Gone Phishing: Cybersecurity's Big Catch

Cybersecurity is a perplexing puzzle with a staggering number of pieces and solutions that somehow all need to fit together. Can consultants be the ones to solve it?

Cybersecurity is a complex puzzle with a staggering number of pieces, several new dimensions and some noteworthy paradoxes. The pieces include a massive tangle of information technology (IT) security applications, policies and practices—some effective, many no longer so—that companies have implemented in recent years. The dimensions now extend well beyond IT, into strategic risk management, legal, human resources, supply chain management, mergers & acquisitions (M&A) due diligence and other realms.

Client companies confront a couple of paradoxes. “One of the perceptions in the marketplace,” notes Deloitte’s U.S. Leader for Cyber Risk Services Ed Powers, “is: we’re spending more money than we’ve ever spent on this problem and, in many ways, it doesn’t feel like things are getting a lot better.” Another contradiction relates to prevention. “The hackers are always going to be one step ahead of the game,” says BDO Consulting National Leader of Technology Services Shahryar Shaghaghi. “There is no such thing as ‘prevent.’ Instead, it’s about minimizing the impact of cyber attacks and maximizing defenses associated with the highest areas of value and vulnerability.”

A challenging paradox also confronts cybersecurity consulting practices, which are booming; practice leaders report growth rates ranging from 50 percent to 500 percent. How can these practices scale up to meet client demand while designing solutions that are both comprehensive in nature and highly customized to individual companies? “Context is key,” notes Capgemini Chief Security and Compliance Architect Gopal Padinjaruveetil. “We approach every client engagement differently based on the company’s risk appetite, risk tolerance and risk capacity.”

Johnny Lee, Forensic, Investigative and Dispute Services Practice Leader and Managing Director at Grant Thornton LLP, agrees. When asked the high-level question of how consultants are going to meet the needs of all of their cybersecurity clients, he says, “The only answer broad enough to do the question justice is to say that you must take a risk-based approach. You have to ground things in the context of the client’s risk profile. It all comes back to risk management and proportionality.”

It also comes back to mastering puzzles. “It’s as if you have a puzzle with 50 pieces,” explains PwC’s Global Cybersecurity Leader David Burg. “To make a security program work well, you need to have the right 50 pieces.” Consultants should understand how all the pieces interlock, even as what qualifies as the “right 50 pieces” changes rapidly, dramatically and frequently.

Long-Term Survival and Other Client Challenges

The most formidable cybersecurity challenge companies face is existential. “In almost 40 years,” says Ken Allan, head of EY’s global information security group, “I’ve never seen anything that poses such a great risk to the long-term survival of many companies.” This big risk contains many sub-risks and challenges that Allan and his counterparts at other firms are helping clients address. These areas include the overarching cyber risk management strategies and programs, the integration of cyber-risk management into M&A due diligence, regulatory compliance demands, talent gaps, management of security-application portfolios, creation of security operations centers, threat assessments and modeling, incident-response processes, reputation risk, training and education, insider threats and much more. While IT-related cybersecurity issues are, of course, substantial, the strategic, cultural and human elements of the challenge are quickly growing.

For example, the target company in a billion-dollar-plus acquisition likely has a very different cybersecurity infrastructure than the acquiring company, a situation that requires a major integration effort. In large-scale M&A integrations, there is also the chance that the acquiring company is subjecting itself to a more nefarious threat. “What if that newly acquired entity is poorly secured?” Burg asks. “What if it’s badly compromised? What if bad actors knew that the transaction was going to occur and they also knew that the best way to compromise that large enterprise was to first compromise the target of the acquisition?”

People also pose a challenge, both in the form of insider threats and through a lack of adherence to security protocols. Padinjaruveetil rates insider threats as a top issue. “Firms are challenged to detect abnormal human behavior and confirm whether there’s malicious intent,” he explains. Crowe Horwath LLP Risk Consulting Principal Raj Chaudhary describes employee behavior as a common hindrance to the efficacy of cybersecurity programs. “The most difficult area to implement increased security controls is with people,” he notes. “Implementing people controls requires education and enforcement, as many companies struggle with changing the way their employees think about data protection.”

New and forthcoming cybersecurity-related regulatory compliance requirements, guidance and frameworks also challenge companies in most industries. Last June, for example, the federal Financial Institutions Examination Council (FFIEC) unveiled its Cybersecurity Assessment Tool, which provides a roadmap for building and running cybersecurity functions in financial services companies. “Companies have to take these sorts of guidelines and put together a plan that identifies risks and vulnerabilities, and mitigation strategies related to gaps,” Shaghaghi says. “And then companies need to demonstrate to the regulators that they are making progress.”

Given the comprehensive and complex set of cybersecurity challenges companies face, it can be difficult to know where to begin and what to focus on. That’s why some cybersecurity practice leaders are investing time to help their clients view this complex issue through a new lens. Powers encourages clients to start by looking at the root causes of cyber insecurity. These include companies’ growing reliance on information-sharing, their reliance on their people (very few of whom behave maliciously, but too many of whom behave complacently or ignorantly in the face of cyber risks) and the ways that companies drive innovation and growth. These growth levers include M&A, globalization, the adoption of new technologies, supply chain partnering and other activities that heighten cybersecurity risks. “The challenge is kind of ironic,” Powers explains, “because what you really want to do is do more of all the things that create cyber risk. Those things are at the core of the business strategy. Not only can you not stop doing them, you actually want to do more of them.”

Powers’ logic makes a compelling case for a comprehensive, risk-based approach to cybersecurity. If snapping up a competitor, entering a new geography or outsourcing a function comes with additional cybersecurity risks, executive decision-makers should understand the nature and magnitude of those risks, weigh them against the benefits a strategic shift would deliver and then make more informed decisions.

Bespoke Solutions Proliferate

Powers’ competitors also tout the importance of comprehensive cybersecurity services. “The types of projects we’re doing are much, much larger,” Allan says. “They’re much more multi-faceted. They are often geared toward a complete re-architecting of the whole approach.” Allan assigns EY’s cybersecurity work to five broad categories: major security transformation work; cyber-threat management; identity and access management (a rapidly growing area thanks, in part, to the explosion of the Internet of Things); data protection; and business resiliency.

The terms “resiliency” and “business resiliency” crop up frequently when consultants discuss their cybersecurity offerings. Part of the reason for this is practical—as Shaghaghi notes, “prevention” is impossible for most companies. Companies need to “pivot from pure defense to resilience,” Lee explains. “That means you are able to adequately respond to the bad thing when it happens, because you know it will happen.” This state of resiliency shares more than a few fundamentals with the best-in-class business continuity management (BCM) capabilities that relatively few companies implemented and kept current in the past 10 to 15 years in response to massive natural and manmade disasters (hurricanes, tsunamis, terrorism, pandemics, etc.).

Achieving business resilience in the face of when-not-if cyber breaches requires a response covering a broad range of areas: IT security, regulatory compliance, law enforcement, shareholder relations, brand risk, public/media relations, customer and supplier relations, and so forth. “Resilience has moved out of the traditional business continuity planning realm into a much more real-time and more holistic view – of which cyber is just one component, but a very large component,” Allan says. “This is a growth area for us.”

It’s safe to say that most types of cybersecurity services qualify as high-growth areas. These offerings obviously vary in their structure and how they are organized. Capgemini’s global cybersecurity practice groups its offerings into three families of services: end-to-end advisory services, protection services and monitoring services. Deloitte describes its overall approach as “secure, vigilant, resilient.” Despite those differences, there are several common attributes of different offerings from different firms, which tend to be: