Soup-to-Nuts Cyber Services” sidebar), the following statements reflect the trends and needs shaping cybersecurity consulting demand:
Digital transformation and cybersecurity risk go hand-in-hand.
The Equifax hack and the way consumers responded to it by freezing their credit underscored that it is impossible to uncouple our growing use of digital tools in life and business from growing cybersecurity hazards; they are opposite sides of the same risk coin.
If too many consumers freeze their credit, lending activity could slow, which could in turn reduce economic growth. “So many companies are making heavy investments in digital, algorithmic stuff and artificial intelligence,” notes Vishal Chawla, a principal in Grant Thornton’s Business Risk Services practice who serves as national leader for the firm’s Risk Advisory Services practice. “Doing so can reduce costs, increase efficiency and drive quality. But as we embrace everything that’s good about technology, we also take on more cybersecurity risk.”
PwC U.S. Cybersecurity & Privacy Deputy Leader Grant Waterfall points out that many traditional companies, especially those in the manufacturing sector where sensors are being rapidly integrated into equipment and products, have suddenly become data companies. Newly digital manufacturers rarely have much experience protecting and monitoring the security of vast amounts of data. The same holds true for healthcare providers, few of which know with certainty what type of data resides on newly connected medical devices—and how secure that data is. “A lot of companies,” Waterfall asserts, “are struggling to make the shift in which data security and privacy suddenly become a fundamental component of the business strategy.”
Emily Mossburg, a Principal with Deloitte Risk and Financial Advisory Cyber Risk Services who leads the practice’s “Secure” pillar, points out that digital transformation is driving more digital assets to the cloud. Securing an in-house data center requires one type of approach while securing a data center that has a cloud component requires a different approach—as does securing a data center that is entirely cloud-based. “The ongoing movement to the cloud will create the need for a whole host of shifts related to the governance of the cybersecurity program as well as to the specific technology and solutions,” Mossburg adds.
Threats are changing.
The NotPetya malware that struck this summer was eye-opening on two counts: its nature (“Purely destructive,” Waterfall says); and its targets. The malware struck companies beyond banks, healthcare organizations and other traditional targets that possess rich troves of consumer data. The world’s largest advertising and shopping companies were hammered, for example.
Chaudhary points to the cyberattack on the Swift Banking Network, which nearly succeeded as a billion-dollar theft and which ultimately swiped more than $80 million from the Bangladesh Bank account at the Federal Reserve Bank of New York. “The hacker community is continuing to steal credit cards and compromise the bank accounts of individuals,” he says, “but they’re now going after much bigger rewards.”
The cost of launching a cyberattack is declining, reports Stefan Deutscher, an associate director in the Berlin office of The Boston Consulting Group and the firm’s global topic leader for cyber security and IT risk management and for IT infrastructure and data center operations. He reports that the annual growth rate of cyberattacks (about 20 percent) is eclipsing the annual growth rate for cybersecurity spending (roughly 8 percent globally, but significantly less in some regions). “That means that businesses are wondering whether they are outgunned by the bad guys,” Deutscher notes.
Buyers are changing.
“The buyer is changing,” Mossburg says, “but it’s not necessarily the case of moving from one executive to another. There are more buyers.”
Until a couple of years ago, the chief information security officer (CISO) was the most common purchaser of cyber-related services at most companies. Today, chief risk officers (CROs)—in companies (e.g., financial services) that have that position—often partner with the CISO on buying cyber services, according to most cybersecurity consulting leaders.
“The buyer may also be the chief marketing officer,” says Mossburg, who notes that the CMO’s participation reflects the extent to which the state of a company’s cybersecurity affects the perception—and value—of its brand.
IBM’s Wheeler kicks off many of the executive briefings on cybersecurity his company conducts for clients and prospects. These days, he finds himself speaking to larger audiences. “It’s no longer just the CISO in the room,” Wheeler says. “Often, the C-suite is coming in. We’ll see a CISO and a CRO who might be accompanied by a COO, a CFO and/or the CEO.”
Boards are also becoming buyers. “There are times when we’re engaged directly by the board to help them do some sort of assessment or to help them, from a training and awareness perspective, get a better understanding of the current landscape so that they can ask the right questions,” Mossburg adds.
Companies need help integrating cybersecurity into enterprise risk management.
When asked to describe the hallmarks of the best cybersecurity programs they’re familiar with, consulting leaders—without fail—describe a capability that is either integrated into enterprise risk management or addressed according to risk management fundamentals.
Companies with mature cybersecurity capabilities, Grant Thornton’s Chawla reports, “integrate cyber as a key component of their risk management rather than treating it as just a technology issue. When I go into those companies, I see the chief risk officer at the table. I see the board asking for reports on cyber risks every quarter. I also tend to see that CISOs in those companies tend to report into the chief risk officer, either via a direct line or a dotted line.”
Marsh Risk Consulting Managing Director for Cyber Security Consulting Thomas Fuhrman observes similar practices in leading cybersecurity programs. “Among companies that are more mature in their understanding of cyber security,” he says, “we see the risk function taking more and more ownership of cybersecurity.”
The integration of cybersecurity “into overall corporate risk management is best practice,” Deutscher agrees, “but still rare.”
While recent progress has been made on that count, much more is needed. “You would expect CROs to step up to say, ‘Well, actually this might even be half of my risk profile right now, and I’ve got to do something about it,’” Waterfall says. “We are seeing progress in that direction, but I would not describe that as a step change in the past 18 months. It’s more of a dawning realization, and you’re seeing some leading companies doing it.”
Regulations are multiplying and overlapping, driving the need for compliance rigor.
“As regulators are starting to pay more and more attention, and are introducing tighter regulations, compliance is starting to be a major challenge,” notes Deutscher, who says that global companies, in particular, have trouble keeping pace with numerous different regional regulatory changes.
Waterfall describes the current surge in cybersecurity regulations—including the EU’s General Data Protection Regulation (GDPR), NYSDFS 500 and China’s perplexing Cyber Security Law (CSL)—as “a bit of a regulatory tsunami, especially for global companies.” Organizations, he continues, “are being hit left, right and center by these things; it’s a mounting challenge. And companies need the ability to address [cybersecurity regulations] in an integrated way, because many of these rules address the same issues and controls.”
That goes double for B2B companies grappling to understand and comply with new regulations while fielding more—and/or more demanding—requests from client companies for assurances that they are not only compliant with relevant rules but also able to prove that they are not a cybersecurity risk to their customer companies.
In this way, cybersecurity concerns have elevated vendor risk management activities to a new level while illustrating the extent to which cybersecurity issues spill into seemingly every key component of organizational strategy.
Becker confirms that companies are asking consulting firms to “create a holistic, comprehensive approach encompassing the overall business strategy with the cybersecurity strategy.” Becker also notes that consulting firms are increasingly responding to these needs with offerings that “help clients develop a comprehensive cybersecurity strategy that reduces risk, creates awareness and develops plans for incident response and business continuity in case of attack.”
Third- and fourth-party risk requires attention.
As more companies invest in cloud technology, more information assets are stored externally (via hosted solutions). As a result, greater portions of organizational cybersecurity effectiveness rely on vendors’ security capabilities. The growing use of digital collaboration also gives network access to more external partners. “Enterprises now have an expanding attack surface because of the vast number of third parties that have some degree of access to their network and/or their data,” says Fuhrman.
These conditions and risks have client companies asking for more assistance with adapting their vendor risk management programs to the digital age.
Wheeler recalls a recent discussion with a financial services company that centered on “fourth-party risk.” Some of the company’s larger vendors use vendors that also manage the company’s data. “Their concern centered on the smaller, fourth parties,” Wheeler says. “They wanted to get better visibility into whether those smaller vendors are resilient to ransomware and able to withstand a DDoS attack as well as the kinds of threats we’ve seen in the past 18 months.”
Given the quickly changing nature of cyber threats, that visibility into third- and fourth-party security risks has an increasingly important timing component. A few years ago, vendor risk management (VRM) primarily consisted of manual activities: having vendors fill out questionnaires or self-assessments, and visiting the sites of a handful of key vendors. “Those types of assessments are still happening,” says Deloitte’s Mossburg, “but we’re also seeing more organizations trying to do some type of real-time monitoring of their third parties.”
The skills shortage is real—and driving innovation.
Access to cybersecurity skills remains a major challenge for most companies. Most businesses rely on IT, and many organizations are in the process of digitizing their primary modes of creating value, Deutscher points out, “but few of them have the scale or the brand to attract and retain top cyber security professionals.” That raises tough questions in terms of which aspects of cybersecurity companies should seek to source with full-time employees and which areas they should source to external partners.
Wheeler also describes talent as a top cybersecurity challenge moving forward. He also reports that the skills shortage is nudging more client companies to 1) look at how they can consolidate the number of security technologies and vendors that they’re currently using; and 2) deploy new methods (e.g., machine learning) to “automate and orchestrate” their responses to security incidents and risks.
Skills shortages, constantly changing risks, rapid technological change—many of the factors defining the current state of cybersecurity consulting also ensure that the challenges companies face in securing their digital assets will persist for years, if not longer. As companies increase their spending on cyber-related products and services, they likely will become much more attuned to the degree to which those investments are securing valuable returns.
Sidebar: Soup-to-Nuts Cyber Services
During the past 18 months, consulting firms with cyber security practices have been placing an emphasis on comprehensive, end-to-end cybersecurity approaches.
“In the past, we’ve seen technical providers whose focus was solely incident response or threat intelligence, but there is a growing realization that what clients really need is a trusted advisor,” explains ALM Intelligence Industry Analyst Laura Becker. A crucial cybersecurity role that consultants fill involves educating the entire organization—from the board and executive team to the rest of the workforce—on the importance of preventing cyberattacks. That said, most consulting firms also fulfill numerous other roles. “The largest consulting firms now provide capabilities encompassing strategy, business process transformation, governance, workforce skills training, privacy and consumer protection, incident and threat management including cloud, analytics, threat intelligence and more,” Becker adds.
One of the most common cybersecurity-related requests that consulting leaders field from client companies concerns assessment. BDO Head of International Cybersecurity Gregory Garrett says clients are hungry for best practices from an industry standpoint. “We’re often engaged at the C-suite level to come in and help them assess where they are in comparison to the industry,” Garrett notes. “We also receive requests to conduct highly focused cyber-risk assessments, which tend to include gap analyses: Help me understand where we are in comparison to the NYDFS requirements, for example—where are we? Where do we need to be? And what should our remediation and action plans be going forward?”
Garrett and other cybersecurity consulting leaders stress that no two cyber engagements are exactly alike. That said, certain components of comprehensive cybersecurity programs—including identity and access management, cyber strategy-business strategy alignment, security operations center improvements, and the measurement and quantification of cyber risk—are in particularly high demand right now.
“In cyber, we’ve lived with high, medium and low risk-rating frameworks for many, many years,” says Marsh Risk Consulting Managing Director for Cyber Security Consulting Thomas Fuhrman. “The problem with that approach is that it does not translate well at the executive level. What a risk professional needs to know is the likelihood of an event occurring and, if it does occur, what the impact will be in dollar terms. If I can find that out, then I can really manage it.” —E.K.
Sidebar: Cybersecurity Progress Report
Cybersecurity is in an unstable state. Since Consulting last devoted a feature article to the topic in early 2016, much has changed, especially regarding cyber attacks. WannaCry, NotPetya and the Equifax hack forced many companies to rethink their cybersecurity strategies and tactics. Although business organizations tend to evolve more slowly than cyber criminals, companies have achieved progress in advancing several aspects of their cybersecurity capabilities in the past 18 months.
Marsh Risk Consulting Managing Director for Cyber Security Consulting Thomas Fuhrman has seen more chief information security officers (CISOs) begin reporting to the risk function in the past year. “That organizational change represents a positive step,” Fuhrman says. “It’s important because it reflects a recognition that cyber is an enterprise risk issue as opposed to an IT-function issue.”
Other areas where companies have made cybersecurity strides include the following:
• Board and C-suite awareness: “This has really changed remarkably over the past few years,” reports Stefan Deutscher, a Berlin-based associate director with The Boston Consulting Group. “The C-Suite and, increasingly, board members are starting to accept and take ownership of their responsibility for cyber resilience…” Vice President of Strategy, IBM Security Services, John Wheeler agrees, noting that rising board awareness of cybersecurity issues is evident in the sophistication of the questions that more corporate directors now put to CISOs and chief risk officers. These directors are also hungry for metrics that can be used to more effectively measure cybersecurity effectiveness.
• Security monitoring: Emily Mossburg, a principal with Deloitte Risk and Financial Advisory Cyber Risk Services, has been impressed with the way that many companies have laid a foundation to “get monitoring under control” in the past year and a half. She says that companies have a better understanding of what potentially malicious activity should be logged and how that activity should be analyzed.
• Identity management: “I would also say that we’re seeing more progress around identity management,” Mossburg notes, pointing to privileged access management as a particular bright spot in terms of recent progress. “Once adversaries are on the inside and gain access to those privileged credentials, it allows them to stay inside and expand their reach. More organizations understand that and the importance of making sure that those [privileged] user accounts are locked down. We expect that focus to continue.”
• Quantifying risk: Companies with leading cybersecurity capabilities have made progress putting dollar amounts to at-risk data assets as well as to potential types or magnitudes of attacks. This quantification helps prioritize cyber-risk management activities while giving executives and board members a more precise view of cyber risk. “This is a critical aspect of the process,” says PwC US Cybersecurity and Privacy Assurance Leader Grant Waterfall, “because you 1) want to protect the right things; and 2) there are not enough resources and talent around to do this stuff without doing it efficiently.”
As cyber threats continue to mutate, consulting firms will continue to help client companies measure up by measuring and managing their most important cyber risks. —E.K.