Podcast transcript: How to overcome cybersecurity challenges in a post-pandemic world
35 min approx | 19 October 2021
Susannah Streeter
Hello, this is the EY Microsoft Tech Directions podcast, Cybersecurity in a post pandemic world. I'm your host Susannah Streeter. As businesses adapted to widespread disruption during the pandemic, the scale and speed of the shift to new ways of working was immense. IT departments transitioned armies of workers from the office to home, supporting customer interaction virtually, and keeping supply chains open through digital platforms. But the speed of change came with a heavy price. Many businesses did not sufficiently consider cyber security in the decision-making process.
As a result, new vulnerabilities entered an already fast-moving environment and continue to threaten the business today. 81% of executives who took part in the EY Global Information Security Survey 2021 said that COVID-19 forced organisations to bypass security processes. So now as the dust settles, it's become evident that IT teams have an even bigger network to operate and protect while also continuing on their digital transformation journey. So it's crucial that organisations act now to ensure that they have the C-suite level confidence in their ability to protect both mission-critical systems and their customers’ personal data. And that's what we're focusing on in this podcast. How do you foster a security-by-design mindset and provide the armor for the valuable new digital assets, which will power our future? One of the best ways of reinforcing networks while still empowering employees, and boosting productivity, creativity, and collaboration.
Well, we have two esteemed thought leaders in the business to take us through the challenges and opportunities. But before I introduce them, please remember, conversations during EY podcasts should not b relied on as accounting, tax, legal, investment nor any other professional advice. Listeners must consult their own advisors.
Joining me now from Massachusetts is Joram Borenstein, General Manager of Security Sales Strategy and GTM at Microsoft. Great to have you here, I know you're in demand, so thanks very much for your time.
Joram Borenstein
Thanks for having me. Great to be here.
Streeter
And from Alexandria, Virginia. I'm delighted to welcome Kris Lovejoy, former EY global consulting cybersecurity leader. Hi there Kris. Thanks very much for interrupting your busy schedule, because I know you must be working with organisations pretty intensely to help protect and grow their businesses right now. So it's great to have you here.
Kris Lovejoy
Thank you so much. And yes, it is indeed a very busy time for us.
Streeter
So Joram, I want to ask you first, let's take us to the start of the pandemic and the enormous challenges organisations were faced with in switching to digital in such a short amount of time. Is it understandable, then that cybersecurity was lower down on the list of priorities, when new systems were adopted?
Borenstein
It's a great question to start off with, I think it is, to some extent, understandable, you know, the pandemic, the way it started, at least, you know, year and a half ago, approximately, depending on what part of the world one is in, you know, it was historic, in every sense of the word, very few people alive, certainly probably very few people working, if any, had any experience with this kind of situation.
I think it really challenged businesses at their most fundamental levels about, you know, how do they continue operating? And so I think, unfortunately, I think it is, to some extent understandable that some of the emphasis on security, and even some of the basic issues of you know, cyber hygiene, etc., did at least initially, sort of fall by the wayside. I think very quickly, though, that that did change, right, businesses did fundamentally recognize that, you know, if they had people working remotely, who perhaps had never worked remotely before, they needed to think very differently about their network security, their endpoint security, their identity, and access management, etc. And in cases of businesses that did continue to operate physically in person, they also think very differently about, you know, issues of physical spacing and devices, perhaps, you know, not being shared as much. And, again, all of those, whether it was a work-from-home scenario, whether it's a hybrid scenario, whether it was still a, you know, working-in-person scenario, there were I think, you know, quite a few implications from a cyber point of view.
Streeter
Absolutely. Kris just what is the scale of the problem?
Lovejoy
Well, I think let's dial back before the COVID period, and I think the statistic that you pointed out about the 81%, that is that is a large number and larger than we've ever seen before in the pools of organisations that have sort of avoided the security conversation at the beginning of a digital transformation. But that said, having been a practitioner in this field for going on almost 30 years now I can say that this is a very, very crisis or compliance driven market, by and large. And so historically, organisations, even prior to the pandemic, have tended to treat security, as you know, sort of that compliance function that came in after a new initiative was designed, prototyped and perhaps even rolled out. And so I think, what's happened within COVID is, it's not necessarily new. But what it's done is it's exaggerated a trend that existed before. And I think one of the issues that is further exacerbating the situation we're in, is the fact that during COVID, not only were these new technologies rolled out without, we use it in the example of, if you're rolling out a car, and you put it into the showroom, and then figured out, you had no seat belts, you'd have a problem.
And so think about the same thing within the security perspective. But not only did we roll out massive amounts of technology without the seatbelts built in. But we also cut back on our budgets from a security perspective, as well as cutting back on hiring. And so now what we find ourselves in is in a situation where there is a lot of risk that has been inherited by the security organization, so a bigger attack surface that they need to protect, they are trying to figure out from a budget perspective, how do you deal with this inherent risk, as well as deal with the new strategic initiatives that the businesses are outlining today. And then moreover, they're engaging in kind of hand-to-hand combat in hiring the right people to help them in solving the problem.
Streeter
So tell me more about the concept of security by design, why is it crucial that it underpins decision making, and that security isn't just an afterthought?
Lovejoy
What typically happens, or what should happen is that a security organization should be working with the business, let's say the business is undergoing a supply chain transformation, as they're thinking about that supply chain transformation, they should be helping the business to think about, okay, what does this mean? What are the systems that we're going to be bringing in? What are the kinds of people that are going to be interacting? What are the kinds of processes that are going to be executed? How does security play a part in us? How do we both protect our data and our systems, but also enable the right human beings to communicate with the other right human beings within this particular process? And so having that conversation upfront, and allowing for the CSO, or the security team to have business risk discussions, help the business understand what the risk is, and select the right types of controls to implement is critically important. That's security by design. It's sort of peeking around the corner, understanding what is the need for the business, and then helping them get there.
Streeter
So how do you then Joram, actually make sure that the groundwork is laid to ensure that security by design is built from the ground up? Because it's not as simple as just doing it is that I mean, there needs to be the right groundwork first.
Borenstein
Yeah, I think it's an excellent question. I think it is the question in most executives’ minds, you know, to Kris's point a moment ago. I'd make a couple of comments, I'd say, look, this world of hybrid work, and digital transformation obviously has now been with us for a year and a half. So it is still for many leaders a relatively new concept. Some of them were, of course, working on these types of projects, perhaps in a smaller capacity before the pandemic started. But many were not from my sort of anecdotal experience. And what we're seeing now, quite frankly, is that literally almost every single customer thinking about hybrid work is thinking about it from a security point of view, or is weaving security into that conversation. And more specifically, what they're asking for help for are things like, how do you create a seamless and a secure experience for every employee, regardless of whether that employee is never in the office, always in the office or sometimes in the office.
Right, there shouldn't really be a distinction from their own experience just based on where they're physically located. Obviously, they're also thinking a lot about cost savings and consolidation. Right, that plays an important role. Of course, in most executives decisions. They're also quite frankly, looking at blending, what I would call the digital world with the physical world, right and thinking a lot about physical factories and physical assets in the same way they're thinking about digital assets. And I know oftentimes, those topics are treated separately and if you read mainstream articles and things like that, but increasingly I do think you're seeing leaders try to think about those blended together. And then last, but not least, how do you just fundamentally in our customers, how do they think about modernizing their whole security operation? Right, which can mean any number of processes, technologies, training, hiring. And we're seeing also, in many cases, you know, reorganizations because simply the way an organization was structured before the pandemic may not be fully optimized for what the business needs today.
Streeter
Yeah and you talk about cost cutting, sometimes teams and businesses in general are being pulled in two directions, the need to make immediate costs, but then again, you've got to get this issue right, in terms of reputation and ultimately, the bottom line, don't you?
Borenstein
For sure, customers we talked to think a lot about these issues. We conducted a survey, Microsoft conducted a survey in August of 2020. So just over a year ago, looking at about 800 business leaders across a number of different countries. And what you see, time and again, is that the businesses are still in some cases being impacted by phishing scams, they're still trying to figure out what the ideal security budget they need is, and hiring and retention of key talent, you know, remains a key issue. Those are some of the obvious themes that popped up. And it's fully aligned with some of these challenges that the businesses were facing.
Lovejoy
You know, I want to flip the conversation on a little bit off its axis, because I think that this issue on cost savings is actually an opportunity. And so what do I mean by that? I said before, that the security industry is largely a compliance or crisis driven industry. So, what's happened over the years, and, you know, when you talk to a CSO, you know, what they'll tell you is, because of the approach that we've taken, instead of thinking strategically about security, often time, the only thing the business allows us to do is to find the solution to the problem that we face today. Meaning that if it is a we've got the auditor coming in and saying you've got a problem here with A, I'm going to buy the narrowest possible solution to A at the cheapest possible cost.
And so what happens over time is that your closet gets full of technologies and policies, etc. And because you're doing it for compliance reasons, you can never take any of that stuff out. And so over time, what's happened is, organizations have become overloaded with almost too much stuff from a security controls perspective.
So I think one of the opportunities we have today, from a digital transformation perspective, is to massively simplify the infrastructure that we have in place to protect our organisations, and to main overall security and resiliency. And so I think that the cost savings gives us this window of opportunity for us to go in and question what we've got in the closet. And I think that the other thing that this allows us to do is actually fast track the pace of transformation. Because I would argue that moving to a cloud infrastructure as an example, that actually will lead to a massive simplification, and a rationalization of controls, that not only will allow you to save cost, but will actually allow you to improve your security. And so one of the things for organizations that have a lot of legacy risk, that are facing these a sort of budget crisis – use it as an opportunity, go back, clean out your closet, and use it as a as the rationale to run, not walk, to a transformation.
Streeter
Yeah it's interesting, that analogy of cleaning out the closet, because Joram you think it's even more crucial right now, because regulatory fragmentation is piling on the pressure?
Borenstein
Yeah, I think I fundamentally agree with where Kris is going in her comments, I would say it's not uncommon to encounter a customer with a few dozen different security and compliance products from multiple different vendors, right, and watch them to Kris's point, struggling with getting these products to work together, if that's even possible. And so, when it comes to audits and regulatory pressures and realities, what do we tend to find is customers tend to say, again to Kris's point, if I could build on that for a moment, they tend to say, ‘Well, I need to get this done just to pass the audit and just to get through the compliance hurdle that I'm facing right now’. And so compliance is, I would argue, a big consideration. I think it is growing. And I think the complexity in the regulatory environment as businesses launch new products and services to remain competitive, and also enter new markets, new jurisdictions, is critical. And then the last thing I would say on this, if I may, Suzanna, is privacy, right? I think the world has gotten much more serious about privacy than I think it ever has been. There have always been parts of the globe that are have been more serious than others. But I think what you're seeing now is fundamentally a fairly consistent growth worldwide and it concerns, again, both at the business level and at the individual consumer level on privacy.
Streeter
So Kris, what challenges do you think fragmentation presents?
Lovejoy
I have to say, and this is probably worthy of a full day of conversation. But you know, this issue of compliance complexity is something that we're all dealing with today, but is going to get much worse. And let me explain just for a minute why. So, one of the wonderful outcomes of all of the backlash against globalization, and the populism is this onslaught of new regulations, cybersecurity, and privacy regulations that are coming out in the individual nation states. If you look at the mature and emerging nation states, as defined by the ITU, what you'll find is about 80% of them have introduced or are planning to introduce new privacy and security regulations in the next 12 months. Now, what does that mean? It means a huge amount of fragmentation, because each of these regulations is just a little bit different. And so if you think about it, from a practitioners perspective, not only do I have all of the cyber risk, but now I've got a way through all of these very very balkanized requirements that require me to think about how do I maintain data locally? How do I meet individual requirements vis-à-vis disclosure? How do I implement you know, sort of different kinds of controls over encryption, etc., etc. So this problem on the compliance side is going to increase the pain, I think, for the security organization. So, where do you start? How do you even begin to think about this? You know, one of the things that, you know, I always advise is that, again, let's go back to the business, you know, at the end of the day, this is all about businesses, providing services to a customer, whether you're a government or nonprofit, or you know, a for profit enterprise, you are providing a service to somebody. And so the question is, you know, what is the risk associated with that service? What are the obligations that I may have, you know, vis-à-vis the location in which I'm providing those services? And so in answer to the question, where do you start? Yes, start at the beginning of understanding the business service. And I know, that may seem really trite. But one of the problems that I'm seeing is that, CSO's don't necessarily always understand the language of the business, the relationships between themselves in the business are not necessarily the healthiest and so therefore, because the conversation isn't starting at the beginning, and not really understanding the way the business works, we're not necessarily able to identify the risk and then optimize the controls around that.
Streeter
So Joram do you think that part of the long-term strategy should be giving security officers a steering role in innovation?
Borenstein
I think yes they should be involved in innovation, I fundamentally believe that, but I think some of the organisations we work with still have some more sort of baseline or fundamental issues at play. And what I mean by that is, the reporting structure for a CSO is still not always clear, and not always appropriate. Right. And a lot of organization's CSOs don't report directly into the CEO or don't even have regular board access, they may be accountable to the board of directors for something, you know, once a quarter, once a year, etc. But they don't always have the visibility and the and the ability to get access to senior leaders, you know, for when a crisis demands it or just when, you know, regular business demands it. And so I think we are still witnessing in many ways an evolution of the CSO role in the same way we sort of witnessed with CIOs in the 1990s.
It took a few years for businesses to figure out how senior should the CSO be? Where should the CSO report into and even after that, where should the CSO have access to, again, for a sort of break glass emergency scenario. The second comment I would make, Suzanna, is that fundamentally CSOs as I think people have witnessed in many organisations don't, they don't stick around for that long, sometimes by choice, sometimes not by choice. And so there's a lot of pressures on CSOs from day one, or even day zero, to perform and to show impact. And it is awfully hard in large, complicated organisations to do that, especially if your reporting structure doesn't always align and isn't always optimized with what you're ultimately trying to achieve. And I think for those couple of reasons, I think, yes, the CSO should be involved in innovation. Yes, the CSO has very intelligent things to say about innovation and it has a tremendous amount to add about innovation. But in many organisations that we spend time with the issues are so much more fundamental and basic, that that conversation about innovation is still kind of a future conversation.
Streeter
So Kris do you think establishing good partnerships and collaborations will help CSOs use the best strategies and maybe feel less isolated?
Lovejoy
Yeah, absolutely and you know, I also think, as a practitioner, I have to say, it's really interesting, when you study the perception gap between CSOs in the business. One of the things that we looked at and we asked CSOs in our latest survey is, how do you perceive your relationship with the board? Meaning, do you think that the board understands you, understands the value of what you do? And 46% of CSOs would say, yes, that the board is fully on board, they're there, they're good with, you know, all of the strategy and the sort of the execution activities. Then when you ask the board the same question, what do you think about the security organization, only 9% of board members of those same organisations are confident in the ability for the CSO and their teams to actually protect the organization. So there's a big gap there. And I think that, you know, when you dissect it a little bit, what you find is that one of the biggest problems is in the method of communication, boards would say that the CSOs, and the security teams don't necessarily speak in the terms of the business. And the CSOs would admit themselves, that they're not particularly good at it. And in fact, only about 20% of them have the ability to quantify risk within financial terms.
So, I think that there is definitely an opportunity for there have to be a bridge. But I think that there has to be a two-way recognition of the need for the CSO to improve their ability to speak within business terms. And I think that the supervisory and management boards really need to think about, at what point are they bringing in the security teams to have conversations and make more of an effort to actually pull them in, as opposed to assuming that the CSO is just going to be able to do their job without a little bit of help.
Streeter
And do you also think, let me bring in Joram, do you also think Joram that part of the issue is the perception, some would say, myth that a greater focus on security, might stifle creativity and productivity within the business?
Borenstein
Yeah I think that's a perception that does persist in some quarters. But I think it is a dying perception, I think, enough businesses have seen the cost of not weaving security and privacy and other relevant, risk, in some cases, into new products and into new innovation from the ground up and so I think, while a lot of people like to move fast and feel that weaving CSO in his or her organization into the conversation could slow them down. I think, more and more people are realizing, quite frankly, that it may feel like it's going quickly, and it's going rapidly at first, but ultimately, it's going to encounter some fairly significant speed bumps that ultimately will take longer.
Streeter
And I also want to pick up on what you talked about a little earlier, in terms of attracting the right talent. But the other issue we need to mention is that the industry is also experiencing a skills gap, and there's labor shortages across many industries. So how can firms navigate this Joram?
Borenstein
It's a great question. It is a topic that is on everyone's mind, most survey data, you will reference would actually argue that the dearth of talent has only gotten worse. Since the since the COVID pandemic started, depending on again, which survey you look at the worldwide gap in cybersecurity skills could easily be three or even four million professionals, again, depending on which survey you reference. And I think the challenge is that businesses are increasingly realizing that the shortage is probably something they are going to be contending with for the long run. And that the attacks are only getting more sophisticated, so that it's a double edged sword, if you will, of having to retain the existing talent, train them, make sure they're up to speed on the latest and greatest technologies, processes, threat vectors, etc., while also looking to not overwhelm the teams. Fundamentally, I think it's going to be a team effort. I think it's going to be public sector, private sector working together. And I'd also argue it's about identifying new sources of talent. I think, organisations have not historically thought about their talent pipeline, holistically. They've not thought about diversity of thought, diversity of perspective, diversity of experience. And I think there is a real opportunity here to bring again globally in the cybersecurity professional industry to bring in new voices and new perspectives to help with these very significant challenges.
Streeter
How do you think new perspectives can be brought in, Kris?
Lovejoy
I want to echo everything that Joram just said, you know, I think he's dead on right on the subject, I would add on these perspectives, you know, one of the answers to this problem is partnership. Now, you may be listening and thinking, you know, gee, of course, you come from a security community that provides security services. But I do think, having spent most of my time as a CSO, that good partners can provide the expertise and experiences that you're not going to be able to staff on your own. But moreover, there's a second aspect to that, which is as you're thinking about your supply chain partners one of the biggest risks that we all face is the recognition that our supply chain partners may fail in their duty to implement appropriate controls. And we just leave it to the procurement organization and the terms and conditions in a contract. Assuming that, you know, security is being built into the contract, we have nothing to worry about and that's just not correct. So I think the other aspect of this is by us increasing the scrutiny in and around our supply chain partners, and demanding that those supply chain partners do a better job when they provide us digitized products and services. What that does is it frankly, decreases the amount of work we have to do as practitioners to you know, sort of clean up the mess. And so I you know that seems like maybe a little bit of a circuitous answer, but I'd say in addition to what Joram says those perceptions of, you know, partners, both from bringing in the skills, as well as making sure that they don't introduce risk is really important.
Streeter
Also, as well, as we've talked about cost cutting, squeezed budgets can really hinder progress. Kris what examples can you share where companies have successfully taken a bit more of a strategic approach to cybersecurity funding?
Lovejoy
Oh, yeah, no, absolutely. You know, I think going back to Joram was talking a little bit about, you know, sort of the reporting of the CSO. You know, one of the other things that we see, in addition to kind of the CSO being kind of buried within the IT organization is the fact that the budget is fixed, and it becomes a part of the IT budget. And it actually is a very small part of the IT budget, you know, what we're seeing is that if the IT budget, you know, we the outside organisations would, you know, benchmark it at about 2-5% of revenue, the security budget for any given corporation is .05 percent of revenue. Okay, so think about that 2-5%, is it .05 percent is security, that's a fraction of, you know, perhaps what it should be. And as I mentioned, it is fixed, and it is buried. And so one of the things that we're seeing leading organisations do is better align the budget for security, to be more dynamic and benchmarked to how the business is spending vis-à-vis digital transformation programs. So instead of thinking about it as a fixed pool, and you know, there is going to be some operational spend that isn't going to change, there is a percentage of the budget that is allocated toward enabling digital transformation. And I think just having that kind of funding mechanism in place, it also puts the businesses on notice that security is important and needs to be built in.
Streeter
Joram do you think flexibility in funding is absolutely key?
Borenstein
I do. And the other the other irony of the global pandemic I would add to all of this is that, you know, businesses have, really truly internalized the fact that there is phenomenal talent everywhere. And by saying everywhere, you know, it means, you know, much of that talent may not lie within 25 or 50 miles of some corporate headquarters, but the reality is that for an industry that is facing such tremendous challenges and a shortage of talent, like, I think it behooves all of us to think very creatively and very broadly. And that includes not only thinking about new sources of talent by going into, to, you know, new constituencies, new populations, etc., different types of, you know, schools, universities, etc. but also to think about does every job need to be in a geographically specific location or not? And I think businesses that are increasingly asking themselves that are discovering that they now can hire in ways that again, maybe as recently as two years ago would have been inconceivable.
Streeter
Yeah, it's really interesting how the world has changed and just what effect the pandemic has had in so many ways. Now, we're coming to the end this podcast and I just want to ask you to look into your crystal balls and tell me just how confident are you that when we look back in five years’ time, that companies will have surmounted all the cyber issues they're currently facing, Kris?
Lovejoy
I think we're in a perfect storm. And I know that some of what I've said, the dwindling budgets and hard-to-find talent, and failure to include security inside coupled with lots of regulatory complexity that just seems kind of like the sky is falling. One thing I can say about the security industry is we're really good in a crisis. When it's crunch time, that's when we shine. And so what my hope is, as I hear from executives, business leaders, and supervisory boards, as they increase their interest in the subject, and I'm seeing the influence of the CSO increase, I think, and I am hopeful that that kind of nexus is going to allow us as security practitioners, to finally address that fundamentally broken approach that we've taken. And instead of us looking at it as a compliance or crisis function, you know, something to be ignored at every possible cost, finally, we're going to be able to kind of take the reins, and really treat this as a business risk that it is and, sort of get the headspace, if you will, with the executive community and be able to make that positive change.
Streeter
An optimistic outlook, Joram are you as positive?
Borenstein
I am I am fundamentally optimistic. I mean, you know, if we look back 10 or 12 years, there weren't that many CSOs, right. Many organisations did not have a chief executive with responsibility for security and only security, right? They might have had someone in the IT department, who did three other jobs and security was just a fourth leg to that stool, if you will, are leg to that table. And that's not the reality anymore. And then as recently as maybe seven or eight years ago, even if you said the word CSO. To someone, they would say what's that? Right, and you would have to define the term, that simply isn't the case anymore. CSOs are a well understood role, it's a normative role in most large and midsize organisations, the organisations that don't have CSOs or full time CSOs understand it, and are trying to manage around it. So fundamentally, we're at a much better place than we were as recently again as 10 or 12 years ago. The second reason I'm optimistic is that these are basically solvable problems in many, many cases. A lot of the challenges that we see are driven by a lack of some pretty basic cyber hygiene, issues around identity and access management issues around Endpoint Protection, etc. And what we're seeing I think more and more is people are realizing that getting the basics right and getting one's cyber hygiene, again, at an organizational level improved, is yes, it requires diligence and focus. And it may require, you know, board visibility. And obviously, Kris made some very important comments a few minutes ago about budget, but the reality is that there is a path, there is a roadmap to doing that in most cases. And then the final comment I would make is board visibility. Cybersecurity issues were not discussed for the most part at the board level, again as recently as 10 or 12 years ago, and that is just not the case anymore. And so, if you look at the trajectory of these three topics, the reality is these issues are becoming more widely understood, more widely recognized as real fundamental risk issues to an organization and they're becoming more widely professionalized if I could make up that word for a moment and budgeted.
Streeter
Okay, thank you so much for all of your insights. We are coming to the end of the podcast now and I just want to thank you, Joram and Kris for joining me to talk about all the cybersecurity challenges we're facing. So many valuable insights that you have provided.
Borenstein
Thank you, Susannah, this was lovely.
Lovejoy
Thanks so much Susannah for having us.
Streeter
You've been listening to the EY and Microsoft Tech Directions podcast, Cybersecurity, in the Post Pandemic world. For more information you can visit ey.com/microsoft. And a quick note from the attorneys. The views of third parties set out in this podcast are not necessarily the views of the global EY organization nor its member firms. Moreover, they should be seen in the context of the time in which they were made. I'm Susannah Streeter, thanks very much for joining us. EY and Microsoft, your digital world, realized.