[Applause]

This is my credit card, and somebody, I'm not letting you see the numbers of course, somebody stole it. And it's really frustrating, because I never had it lying around; I never lost possession of this physical card. But as we all know, all it takes these days is for someone to get access to the credit card numbers, and then they can go on a shopping spree, and they went on a shopping spree. Has this happened to you? Okay, I'm seeing that it has. We're not alone. Mine happened in 2014, and that year there were 17 million victims of identity theft in the US alone.

How about the letter? Have you received the letter saying that your personal information was part of a data breach? And again, I see you have that too. I got that too. And these data breaches: in a data breach, confidential and sensitive information is made available to, and accessible by, people who shouldn't have access to it. Obviously identity theft and data breaches are related, because the data that's being breached could easily be credit card numbers, but it could also be Social Security numbers, it could be health records, it could be emails, or it could be the blueprints for an advanced military fighter jet. And again we're not alone. Gemalto is a company that studies this, and in 2015 they reported that there were 700 million data records breached worldwide.

We hear news about data breaches, it seems, all the time, and I think it's lulled us into a kind of sense of complacency about them. So much so that they're saying now there are two kinds of organizations in the world: those that have already had a data breach and those that will in the future. And there's no question, every organization is vulnerable. But when it gets to this point where it's kind of a slogan, it becomes a built-in excuse. So the next time we have a data breach, a company will say, "We apologize for the data breach, but you know what they say, there's two kinds of organizations in the world," and so on. So it conveys a sense of inevitability and hopelessness. I don't buy it for a second. I'm not naive, but I am impatient. I work in this field; it's not hopeless. There are things we can do.

So I'm a computer scientist and professor in a business school at a university, and I operate in these two worlds of business and technology. So here's what I'd like to do: I'd like to explore these two worlds to see what can be done to reduce the frequency and impact of data breaches, by exploring these two worlds and especially the territory between them.

When I work in these two worlds, often it's really quite distinct; it's like context switching. It's sort of like: give lectures during the week and code on weekends. And the two worlds have their own characteristics. When you think of the business world, it's really about business matters. The business world is about strategy and vision and mission and operations and costs, and operations and more operations, and revenues and profits. And then there's the cybersecurity technology world, and when I think of that world, what comes to mind is more like a solitary coder, and the kind of images there are more about pocket protectors (I have my pocket protector), and it's more about empty pizza boxes and so on.

So what I thought I'd do, to kind of put these two worlds in stark contrast, is come up with some images that try to capture the distinction between these two worlds. For the business world, I get a chance to work with terrific business students. They're ambitious and upbeat and positive, and it's all about collaboration and teamwork. So here's the image I'd like us to keep in mind for the world of business. And to represent the technology world, and that's where cybersecurity is, for that I think of sort of the iconic computer tech person, the kind of techie you tolerate, and for that I use an image from the film Jurassic Park: the kind of iconic computer tech person, representing the technology. So not only is he a tech person, but actually he's a computer hacker in the film. Now today we'd call him a malicious insider. Even the last name of this character, Dennis Nedry: the last name Nedry is an anagram for nerdy. So you see, I absolutely had to include him.

So we have these two images, but what's really going on in these worlds is also quite different. In the business world they're concerned with operations and profits and revenues and so on, but when there's a data breach, we think of that as being confined to the technology world. So when something bad happens like a data breach, the worst that can happen would be maybe that the chief information officer, the CIO, might get fired. But then something happened in 2013, and that was the data breach at Target. Retailers like Target are looking for holiday shopping at the end of the year for a big boost in revenue, and in the fourth quarter of 2013, profits at Target fell 46 percent. So I'm talking about profits; that's something from the business side, and 46 percent is a pretty big number. So sure enough, it was a data breach, and the CIO did resign, but we're talking about profits, so it turns out the CEO also left the company. Well, when CEOs leave the company, that tends to get the attention of other CEOs, and right away in 2014 we had really massive data breaches at Home Depot, eBay, JP Morgan Chase, the federal government's Office of Personnel Management, and Sony Entertainment.

So I have one more image for you, and it's from the business side: it's company executives. These are the executives at Sony Entertainment. The CEO is in the middle, and here they're apologizing for the PlayStation Network breach, which affected 77 million accounts. This image is riveting. Any thought that cybersecurity would keep its realm in the technology world is gone. This image more than anything says that cybersecurity means business. So how big a business issue is it for companies? Two blocks from here is the Center for Strategic and International Studies. They estimated the worldwide annual cost of cybercrime at over 445 billion dollars.

So here's where we are in our exploration: we've established that data breaches have a huge negative impact on people, on companies, and on the global economy. So the question is, what can we do about it? One starting point may be to look at what business knows about cybersecurity: how do they learn about it? And there's research from PricewaterhouseCoopers. It says boards of directors hear about cybersecurity: 26% of them hear about it once a year, and there's another 28% that hear about it not at all. So given what we talked about with data breaches, is hearing about cybersecurity once a year, or not at all, really sufficient? And when they do hear about cybersecurity, what do we know? Well, it turns out that board members say it's too technical. They don't understand the cybersecurity data or reports; they want understandable language that doesn't require them to be cybersecurity experts. So here's a way to proceed: learn from this research and try to find more effective ways to deal with it.

It turns out there's a window of opportunity, because there is increased attention at the board level to risk, and in fact sometimes it leads to dedicated risk committees. Some of this in the U.S. is mandated. So for example, a Georgia Tech study showed that in 2008, 8% of boards had dedicated risk committees, and by 2015, 53% of boards had risk committees. So this is an opportunity. Now these risk committees have a lot to consider. They're concerned with global economic conditions, with reputational risk, legal and regulatory compliance, financial risks, market risk, liquidity risk, credit risk, and increasingly cybersecurity is on the list. But cybersecurity stands out: it's still tied to specialized technical information, and it's really not of the same kind. So here's a recommendation: recast cybersecurity as digital risk. And I say this not out of a sense of euphemism or a simple name change; it actually really gets at the origin and essence of this entire field.

Cybersecurity is evocative of looking outward, to online communication and the Internet. Cybersecurity is about security in cyberspace. William Gibson, a brilliant science fiction writer, coined the term cyberspace in the 1980s. He was inspired by seeing kids play those early arcade video games so energetically that, as Gibson said, it was as if they wanted to reach right through the screen to the space beyond. Cyberspace: this is a realm of virtual experience created by the Internet and public and private networks. And all the words after cyber these days are evocative of this orientation to external networks. So Cyber Monday is about online shopping, and increasingly these days the words after cyber are around a theme like cyber-rattling and cyber threat and cyber attack, but in all cases it's oriented to external networks.

But what does the research say about this? If we go back to the 700 million data records that were breached, it turns out 37 percent of them were because of accidents. So it's not intentional, not a cyberattack; nobody hacked anybody else. I'm talking about human error: it's employees not following policies and procedures, lack of expertise interacting with websites and applications. And this is not about blaming employees. It is about recognizing a need for companies to get greater employee engagement so these policies are realistic, and it is about more training, more education, and more redesign of interfaces and software applications. So that's what's really needed.

Here's a specific example. Last year a clinic in London used email to send out a newsletter, and this newsletter goes to subscribers of a service where HIV patients can get their test results. And the individual composing the email placed all 781 email addresses not in the BCC field but in the To field. So this meant that every recipient of the email could see the email addresses of all of the other HIV patients, and in most cases the full names as well. So yes, there is terrorism, but there's also errorism. And digital risk does a better job of being more comprehensive about it.
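The clinic's mistake is exactly the kind of error the "redesign of interfaces and software applications" remedy is aimed at: the mailing software can refuse to send a subscriber list that sits in the visible To: field. The following Python is an added example, not code from the talk or from the clinic; the one-visible-recipient threshold, the RecordingTransport stand-in for an SMTP client, and the sample addresses are assumptions constructed for illustration.

```python
"""
Pre-send disclosure check for bulk mailings: a newsletter whose subscriber list
was typed into the visible To: field instead of Bcc: is caught before it leaves.

Added example, not code from the talk or the clinic. The recipient threshold, the
RecordingTransport stand-in for an SMTP client, and the addresses are assumptions.
"""
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data (not real addresses).
SENDER = "results-newsletter@example.invalid"
SUBSCRIBERS = [f"patient{i}@example.invalid" for i in range(1, 6)]

# Policy assumption: more than one visible recipient means this is a bulk mailing,
# and a bulk mailing must carry its recipients in Bcc: only.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see: everything in To: and Cc:."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def hidden_recipients(msg: EmailMessage) -> list[str]:
    """Addresses in Bcc:, which belong on the SMTP envelope, never in the headers."""
    return [addr for _, addr in getaddresses(msg.get_all("Bcc", [])) if addr]


def check_disclosure(msg: EmailMessage) -> list[str]:
    """Return policy violations; an empty list means the message is safe to send."""
    problems = []
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        problems.append(
            f"{len(visible)} recipients are visible in To:/Cc:; "
            "a mailing to a subscriber list must put them in Bcc:"
        )
    return problems


def build_newsletter(subject: str, body: str, subscribers: list[str],
                     sender: str = SENDER, safe: bool = True) -> EmailMessage:
    """Compose the mailing. safe=True is the correct layout (list in Bcc:, the
    sender's own address as the only visible To:); safe=False reproduces the
    mistake from the talk so the check has something to catch."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if safe:
        msg["To"] = sender
        msg["Bcc"] = ", ".join(subscribers)
    else:
        msg["To"] = ", ".join(subscribers)
    return msg


class RecordingTransport:
    """Stand-in for an SMTP client: records (sender, envelope recipients, raw bytes)."""
    def __init__(self):
        self.sent = []

    def __call__(self, sender, recipients, raw):
        self.sent.append((sender, list(recipients), raw))


def deliver(msg: EmailMessage, transport) -> tuple[bool, list[str]]:
    """Hand the message to the transport only if the check passes.

    Bcc: is stripped from a copy before serialization (the same thing
    smtplib.send_message does) and used solely as envelope recipients, so the
    bytes on the wire never list the subscribers.
    """
    problems = check_disclosure(msg)
    if problems:
        return False, problems
    envelope = visible_recipients(msg) + hidden_recipients(msg)
    outgoing = copy.copy(msg)   # __delitem__ rebinds the header list, original untouched
    del outgoing["Bcc"]
    transport(str(msg["From"]), envelope, outgoing.as_bytes())
    return True, []


if __name__ == "__main__":
    transport = RecordingTransport()
    for safe in (False, True):
        msg = build_newsletter("Your results are available", "Log in to view them.",
                               SUBSCRIBERS, safe=safe)
        ok, problems = deliver(msg, transport)
        print("Bcc: layout" if safe else "To: layout", "->", "sent" if ok else problems)
```

The check lives in the send path rather than in a training slide, which is the point of the "redesign of interfaces" remedy: the composer can still make the mistake, but the software does not let it reach 781 inboxes.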
Companies may not suffer losses from cyber attacks every day, but I guarantee you, every day employees are sending and storing and processing data, and it's all this digital data that can be breached. With this balance of attention both internally and externally, digital risk is a much better term. It's really echoing strategy from 2,500 years ago in The Art of War: "If you know the enemy and know yourself, you need not fear the results of a hundred battles." The current cybersecurity climate is oriented to knowing the enemy, external threats, and they are severe; there's no question about it. But digital risk gives much better and much needed attention internally: knowing yourself as a company. Digital risk is the right term at the right time. It's more indicative of all sources of risk, especially what the research is telling us about the actual causes of data breaches.

But what else can we do? Protiviti is a company that looked at this, and one approach might be to say, what's going on as far as best practices? What are the good companies, or really the top performers in cybersecurity, doing, and maybe all the companies can copy that. And what they found was the top performers in IT security and privacy had these characteristics in common: they had the right tone from the top of the organization, they had their core security policies in place, and they had a data classification scheme, so they understood what we call the crown jewels in their data. So I'm looking at this list and I'm wondering, where is the technology? I don't see anything about the top performers in security being top performers because they have an innovative computer network architecture. I don't see anything about them being top performers because they use a particular vendor's intrusion detection and prevention system. There's no technology at all. What I do see instead is business. What makes top performers top performers is they have strong leadership from the top, they have effective management practices, and they understand what business they're in: they know their critical data and they understand their mission. So this is a twist. We started out wondering how the business world can learn more about cybersecurity; it turns out one of the best ways to make an impact on data breaches may be for the cybersecurity world to learn more about business.

So we've really reached the end of our short journey and short exploration of these two worlds and the territory between them. I'd like to just take a moment more to highlight what we've seen along the way. Here's the future that I'd like for us: when you're holding your credit card in your hand, you can be confident that no one's stolen the credit card numbers. And when you're in a room like this and a speaker says, "I'd like all those who are victims of identity theft and data breach to raise your hand," no hands will go up. But I know that's not our current reality. But I know also it's not hopeless, and if we listen to the research in this cybersecurity-business interface, we can move these worlds of business and technology closer together. We can recast cybersecurity as digital risk, and we can apply strong leadership and effective management to reduce the causes of human error. And as these two worlds come together, it's going to cause us to rethink those images we used at the beginning, and they are moving closer together as well. So when we think of the business world, it's still going to be an upbeat business professional, but now it'll be a cyber-savvy professional who really understands digital risk. And for the technology side, representing this technology side, we still have our iconic computer hacker character, but now he's all dressed up and ready for business. Thank you.

[Applause]