By Connie Moore, Digital Clarity Group
February 6, 2017
I recently interviewed Juanita Koilpillai, a cybersecurity expert who is the CEO of Waverley Labs (a cybersecurity software and services firm) and co-founder of the Digital Risk Management (DRM) Institute (a nonprofit seeking to expand knowledge about cybersecurity risks). She identified two important, nascent trends for 2017:
• Cybersecurity collaboration. In forward-looking companies, the lines of business execs (LOBs), the chief risk officers (CROs), chief security officers (CSOs), and chief information officers (CIOs) will begin in 2017 to collaborate with each other, and also with chief marketing officers (CMOs) regarding how to mitigate cybersecurity risks that could seriously deteriorate customer trust.
• Software defined perimeter (SDP). A small but important number of large firms will begin shifting from fixed cybersecurity architectures to a safer and more flexible approach known as the software defined perimeter. This approach is more secure because it exposes far less to intruders than the architectures currently in use, but it needs to be considered carefully. Tighter security measures that safeguard customer information could also make it more difficult for customers to engage and interact with those firms. Finding the balance will be important.
The entire interview is well worth reading but here are some key excerpts:
Connie Moore: CMOs and customer experience leaders may be perplexed as to why we are tackling this subject, because it may seem so far afield from their usual focus. Juanita, do you encounter cybersecurity collaboration with the companies you work with?
Juanita Koilpillai: It’s still nascent for these disciplines to work together at the executive level. It was only in 2016 when executive boards got involved in looking at cybersecurity. That largely happened when people were fired over breaches in some organizations. More business and technology leaders are now at least trying to talk about how cybersecurity impacts the entire enterprise. Until now, [only] CIOs have [been] bubbling this topic up to the C-suite, so it’s a new conversation across the leadership in most organizations.
CM: How is cybersecurity related to CMOs?
JK: CMOs have a huge stake in whether their companies are hacked, because it exposes highly confidential data [such as sensitive medical information or private financial data]. This information has a huge exposure. The elevation of cyber to the C-suite will force the CMO to be a player in how the organization proceeds. This is one of the emerging trends for 2017 and beyond. It’s just like how social media changed the way CMOs approach their jobs. Elevating cyber is going to change the paradigm from a security/risk/technology conversation to a major business continuity issue that C-suite leaders must figure out.
CM: You’ve worked with companies that have gone into a panic after a breach and observed their steps. How do they react?
JK: The impact has been variable. For example, Northrop Grumman had no change to its stock price following a breach. Sony, however, was devastated by its high-profile security breach. It took two to three years for Sony’s stock to recover.
Legal teams have gotten a lot more involved, but it’s still new in most companies. It requires bold leadership to initiate cybersecurity discussions. Some industries are ready for it and some leaders are ready to initiate discussions, but some fields and industries are not yet ready. We are seeing a change. More law firms are getting involved in identifying responsibilities. We see companies beginning to identify what information they need to share externally with customers and with the financial community when a breach occurs. It’s important for organizations to determine how they are going to talk about it with the outside world and the community at large.
CM: How do you prevent breaches in the first place? I’ve heard that risk management and security management executives don’t even work together.
JK: That’s true. Security teams usually focus on cyber failures that happen online because they understand that universe well. In the past, risk officers have focused on financial risk. Risk officers need stronger technical backgrounds and better training so they can become more comfortable guiding organizations. The steps are: 1) assess your risk, and then 2) figure out how to reduce your exposure. This should happen before the organization is breached and it should drive the conversation. CIOs and security teams know how to focus on the more technical aspects of cybersecurity but don’t collaborate; they can do a much better job than how they work together today.
CM: Fears of a possible breach, not to mention an actual breach, can quickly shred customer trust and intimacy and lead to a major meltdown like the reaction that Sony experienced.
JK: Correct. There are many laws about privacy and you also need to know where data is traveling. One cloud vendor developed a local data store and appointed a firm that functions like a data trustee. The trustee will own the data and can prove that it hasn’t traveled to a specific country. This business model is going to be adopted fast in the healthcare industry; it must happen. There will be a legal framework that stipulates how it will work.
CM: I saw a press release about the software defined perimeter that grabbed my attention. What is the SDP and why is it an improvement over what organizations are currently doing?
JK: The SDP concept came about by mirroring the security approach used by the Department of Defense [DoD] and the National Security Agency [NSA] in the US government. DoD and intelligence agencies operate on a need-to-know basis, which means if you are cleared and have a need to know, then you can get information. Otherwise, you can’t get anything.
The other DoD concept factored into the software defined perimeter specification is that of fingerprinting devices. [The term “fingerprinting devices” refers to the collection of information about a remote computing device for the purpose of identifying that device.] Combining these two concepts – the need to know and [device] fingerprinting – became the basis for a new architecture known as SDP. The SDP maintains an access mechanism to control all the devices tied to users trying to access an organization’s infrastructure. SDP is specifically designed to handle the explosion of devices connecting to the internet.
The old paradigm [most organizations use] is to maintain a fixed perimeter with a firewall. With a fixed system, the organization has control over where or who its users are. That approach is changing now because customers and users want access from phones and laptops, which move around. The perimeter is no longer fixed, because users and devices could be here today and in Russia tomorrow.
The current idea of allowing people to get to your system and then authenticate is dangerous. With the software defined perimeter, if a user is connecting to a public infrastructure [using the internet or cloud] she must first authenticate her access [user name and device] to even get onto the public network. Secondly, the firm’s infrastructure – which in the old paradigm is very public – must be hidden so no one can see it. The software defined perimeter specification defines the idea of a dynamic firewall, which opens and closes to people coming in only if they have prior authentication to even access the firewall. Without prior validation, the user can’t get in. And the perimeter completely hides what is behind the firewall so that cyber criminals can’t even see the organization’s infrastructure – it’s completely invisible. The firewall opens up only to people coming in, and then closes. [See the full interview for a diagram of SDPs compared to current architectures.]
These are the two key protections provided by the software defined perimeter:
1) Authenticates users before they connect to or even see the organization’s infrastructure.
2) Authenticates devices before they connect to or even see the organization’s infrastructure.
Essentially, what you can’t see, you can’t hack.
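To make the two checks concrete, here is an added Python sketch of a default-deny SDP-style gateway; it is not code from the interview, from Waverley Labs, or from any SDP specification. The user table, device fingerprints, shared secret and 30-second grant window are constructed for the demo, and real deployments would use per-user keys and real packet filtering rather than an in-memory dictionary.

```python
import hmac
import hashlib
import time

# Constructed demo values (not from the interview or any real deployment).
SECRET = b"demo-shared-secret"      # a real gateway would hold per-user keys
AUTHORIZED = {                      # need-to-know: user -> enrolled device fingerprints
    "alice": {"fp-laptop-01", "fp-phone-07"},
}
GRANT_TTL = 30                      # seconds a pinhole stays open after authorization


class SdpGateway:
    """Dynamic firewall in the SDP style: everything is dropped until a
    user AND an enrolled device have authenticated; then a short-lived
    rule opens for that pair only, and it closes again on expiry."""

    def __init__(self):
        self.open_rules = {}        # (user, fingerprint) -> expiry timestamp

    def _tag(self, user, fingerprint, ts):
        # Authorization tag binding user, device and time (HMAC-SHA256).
        msg = f"{user}|{fingerprint}|{ts}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def handle_packet(self, src, now=None):
        """Ordinary traffic: 'ALLOW' only for an open, unexpired rule,
        otherwise 'DROP' with no reply, so the infrastructure stays invisible."""
        now = time.time() if now is None else now
        exp = self.open_rules.get(src)
        if exp is None or now > exp:
            self.open_rules.pop(src, None)      # expired rule is closed
            return "DROP"
        return "ALLOW"

    def authorize(self, user, fingerprint, ts, tag, now=None):
        """Authorization request: both checks from the interview must pass
        (known user, enrolled device) and the tag must verify. Every
        failure is a silent 'DROP'; a probe learns nothing either way."""
        now = time.time() if now is None else now
        if abs(now - ts) > 60:                  # stale or replayed request
            return "DROP"
        if fingerprint not in AUTHORIZED.get(user, set()):
            return "DROP"                       # unknown user or unenrolled device
        if not hmac.compare_digest(tag, self._tag(user, fingerprint, ts)):
            return "DROP"
        self.open_rules[(user, fingerprint)] = now + GRANT_TTL
        return "OPEN"
```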
* * *
This interview underscores the importance of CMOs and other customer experience leaders taking immediate steps to get involved in cybersecurity planning and measures. The threat to customer information is pervasive, and a breach would put an organization at high risk. Threats range from disgruntled, score-settling employees and identity thieves to sophisticated hackers, corporate espionage spies, and foreign government spies. The risk to customer information and longstanding customer loyalty cannot be overstated.
The most immediate action customer experience leaders can take is to reach out to CROs, CSOs, and CIOs to start a conversation and begin collaborating internally on this topic. Then, focus on:
- Taking safeguards that protect customers, starting with never requiring or requesting the customer’s Social Security Number (SSN). (This can be difficult in some industries, such as health care.)
- Encrypting customer data and enforcing limited access to this customer data using strict controls.
- Proactively providing guidance to customers about how they can best protect their information, including encrypting their devices.
- Regularly forcing password changes, and requiring an 8-12 character combination of special characters, numbers, and letters. Another precaution is having all teleworkers change their router passwords daily or weekly if the device is used for work purposes.
- Applying the same rigor that financial services companies apply, even if you are in a different industry.
- Safeguarding hard copy information and minimizing or eliminating the amount of sensitive customer information collected and sent through the mail.
For the full report, see Customer Experience Leaders Must Step Up to the Cybersecurity Challenge.