One on One with CohnReznick’s Shahryar Shaghaghi

As new technologies emerge and cyberattackers become more sophisticated, protecting digital assets and critical data has become a central focus of many organizations, but there is still much work to be done. Clients are turning to consulting firms with cybersecurity expertise more and more for help eliminating vulnerabilities. Consulting sat down with CohnReznick’s Shahryar Shaghaghi, Lead, Cybersecurity Advisory, to talk about the evolving cybersecurity landscape.

Consulting: What are your plans for leading CohnReznick’s cybersecurity practice?

Shaghaghi: It’s not that this practice doesn’t exist yet today, in fact they’ve had a good run in terms of offering cybersecurity and technology risk to the marketplace as we speak. This group has been involved in some of the largest and most important cyberattacks and cyber breaches, both from a reactive and forensics investigation service as well as proactive advisory. My role is to really come in and grow this practice substantially and help drive a number of services our clients are in need of. Our clients span from lower mid-market, where most of them today don’t have much as it relates to basic controls around cybersecurity, to sophisticated, well-established clients in that space. I have some thoughts to bring some additional services into this area. Today we’re already pretty deep in performing various types of security assessments and penetration testing, services around vulnerability assessments and ultimately helping clients close some of their gaps. I also want to look at our industries and some of our services on the digital transformation side. There’s a lot of cyber play in all those areas. 

Consulting: What are the biggest cybersecurity challenges facing clients?

Shaghaghi: Companies as much as they pay attention to financial audits today, in the future also have to pay attention to how to audit their cyber resiliency. Breaches are increasing across industries. Back in the day it was primarily a lot of financial services organizations where attackers targeted, today, attackers don’t discriminate. Their motives are very different and the level of sophistication of breaches increases as the tools are getting more advanced. And of course the hackers only have to be right once, us as defenders have to be right all the time. Breaches are expanding in terms of the impact as well as average cost of a breach, now estimated at close to $4 million per compromised record.

Consulting: What keeps companies from going full-force ahead with staff awareness about cyberthreats?

Shaghaghi: Larger organizations, especially in some of the critical infrastructure services like banking, manufacturing and so-on have been paying attention to this space for a while. I would say from the late ’90s to early 2000s they’ve been putting some formal programs around this and spending a lot of money to build up these capabilities. A lot of that had to do with the regulatory environment. Unless you’re not regulated or as large in size, most organizations kind of take this for granted in terms of the seriousness of the situation. Most of them even today are reactive rather than proactive, unless they get breached or some other organization they’re working with gets breached, or maybe if they get pressure from their boards, partners or clients to have some standards or certifications. The name of the game is changing and shifting, but unfortunately in most organizations we deal with cyber is not even incorporated into their annual budget. So it’s a shift from a standpoint of prioritization and really understanding what the core components of an organization’s risk management program are and bringing cyber into that equation. 

Consulting: How has the way companies approach cybersecurity evolved?

Shaghaghi: For most companies, cybersecurity translates into a small spinoff of their IT organization. That has evolved over time from infrastructure security to application security. They’re looking at it from an IT problem, but it’s becoming more than that. You have other issues you have to address when it comes to managing cybersecurity risk, making sure they have the right governance in place across the organization, not just in IT. When you have a breach, you need to understand your legal obligations, the internal communication commitments, the HR component, corporate communication, risk and compliance, and all these things that must come together is one area we help clients get together when it comes to incident response to breaches.

Consulting: How can companies make smarter investments in cybersecurity?

Shaghaghi: A lot of companies still don’t have their arms around what their crown jewel is. We work with clients to let them know regardless of level of maturity as it relates to cyber controls, you’re going to get breached. The name of the game is how well you can control and contain that breach to minimize impact. Therefore, if you apply a wide paintbrush kind of approach you are spending more money and addressing fewer issues, versus going to a risk-based approach and understanding what your crown jewel is, your critical digital assets and infrastructure you really need to protect. The traditional thinking of cyber defense is not going to be as effective today. You need to evolve with the times and the explosion of data growth, the whole issue around privacy versus security, utility computing and migration to cloud, the space around AI and machine learning, advanced analytics and of course IoT and everything that has to do with the integrated world is changing the way you need to look at how you put the right level of detection and protection services across the organization.