2013 has been a landmark year for enterprise security. Most recently, FireEye joined the ranks of public companies, while cloud security leaders Qualys & Proofpoint, among others, continued a steady climb in stock price. Unfortunately, this year was also a notable reminder of why we need to continue seeking innovation and adoption of new security solutions.
The Center for Strategic and International Studies estimates that the cost of reported malicious attacks and cyber espionage in the United States could be as high as $120b in 2013. Unsurprisingly, since the problem plagues both the public and private sectors, the federal government decided to get involved. Earlier this year, President Obama signed a Presidential Policy Directive and an Executive Order calling attention to poor standards around critical infrastructure cybersecurity. The order tasks the National Institute of Standards and Technology (NIST) with creating security standards for industries considered vitally important to the national economy. It also lays the groundwork for a centralized organization that would serve as a security information clearinghouse and analytics center to monitor network vulnerabilities and threats. At one point, President Obama proposed a minor medal of recognition for soldiers fighting to maintain US security, though some in the traditional military establishment bristled at the proposal. The initiatives are currently opt-in only, as Congress has not yet signed them into law.
While regulation is definitely an important step in raising awareness about systemic vulnerabilities, the impetus for security tech uptake in global and larger enterprises is going to come from proactive corporate governance. As a Thomson Reuters white paper, Regulatory Change Management: The Critical Compliance Competence, notes, the onus of responsibility has become clearer: “in the wake of the financial crisis, accountability has increasingly shifted to senior management and the board, who are held responsible for all activities and decisions within their organizations.” After all, while foreign and/or malicious hackers may seem like the bigger threat, let’s remember Julian Assange and Bradley Manning; regardless of your view on the morality of their actions, theirs (not Chinese hackers’) were the stories of the decade.
We believe three main trends will dictate the need for boards to drive security and compliance investment both internally and with upstream / downstream partners:
Device Scale & Mobile Proliferation
The number of devices connected to enterprise networks within the next year is projected to be in the millions, and it will continue to rise into the tens of millions through 2020. Kroll Cybersecurity, in a much-touted white paper, The Insider Threat: Why Chinese Hacking May Be the Least of Corporate Worries, points out that non-compliant behaviors come mainly from existing company insiders: “Moles, opportunists, contractors, disgruntled employees, and ex-IT personnel—all currently pose a greater risk to corporate intellectual property than state-sponsored hacking and APTs, both in frequency and in damage caused.” With personal device use for business (BYOD) becoming more common, and with each device likely to connect multiple times over its life across many networks (including 3G/4G cellular networks not controlled by the enterprise), the number of vulnerable connections and interactions grows exponentially.
While web and application security are evolving in their own right by recognizing that traditional firewalls and filters are insufficient (ex. startups like Impermium, one of ours, and Prevoty), mobile security and monitoring is even less mature. Increasingly, companies ask you to download their app and enter personal information, but they themselves often have little visibility into who (ex. which partners and 3rd party services) has access to that data (full disclosure: solving this problem is the key focus of a Bowery startup, mParticle). Because of the growing interconnectivity required for coordination and efficiency, it will be in companies’ interest to help bring their partners online so that critical information that must be shared stays within a protected network. This suggests an integrated approach, with firms specializing in distinct security disciplines like threat detection (ex. Digital Shadows) and network virtualization (ex. FireEye) connected via partnership or within a full solution provider. William Stewart, SVP of Booz Allen’s Commercial Cybersecurity group, reiterated this in a recent article, noting that no “single methodology or set of solutions” can mitigate the diverse array of risks the modern Chief Security Officer faces.
Vertical-Specific Risks & Regulation
From a previous Bowery Capital post on the topic: HSBC was fined $1.25b at the end of last year for enabling money laundering by Mexican cartels to the tune of $881m. Prior to the fine, and contrary to common sense, Mexico was classified in HSBC’s lowest risk category. More generally speaking, the regulatory climate and public expectations for financial institution governance have changed since 2008. Gone are the days of robust prop trading operations and high leverage ratios, and here are the Consumer Finance Protection Bureau and derivatives regulation. Big financial institutions are being forced to adopt sweeping GRC programs to manage risk and remain compliant. But those regulations aren’t limited to white-collar crime or LIBOR manipulation; data privacy is critical in finance and healthcare, among other industries. And data alone can be big business. Whereas enterprise attacks traditionally came from individuals or moderately sophisticated hacker teams, they now originate from massive networks of distributed users, highly sophisticated networks of “cyber-mercenaries” working on contract, and even nationally supported cyberwarfare groups conducting industrial espionage. The heightened economic value of “corporate hacks” has manifested itself in increasingly frequent, sophisticated, zero-day, and dynamic attacks.
Any one of these factors alone should serve as sufficient impetus for companies to upgrade legacy security capabilities. Enterprise security has historically been viewed as a way to mitigate risk. However, done proactively and in the true interest of the customer or partner, security can be a way to build customer trust. Demonstrating corporate leadership in safeguarding vital information is more critical by the day. We must find time to laud the management teams, IT groups, and board directors that take the time and resources to do so upfront, rather than merely punishing retroactively those that don’t and get caught.