On this week’s SecurityIntelligence podcast, our intrepid hosts connect with Dr. Larry Ponemon, founder of the Ponemon Institute, and dive into the research firm’s fourth annual study on “The Cyber Resilient Organization.” What makes an organization cyber resilient? What’s holding them back? And most importantly, how can they make the shift from reactive IT security to reliable, resilient response?
The Role of Cyber Resilience
Dr. Ponemon puts it simply: “Cyber resilience refers to an enterprise’s capacity to maintain its core purpose and integrity in the wake of or in the face of cyberattacks.” In practice, this means the ability to prevent, detect, contain and recover from threats against both data applications and IT infrastructure.
At scale, Dr. Ponemon describes it as “a concept that’s bigger than, say, security or a security posture.” Instead, it’s a holistic approach to cybersecurity that accounts for both the typically measured, tangible aspects of information security (e.g., app security, infrastructure defense) and the enterprise intangibles (e.g., end users and employee perceptions) to drive the development of security-as-a-culture.
Current Conditions Are Improving
As Dr. Ponemon notes, enterprises are seeing “constant progression” across security technologies, personnel and policies. Part of this positive shift stems from increased non-IT C-suite recognition that cyber resilience is key to business success.
“The trend is that leaders within the organization are more involved, have a more realistic view of their organization’s security posture and understand the potential risk factors associated with not having an ample level of resilience,” said Dr. Ponemon.
It’s also worth noting that technology and C-suite buy-in alone aren’t enough: Cultural support is critical to ensure everyone — from front-line users to middle managers to executives — is on board.
Hammers and Nails
Organizations have become increasingly adept at finding what Dr. Ponemon calls “point solutions,” but lack the ability to implement enterprise-wide security solutions. Implementing cyber resilience strategies means developing a kind of self-awareness that empowers businesses to both identify problems and prioritize the development of a cyber resilient culture.
Solutions such as automation and artificial intelligence offer potential benefits here: As noted by the Ponemon study, organizations that extensively use automation (just 23 percent) reported significant improvements in how they prevent, detect, respond to and contain cyberattacks.
But tools alone aren’t enough — in fact, many enterprises now struggle with tool overload. This often creates a “hammer” problem: While almost any security tool can be used to bludgeon issues into some semblance of security, enterprises must find best-fit solutions to both maximize resource use and streamline infosec operations. In other words, a cyber resilient culture isn’t about adopting more tools, more quickly — it’s about creating an open and honest security culture and then deploying tools that empower organizational efforts.
Start Strong With Vigilance and Visibility
How do enterprises get started on the road to cyber resilience? According to Dr. Ponemon, it starts with vigilance and visibility. The ability to monitor, observe and respond to core business and technology processes allows organizations to both identify best-fit IT tools and prioritize their responses.
Combined with a security culture focused on transparency and underwritten by C-suite buy-in, organizations will be better equipped to reduce complexity and empower cyber resilience.
Pam: What does it take to be cyber resilient? And how do you know if you’re actually doing it right? According to the 2019 Study on the Cyber Resilient Organization, companies with high resilience have fewer data breaches and business disruptions. David and I want to dig into this promise of fewer business disruptions. So I’m curious, how can a strong security posture free you to transform your business?
David: A strong security posture means you’ve controlled bad risks so you can take good risks. A bad risk might be relying on your team to manually respond to an incident. There’s a lot of variables that need to be done in the right order and very quickly.
So, from an operations standpoint, if you remove that risk through something like automation, it gives you the option to take risk elsewhere, and that risk can be a good risk. It has a high potential for reward. So, if you have a high security posture or a strong security posture, that’s going to free you up to transform your business.
Pam: In this episode, we explored more findings of this report with the help of Dr. Larry Ponemon, the founder of the Ponemon Institute. This is the fourth year the Ponemon Institute has conducted the study. Trends from the report showed that automation and support from leadership across the organization are both drivers for resilience.
Pam: This is the SecurityIntelligence podcast, where we discuss cybersecurity industry analysis, tips, and success stories. I’m Pam Cobb.
David: And I’m David Moulton. Last year, Larry went behind the scenes of another report on the podcast, the 2018 Cost of a Data Breach Study. Definitely recommend giving that episode a listen if you wanna learn more about corporate data breaches.
Pam: But for now, let’s turn our attention to the current state of cyber resilience in our conversation with Dr. Larry Ponemon.
David: Thank you for joining us today. We always love hearing from you on the show. Can you start off by introducing yourself?
Larry: My name is Larry Ponemon, and I’m the chairman and founder of Ponemon Institute. We are a research company focused on data protection, privacy, cybersecurity, and other related topics. We’ve been in existence for almost 20 years, and I’ve been in the field of computer security and privacy for about 46 years. So, that makes me ancient. I’m glad to be here in today’s call.
Pam: Well, we’re glad too that you’re here, Larry. So, we’re going to dive into some of the new findings from a report you’ve recently published called the 2019 study on the cyber resilient organization. So, before we do that, how do you define cyber resilience?
Larry: Well, in general, at a high level, cyber resilience refers to an enterprise’s capacity to maintain its core purpose and integrity in the wake of or in the face of cyberattacks. So, therefore, a cyber resilient enterprise is one that can prevent, detect, contain, and recover from a myriad of serious threats against data applications and IT infrastructure.
So, basically, it’s kind of a concept that’s bigger than, say, security or a security posture. It basically takes all of those concepts and does more with it, allowing the organization to survive these negative events that seem to occur on a regular basis.
David: This is the fourth installation of a cyber resilience report. What are some of the key trends you’re seeing year over year?
Larry: Well, on a positive side, we’ve been seeing constant progression. You know, basically, organizations are getting better, developing better security protocols, basically implementing technologies and ways that will lead to greater efficiency and effectiveness. It also is the ability to hire and retain key people who have the skills to manage cybersecurity and other related aspects of the organization. So the trend is, or the three top things that we look at is, you know, technology, personnel, and also policies and procedures that are implemented throughout the organization.
David: Larry, it’s great to hear that there are some positives. What do you think is driving that kind of a change?
Larry: Well, a whole bunch of things. Number one, I think organizations are getting better at security. They’re implementing these new technologies in ways that are more efficient and effective, which is very important. But I also think organizations at the senior level, the non-IT C-level executive recognize the importance of cyber resilience.
You know, a couple of years ago, maybe like five or more than five years ago, you talk to the CMO of an organization about security and they would have that glazy-eyed look. They would say, “Well, you know, I’m not into that stuff. It’s not important, your job, Mr. IT or Ms. IT security practitioner.” But we see over time that senior-level executives find security-related issues as essential, you know, the ability to manage these issues, essential to the organization.
So I think the trend is that leaders within the organization are more involved, kind of have a more realistic view of their organization’s security posture, and understand the potential risk factors associated with not having an ample level of resilience.
Pam: With this, Larry, is there a trend in this report from this year that surprised you the most?
Larry: Well, you know, there were a couple of, I think, important trends. The ones that I think are most important to me is this continuous improvement. The number of questions that we’ve been tracking for, now four years, basically, there’s evidence that suggests that we’re making small, not exactly baby steps, but, you know, small steps in the right direction consistently across the enterprise. So I think it’s not a surprise, but it’s definitely an important finding.
I think another finding is that technology has its role, but just having strong technology alone doesn’t get you to the A-level. If you wanna play at the A-level, you have to make sure you have an entire process, an ecosystem that’s focused on cyber resilience, and organizations that do that, you know, really enjoy the benefits of greater efficiency and effectiveness.
David: Over the course of the four years, where have you seen organizations continue to face challenges?
Larry: Well, a number of places. You know, obviously, there’s good and bad in everything, and, you know, it’s just shades of good and shades of bad. But where organizations seem to be lacking is coming up with enterprise-wide solutions rather than focusing on point solutions, you know, dealing with problems proactively versus waiting for the problem to happen and get worse. And then you could identify it and quickly respond to the problem.
So we think a lot of organizations are still, and not all organizations, but many organizations are not as deliberative, not doing all that they could do proactively to prevent problems from, you know, anything, application or the data layer or even the network layer of the IT infrastructure. Another issue, of course, is you want organizations to have a culture for privacy and security.
And a lot of organizations are in the stage of building, but they’re not mature enough, you know, they’re not able to play the A-level because their culture is not supportive of cyber resilience. But things are getting better as I mentioned before. So, it’s give and take.
Pam: What are some of the steps that companies can take to tackle those challenges?
Larry: I think the main issue is awareness. At the beginning stage, you need to be aware of your cyber resilience or lack of cyber resilience. So, that means that you need to develop some kind of assessment process that you can actually identify where cyber resilience is lacking and steps to take to prioritize remediation and containment of problems.
Organizations that are more self-aware are much more likely to have a successful cyber resilience process. And we look at resilience, not as an outcome, but more of a process orientation. You know, for example, as a stretch target, no organization is perfectly resilient, but obviously, there are shades of gray, and the idea is to move from the black to the white light, you know, the positive versus negative.
But I think a lot of organizations have had a difficult problem on the cultural side, changing attitudes and beliefs of, especially, non-IT executives. But many organizations have come a long way in that regard, as I mentioned before. So it’s, again, just degrees to which organizations are focused on these issues and helping their organizations achieve the right level of resilience.
David: How can organizations help build and promote an honest culture?
Larry: An honest culture, I think, is an open culture, the ability to express problems and issues that exist within the organization and to be able to communicate upward, you know, up-chain communication, getting the CEO and other C-level executives to understand the problem, again, before it becomes worse or a bigger problem.
The ability to free-flow communication to the very top of the organization, as well as to the board, is a way of establishing accountability. Organizations that are more open, have an open culture are more likely to do that, to keep their C-level executives across the board, not just in IT and IT security well-informed about cyber resilience-related issues.
Pam: So I want to call back to a point you made earlier about automation, and can you give us an example of what a highly-automated organization looks like?
Larry: Right. So, you know, the concept of automation is changing. Obviously, I’m an old guy, so I remember automation as a computer or a laptop. Computer, my God, that is advanced technology. But right now, we think of automation as having components like machine learning, artificial intelligence, perhaps, orchestration capabilities. It’s kind of a broad concept that says that you’re going to have people making choices, decisions, executing what they believe would be appropriate practices to achieve a high level of cybersecurity and cyber resilience.
But the key variable is that the technologies we have, the automation allows the individual to be smarter, you know, be more deliberate, have better information, have more actionable intelligence so that they can act in ways that are more effective for the organization. You can reduce false positives and false negatives. All of those good things happen when you have people working with enabling technologies.
Technology alone doesn’t cut it, right. I mean, you could have the greatest technologies, but poorly implemented technologies and you have just a mess on your hands. But the reality is that, you know, you don’t have to have a mess on your hands, but you could end up with a good quality outcome even when you’re not fully automated. But automation does make a big difference.
David: Larry, you’ve just touched on a lot of the benefits of automation, and I’m wondering, how do those who implement differ from those who don’t?
Larry: The issue about implementing automation technologies is, to do it right, you need to have a broad picture of the organization. Before you even think about automation or any of these advanced activities, you need to think about IT security governance, governance within data protection, privacy, information security, cybersecurity, and more.
The idea is that, to be a digital organization, you have to do a whole bunch of things in order to have an actual outcome. And in our experience, organizations that are, you know, leading-edge, keeping an open mind, having a culture for security, and all the governance-related activities in place will basically see more success in their cyber resilience program.
David: Reading through your report, I saw that less than half of the organizations that use automation extensively reported a data breach, and it seemed something like 55 percent of the overall sample reported a data breach. That was a pretty good difference, that 7 percent. Did you see any evidence that automation helps lead to those better outcomes to that security hygiene?
Larry: Yeah, good question, David. Basically, we find that organizations that are truly resilient enjoy the benefits of fewer data breaches, fewer cyber exploits that actually infiltrate the system. It’s more resilient to bad things. Bad things happen no matter what you do, but you’re more proactive in dealing with these issues in advance of the problem getting worse.
So, again, it’s all about having a process in place that allows you to properly identify, discover, after you discover, to be able to investigate fully, and the ability, ultimately, to contain the problem so that you’re not dealing with the issue over and over and over again. Technology, again, plays an important part of that, but again, it goes back to culture, having governance, process, a structure in place to allow the organization to operate across the board, not just pockets of resilience. But a fully-resilient organization from head to toe is what normally is the most beneficial aspect to all of these activities.
Pam: So we know that automation is beneficial in terms of heading off things like data breaches. Is there a way to put a value on automation? Maybe talking about it from the point of view of operations, is there a cost in hours for a team to do manual work, or is there some savings that comes from avoiding damage?
Larry: There are ways to analyze the cost issues. Not to self-promote but we do a project with IBM every year on the cost of data breach, and it’s basically something. It’s capstone research that we’ve been doing for 15 years now, and what we find is that organizations that are basically doing all of these wonderful things from a technology and staffing and all these other activities, doing all of the right things, do enjoy a benefit.
And one number that I’m going to share with you that’s in the cost of data breach study, not in the resilience study, is it’s on average about $2.9 million of incremental savings by automating. Even if you’re not using AI, but machine learning and orchestration, and so forth, companies that implement the technology seem to enjoy an ROI that’s pretty significant.
David: That’s amazing. So, Larry, where is that saved money going? You know, we’re seeing this rapid scale of digital transformation. Is the money going back to shareholders, maybe investment in people and training?
Larry: Yeah, I think it’s being… well, it could go to a whole bunch of places. But my guess is that the benefit is enjoyed primarily by the IT security function maybe within the IT organization, because what it’s, in essence, allowing organizations to do is operate from a more effective position by virtue of having all of these process technology activities in place.
So the benefactor, I should say, from all of this, it would be the IT organization, as well as other organizations that participate, for example, in the privacy work. There is an input from IT, of course, but also from compliance and even the law department, they would be the beneficiary of all of this good stuff. But again, it’s not just going to one place in the organization. It’s being reinvested across the board.
David: And certainly, if they don’t have to have the cost of a data breach or some other cyber incident paid for and whatnot, then those operations in the rest of the business can continue to go rather than trying to gobble money to notify people or clean up malware, those types of things that really slow an organization down.
Larry: Exactly. You know, the real cost of a data breach is not the couple million dollars that we report, but it’s the brand diminishment. The reputation of an organization could be worth hundreds of millions or even billions of dollars. The real benefit is an organization that doesn’t have to deal with these problems or deal with these problems early on so they’re not…it can be, like, really bigger, big messy problems, or definitely enjoying a greater benefit, and therefore, having more residual dollars to invest in new and emerging technology.
Pam: So, one of the things that we’ve seen in this year’s cyber resilience study that we’ve seen in past cost of data breach reports have been a component that really explores regional trends. So, do you have any idea why Germany is outpacing other countries in many areas related to cyber resilience? Is it regulation, culture, technology? Any thoughts?
Larry: Germany is an interesting case study. We’ve been analyzing IT security practices of corporations, organizations, including governmental organizations, for many years. And consistently, we find German organizations are much more focused on compliance activities, making sure that their business process is, in fact, secure, relying on people and employee integrity to make the right choices. I think part of it is that it’s a culture. Germany has a culture for privacy and data protection, perhaps following with the issues of World War II. But people in Germany just see more benefit and see the necessity of having strong security protocols in place and, therefore, you know, value cyber resilience at a higher level than, you know, companies in other countries.
And again, I’m generalizing because it’s not exactly true in every place, in every facet of cyber resilience, Germany is the leading-edge, but it definitely seems that Germany is kind of a real positive case study for cyber resilience and cybersecurity generally. And again, it goes back not only to the technologies that German companies have but an orientation, a culture for privacy and data protection. It doesn’t exist in many countries.
David: In the near term, or maybe next year’s report, what does the future of cyber resilience look like?
Larry: Well, my gut tells me that automation will become even more powerful, more important to organizations and their ability to create a cyber resilient organization. I think artificial intelligence is kind of an early stage but will be deployed to make the information available to cybersecurity experts, and people who do security make them smarter, give them a greater ability to manage the risk associated with cyber resilience, to be more proactive in dealing with these problems.
I think that we’re going to see continued improvement. It may be a slow go, because as we’re improving, the bad guys are getting worse. So, you know, you have to kind of think about the net effect. But my guess is that cyber resilience will continue to be a very important concept for organizations for a long time to come.
Pam: So, is there anything that we haven’t asked specifically about the report that you wanna make sure that our listeners take away?
Larry: Well, I think the most important thing that I probably didn’t discuss is the whole issue of complexity when you actually report this in the report. It’s probably back to the question, you know, what are the three or four most important findings. What we find is that organizations that aren’t cyber resilient, but they’re still making huge investments in security without touching the cultural and personnel-related issues, are missing the boat.
And what we find is that it’d actually been where, by spending more you actually create more complexity, and complexity could be the enemy of security. In other words, having too many things to deal with, too many point solutions, not having one strategic approach but having many tactical approaches could actually create an environment that prevents an organization from becoming resilient. It kinda works the other way. It’s like a kid in a candy store. The first bite of candy tastes really good, but, you know, you just have unlimited access to candy. When you eat it all, you’re probably gonna get sick. And complexity is a little bit like that in the security world.
David: Yeah, the law of diminishing returns.
Larry: That’s true.
David: Every technical challenge needs a tool, but eventually, you have too many tools.
Larry: Too many tools.
Pam: Well, I’d love to juxtapose that with the idea that, inside, every tool is a hammer.
Larry: That’s right.
Pam: And that you can bludgeon a problem with anything, and it comes down to the organization figuring out what they need to implement. So you did talk a little bit about some of the first steps people could take towards cyber resilience. In terms of tools or processes or programs that should be implemented, any ideas?
Larry: Well, I’m a big believer in cyber intelligence technologies. So SIEM would fall into that category, also IDS, IPS, things that integrate well to give the full picture. Because, you know, good security these days requires a level of vigilance and visibility to the core process, business and technology process.
And so, tools that help you understand where the vulnerabilities are and where the problems might exist from a risk perspective, and also the ability to prioritize. Because, you know, the reality is you might get thousands of alerts every day, and it’s a large organization. You can’t manage…you can’t look at everything. So, having the ability, the intelligence to make the right choices becomes very important.
David: It seems to me that a lot of AI is incredibly local, right, to the tool, to the organization, and it doesn’t tend to look across the datasets from other tools. And it certainly isn’t at a point where we’re seeing a lot of AI data combined across different industries to find new insights. And you mentioned that maybe we’re early days in AI.
Do you expect that as we’re able to combine the different aspects of artificial intelligence from different tools in different datasets and that broader context that that will be a transformative moment for security?
Larry: Great question. And my belief is you’re right. Today, the artificial intelligence technologies are a point solution and certainly not doing all that we need to do to kinda create more of an ecosystem that is, you know, with artificial intelligence kind of baked into different parts of our ecosystem for security. I think what we’re going to have to do to stay ahead of the bad guy is make sure that our technologies are AI technologies that can be integrated across different platforms.
So, for example, what you do in IPS or IDS would be consistent with what you do with the rules they might build into your SIEM. Your network intelligence technologies would inform both the application and data layer, you know, making sure that these technologies are not just operating in a vacuum or a silo, so making sure that they’re integrated across the board becomes really very important. And very challenging—not too many organizations have the ability to do that level of integration, but I think it’s a necessity to get full value out of your artificial intelligence technologies and platforms.
David: And then, if you think about it, it starts to get to the point of being able to protect your AI datasets, your core business from attacks, from other AI. It’s a very interesting topic. But it seems to me that those organizations that are highly cyber resilient will be able to more effectively protect their dataset and, therefore, their AI, as that reduces the ability for an attacker to be successful.
Larry: Exactly right. Nicely said.
David: All right. Well, those are the questions that we have today. Larry, thank you so much for joining us on the SecurityIntelligence podcast. For a bit of a preview on your new report, I know those out there that look forward to all the work that you do are gonna enjoy the 2019 study on cyber resilient organizations, and we’ll continue to look forward to having you on the show.
Larry: And I look forward to doing it again and again. It’s a lot of fun.
Pam: A thread has started to emerge in a couple of our conversations here on the podcast, that security isn’t solely a consideration of the IT department. What did you make of the finding that organizations with awareness from non-IT executives have stronger security postures, David?
David: I think that’s something that we’ve known here at IBM for a while, that security is a team sport. And that can mean your vendors are working with you, that can mean that you’re working with others in the industry, and it certainly means that you need to be working with the rest of your business to secure your business.
Pam: Well, and I think the idea of a team sport implies that there’s different positions to be played as well. So, clearly, there’s leaders, there are defenders, there are people that are actually trying to make the shot and bring everything home if we’re going to use a very bad sports ball analogy.
David: Sports ball.
Pam: I know, I am not a sports ball person by trade, as may be obvious from this discussion right here.
David: Well, I played sports ball in college, and you’re absolutely right. You’ve gotta know what your role is and you’ve gotta have a good awareness. If you go back and look at my background, I played a little bit of football, and if you have anyone on your team, defense or offense, that isn’t aware of what the play is and what they’re supposed to be doing, it can result in some, say, some running after the game from upset coaches.
And security, it maybe is a little different. It’s upset customers, some disappointment in the risk you can’t take to grow your business. So it’s encouraging to think that the highest performing companies in the survey or in the work Larry did actually have a broad level of awareness across their organization for security issues.
Pam: Absolutely. And I think you can even expand that analogy into my background when doing drills for high school band during the halftime show.
Pam: Because I “played” a flag. And I think knowing that position and where exactly you have to thread that needle so you’re not stepping on the toes of the clarinet player, literally, is something that we continue to have conversations about here in cybersecurity.
David: When thinking about how to assess the current industry landscape, I thought, “What better way than to turn to the report itself.” Were you encouraged by the trends from the report?
Pam: I was. I think we continue to see improvement across organizations, and we continue to see results and, you know, some of the statistics that we quoted with the companies that are high performers in cyber resilience experienced fewer repercussions or even fewer data breaches themselves.
And I really love the expansion into the geographic focus, the conversation that we had around Germany and their culture and how that can be applied into other parts of the world as well as other industries, I think, is really an important conversation to keep having.
David: Indeed. Yeah, I thought the results from Germany were particularly encouraging, and it shows that culture really matters, and I think that culture is one of the things that any organization can focus itself on to develop the culture, the practices, and build their security hygiene so that they become those cyber-resilient organizations.
Pam: And that’s definitely something that happens outside more than just the IT organization.
David: Yeah, absolutely. And that’s a wrap. Thanks to Larry Ponemon for joining us as a guest.
Pam: You can listen and subscribe to the SecurityIntelligence podcast on iTunes, Spotify, SoundCloud, Google Podcasts or Stitcher. For more security stories, visit SecurityIntelligence.com or follow IBM Security on Twitter and LinkedIn. Thanks for listening.