Digital transformation brings digital risk. And with data everywhere, breaches are inevitable and becoming more common. It's no wonder cybersecurity consulting practices are booming. Is yours?
The procession of major cyberattacks on U.S. organizations makes news reports of these breaches sound as if they were dashed off by filling in a template: Ever since the __________(insert Fortune 500 company) breach struck __________(number less than three) weeks ago exposing the account information of __________(number greater than 50) million customer accounts, information security teams have been scrambling to strengthen their __________(cybersecurity weakness exploited by the attackers) defenses to avoid a similar fate.
Despite the Mad Libs-esque tone of these reports, boards of directors have grown gravely serious about strengthening cybersecurity in the face of rapidly changing external threats and ongoing digital transformations that continually alter the organization's risk profile.
"Digital transformation and digital risks are like the yin and yang," says Vishal Chawla, a Principal in Grant Thornton's business risk services practice and national leader of the firm's Risk Advisory Services practice. "You need to address both to build a performance-driven organization." These opposing yet related needs explain why cybersecurity consulting practices and business lines are growing at extremely healthy clips.
That doesn't mean that this work is easy or easily scalable. Numerous challenges, including a recent spike in cyberattacks by nation-states, less tech-savvy board members, fundamental gaps in existing capabilities and skills shortages, pose knotty obstacles to the step-change improvements most cybersecurity programs require. In many companies, "the basics of information security are not in place," notes Vinnit Patel, the head of Cybersecurity and Risk consulting in the U.K. for Infosys Consulting.
The process of getting the fundamentals squared away and then maturing a cybersecurity program faces stout headwinds.
Dramatic Changes All Around
Twelve to 18 months ago, one of the most common requests for cybersecurity help, Patel recalls, consisted of staff augmentation and specific types of expertise. "We would often get requests for a consultant with a particular type of skill to complement a team," Patel continues. "More recently, though, there's been a significant shift. Clients want outcome-based services. They'll present us with a problem statement and ask to apply our industry and domain expertise to share how we would address the problem."
Patel and other cybersecurity consulting leaders also report major increases in the volume of client demand for cyber-consulting services. These requests are largely being driven by three factors.
1. The External Environment
Add up all of the Internet of Things (IoT) sensors coming online during the next few years, factor in the rising frequency of cyber breaches, estimate the shareholder value and reputational hits sizeable attacks inflict, and the math quickly becomes staggering. Although this formulation is blunt, its implications are crystal clear: cyberattack surfaces are rapidly expanding, bad actors are deploying more sophisticated attack methods, and larger portions of organizational value are at risk. Perhaps the most difficult aspect of cybersecurity is that the effectiveness of this internal capability hinges on a range of unstable external factors, including the threat environment and changing regulatory expectations.
"Within the past 12 months or so, the [cyberattack] activity from nation-state actors has increased dramatically," reports PwC U.S. Cybersecurity and Privacy Leader Sean Joyce. "A lot of countries are learning that this is a low-investment/high-impact activity, and one that can be used not only for geopolitical purposes, but also for economic purposes."
Scott Laliberte, a Protiviti Managing Director and leader of the firm's global cybersecurity practice, agrees that cyber risks are transforming. "Attackers are no longer just seeking credit card and personally identifiable data," Laliberte notes. "They're looking for new ways to monetize attacks through means such as ransom, business disruption, or collecting business-related data that could be used for financial gain."
Increases in how often companies are paying ransoms (in as many as 45 percent of ransomware attacks, by some estimates) paint a grim picture of how effectively this monetization is working.
As regulators become more educated about cybersecurity risks, they are issuing new forms of requirements and guidance that add to organizational compliance burdens. GDPR and the California Consumer Privacy Act (CCPA) qualify as game-changers, yet they likely mark only the beginning of a new era of data-related rule-making. A U.S. version of GDPR appears to be in the works, and the SEC is looking closely at how cybersecurity risks affect mergers and acquisitions. "Data privacy is going to be the biggest regulatory mandate change during at least the next two to three years," Chawla asserts.
2. Internal Transformation
Changes are also occurring inside companies, which further complicates cybersecurity. "You constantly hear about digital transformation and cloud transformation, but the impacts of these activities are very real," says John Wheeler, Vice President of Strategy and Offerings at IBM Security. "Look at manufacturers as they incorporate sensors in their factories and in the products that they produce and send out to customers," he says by way of example. "That's changing their traditional view of security." Besides continuing to secure their shop floors, manufacturers now need to protect the data streaming in and out of their systems and products, as well as the micro-transactions that use this data. "The same things happening in manufacturing also are occurring in healthcare, utilities and other industries," Wheeler adds. "Everything is getting more digitized."
Digital transformation now tends to occur hand-in-hand with the adoption of new and emerging technologies, whose information security risks need to be understood and addressed, notes Tom Parker, Group Technology Officer of Accenture Security. "Clients are implementing tools that create new exposures that have not been considered in the past," he explains. "If you look at things like blockchain and machine learning, there are some new and interesting vulnerabilities that can arise if these types of technology are not implemented correctly. We're trying to help companies think ahead regarding the ebb and flow of new technology implementations."
3. Cybersecurity Consulting Practices
Those changes are causing consulting firms to make more frequent and dramatic changes to how they organize and deliver cybersecurity services. Last year, Deloitte completed a significant realignment of its cyber practices so that offerings can be provided in a solution-centric manner, notes Emily Mossburg, the firm's advisory and implementation leader for cyber risk services. Similar overhauls have taken place within most other large firms. "We've changed drastically over the past 18 months," reports PwC's Joyce.
Cybersecurity leaders say they continually recalibrate their offerings to reflect the fast-changing threat environment and the technology changes occurring within client companies. "In the past 18 months, our teams have become more cross-functional to help solve larger, more complex problems," Protiviti's Laliberte reports, noting that his cyber team often works closely with the firm's data analytics and data visualization specialists.
Among the many structural changes and recalibrations cybersecurity leaders promote, a few stand out. Deloitte Risk and Financial Advisory has a ventures portfolio "that allows for the incubation of new risk-driven technology solutions designed to address clients' most challenging problems," Mossburg reports. This cyber venture team, she adds, "works in tight coordination with our broader cyber practice to introduce new solutions into the practice and to listen to the needs of industry and organizations."
Three Areas of Focus
As complex as the external cyber risk situation and internal technology environments are becoming, high-level cybersecurity strategy tends to be relatively similar and straightforward across most organizations: select a cybersecurity framework (e.g., NIST or ISO), assess the organization's current capabilities against that framework's maturity scale, and then prioritize and address the gaps.
Consulting firms are assisting with those assessments as well as the comprehensive work required to address shortcomings. Specific areas in need of attention include application and data security, incident response practices, and identity management. When cybersecurity consulting leaders discuss these engagements, three other focal points loom large as enablers of successful consulting engagements. These areas also appear likely to generate more client interest over the coming year.
Focal Point 1: The Board
Clients and consultants are paying more attention to the board's awareness and understanding of cybersecurity issues, as well as to what information is reported to the board committee that oversees cyber risk. Given that cyber breaches are now a matter of when, not if, "boards want to know how quickly the company can handle the breach and get back up and running," notes The Santa Fe Group Chairman and CEO Catherine Allen.
As cyber risks comprise a larger portion of an organization's overall risk appetite, board-level adjustments are needed. "Boards may need to restructure their committees and develop new charters to adequately oversee cybersecurity risk management," notes Dave Burg, EY Americas cybersecurity leader within the firm's advisory services. Clients are also asking for guidance regarding which executives should present on cybersecurity to the board and the nature of information those reports should contain.
Wheeler, whose IBM team regularly conducts tabletop cyberattack exercises for boards, says that more corporate directors and C-level executives are treating large cyber breaches as business incidents rather than as the sole purview of the information security function.
That's a perspective that needs to be nurtured in most cases, according to a recent Deloitte global risk management survey in which only 30 percent of responding CEOs and board members identified their boards as highly engaged with cybersecurity.
Focal Point 2: The Trenches
The emergence of cybersecurity as a key corporate capability over the past five years drove widespread implementation of new governance structures and policies. Now, many companies need to make significant strides in how they put those policies into action. "If you perform a high-level audit, you'll often find that the company has information security policies and a governance framework in place," Patel says. "They've got the typical controls in place, they are patching the environment, and performing vulnerability scans."
But when cybersecurity experts dig a little deeper into the underlying processes, a different picture emerges, Patel says. "Even today, many organizations don't have process ownership in place," he continues. When Patel's team asks who is responsible for patch management or access management, they often receive shrugs in response. "That makes it much more complicated to ensure the controls within each of these underpinning processes are actually being executed," he adds.
Roles and processes need to be clarified and improved so that organizations can manage cybersecurity in a much more effective and efficient manner. It's "one thing to be able to say that I can patch systems, but it is another to say that through my processes I can confidently secure pre-release financial data throughout our organization," EY's Burg points out. "The next generation of cyber leaders will need to be comfortable, not only addressing risks and issues through solutions but understanding, stating and optimizing tangible risk reduction throughout all their efforts."
This maturation needs to occur to support risk-based decision-making concerning cybersecurity investments. As Laliberte emphasizes, cyber risk is not the only business risk organizations face. "Quantitative risk analysis can help to provide context for cyber risk in financial terms that can then be used for apples-to-apples comparisons with other business risks," he notes. Mossburg agrees, noting that many organizations struggle to "quantify and trend the enterprise's cyber risk posture to leadership and the board."
Focal Point 3: Third Parties
"Third party risk management is a huge challenge in many organizations," Parker asserts. Supply chain risk management marks a related issue that also poses cybersecurity challenges, as the recent Huawei controversy demonstrates.
Nearly two-thirds of the CEOs in Deloitte's survey identify extended enterprise partners as the largest cybersecurity risk. Many companies continue to "worry about their supply chains and extended third, fourth, fifth party relationships," Mossburg confirms. "In many cases, clients have impacts from an incident and they weren't even a target. The target was the third party, but the openness allowed for an attack to impact the client, opening them up to a new set of adversaries."
Patel notes that many organizations have difficulty validating whether vendors and other third parties are adhering to the information security requirements laid out in contractual agreements. A good way to determine if this is a problem, he adds, is by monitoring how frequently vendors raise exceptions to those information security requirements or request a waiver from a specific requirement. If vendors are not pushing back, Patel notes, there's a good chance they're not embedding contractually required information security mechanisms into their delivery processes.
As more reporters fill in the blanks in their accounts of staggering cyberattacks, more companies will turn to consulting partners to eliminate the riskiest gaps in their cybersecurity capabilities. While that much is assured, the precise nature of how these requests will evolve during the next year and a half remains highly uncertain, given the fluid nature of cyber threats as well as internal IT environments.
Sidebar: Three for Thirds: Vendor Risk Management Challenges
Cybersecurity consulting leaders point to third-party risk management as a crucial area that clients need help addressing. As companies share more data with more third parties (e.g., cloud software firms, cloud storage providers and supply chain partners), they must maintain effective methods of governing, managing and monitoring these relationships from a cyber-risk perspective.
Mature vendor risk management capabilities frequently exist within companies with boards of directors that are highly engaged with third party risk issues, according to studies conducted by Protiviti and The Shared Assessments Program, a membership organization devoted to fostering third party risk assurance. However, the latest version of this ongoing research indicates that only 32 percent of boards are highly engaged with vendor risk management issues.
Besides board engagement, Catherine Allen, chairman and CEO of The Santa Fe Group (which operates the Shared Assessments Program), describes three other third-party risk management challenges that exist across most industries:
1. Keeping track: Companies, especially larger enterprises, have difficulty monitoring vendors because: A) they have so many external partners; B) numerous different business units and groups within the company manage these relationships; and C) vendor information is kept in a tangle of different information systems.
2. Clarifying responsibilities: In some cases, responsibility for vendor risk management resides with the procurement function; in others, the CIO, chief information security officer or chief risk officer owns the capability. Given that third party risk management is a relatively immature discipline in many industries, standards for where the capability is located in the organization have yet to emerge. Allen advocates placing a third-party risk management group within the risk function because the discipline should be treated as a pivotal component of enterprise risk management.
3. Managing competing priorities: Different buyers of third-party services have different priorities—including some that take precedence over risk management considerations. Procurement functions tend to look for the lowest-cost option, for example. Other buyers within the business may focus on access to innovation and speed (i.e., how quickly a prospective vendor can get the relationship up and running). When these types of priorities drive the vendor-selection process, assessments of vendors' data-protection capabilities, processes and controls tend to receive short shrift.
© Arc, All Rights Reserved.