I had the pleasure of attending the recent World of Connections conference hosted by Wipro Ventures, Nokia Growth Partners Capital and Maersk. The event featured panels and speakers focused on the future of work, transportation, and enterprise business. One of the most interesting sessions was focused on the topic of cybersecurity. The panel was moderated by Aleksandr Yampolskiy, Co-founder and CEO of Security Scorecard, and included Rishi Bhargava, Co-founder and VP of Marketing at Demisto (recently acquired by Palo Alto Networks); Rob Gurzeev, Co-founder and CEO of CyCognito (a Wipro Ventures Portfolio company); and Ken Ricketts, CISO at Coupa Software.
Aleksandr opened the discussion with a thought-provoking question (paraphrased): Given the immense amount of capital that has flowed into the cybersecurity sector — both investments into startups and the purchase of cybersecurity software — how is it that the number of data breaches and companies reporting a hack is only increasing?
Each panelist brought a different perspective, reflective of his experience and position in the industry:
Ken Ricketts, from his view as CISO, described how the environment has drastically changed. “We live in a world where velocity is our biggest enabler and also our biggest challenge.” As a CISO, he’s focused not only on risk, but also on enabling the rest of the organization. It’s essential for him and his team to meet or exceed the velocity of the rest of the business, which will inevitably lead to a wider footprint. Enterprise cyber-defenses have shifted from hardened perimeters to distributed software systems spread across the entire supply and value chain.
Rob Gurzeev, CyCognito’s Co-founder and CEO, approached the question from a distinctly different perspective. Hackers and other malicious actors are looking for “the path of least resistance,” Rob explained, and companies often ignore this simple concept while spending millions on firewalls, endpoint protection, and other popular security products. In its worst form, this can amount to “Security Theater,” in which a company can feel satisfied it has made the necessary preparations without actually addressing a number of underlying blind spots that can be exploited. So, it’s critical to understand whether attackers can access your IT assets, whether those assets are on-premises or in cloud, partner, and third-party environments. Without seeing your entire attack surface, you cannot identify all of your risk or prioritize your critical gaps, while a hacker looking to break into your systems can and will find and exploit your blind spots.
Rishi Bhargava, Demisto’s Co-founder and VP of Marketing, took a more philosophical approach to the question. There are “two interpretations,” either “we are failing as an industry,” a position most would disagree with, or we have an incomplete picture of the world, and do not know the true impact of these cybersecurity systems. That is to say, we have no counterfactual, or no comparable reality in which less money was invested into cybersecurity. Who’s to say this non-existent reality wouldn’t have 10X the number of breaches and hacks? Additionally, Rishi expanded, “Attackers have to succeed only one time, while defenders have to succeed every time.” Another interesting point Rishi raised was that “more needs to happen” around law enforcement and regulation. He made an analogy to the physical world, in which doors are often left unlocked, and windows are hardly secure, yet crime and break-ins are infrequent in many communities. This, he posits, is likely due to the risk-reward perception among those considering committing crimes. In the physical world, the risk of being caught and prosecuted often outweighs the potential benefit.
In aggregate, these answers form a holistic explanation of why we see more headlines related to data breaches. To summarize:
- The world of today is starkly different from even 10 years ago, particularly when you consider the widespread presence of technology in our lives. There are exponentially more threat surfaces and vectors and thus opportunities for malicious actors.
- It’s easy to prioritize flashy or popular products that give the impression of security, without actually addressing critical vulnerabilities, leading to organizations with a false sense of security.
- We can’t realistically determine how much worse off we’d be without the investments into cybersecurity products. In all likelihood, they have been effective, but you’ll rarely see headlines about breaches that were prevented. Further, our laws and regulations need to evolve to better combat digital crime. This is particularly complex because the scale is global instead of local and has clear geopolitical implications.