In this episode of the Futurum Tech Webcast I was joined by my partner and fellow Futurum analyst, Daniel Newman, for a conversation about cybersecurity. Security breaches are frequent and inevitable; they can badly damage customer trust, hurt corporate profitability, and quite often cost a CISO or CIO his or her job.
From the Microsoft Exchange Server attack this past week to the SolarWinds attack of the last few months (both at the hands of state-sponsored actors, one suspected to be of Russian origin and the other Chinese), to well-known breaches like Equifax, Target, Capital One, JP Morgan Chase and Marriott, what we’re seeing in the industry is a massive difference in risk between organizations that take effective cybersecurity precautions and organizations that don’t.
With the financial impact of a data breach in 2020 averaging about $3.86 million, not taking into consideration what is often millions of dollars in fines, cybersecurity and the inevitability of a hack is something that needs to be addressed at the highest levels in the organization. Cybersecurity must be a board-level concern and resonate on down through every level of the organization, from the CEO and CIO/CISO and beyond.
Cybersecurity must be a foundational part of business strategy, and more training and more processes aren’t always the answer — technology will likely play a big role here as well in the months and years ahead.
In our conversation we touched on what we do with data and the problems with the status quo. Think about it for a moment. When it comes to data:
- We decrypt it in order to use it.
- What happens when the administrators of our data repositories leave?
- When the data lives in the public cloud, how do we ensure the container or virtual machine operators are operating in a trusted way?
- Are process, certification and compliance standards enough?
We don’t think so. Not yet, anyway. This is the first of several conversations we’ll have on this topic, as we are also working on a research brief on Confidential Computing, which is all about securing data while it is in use by performing computation inside a hardware-based Trusted Execution Environment. Confidential Computing is in its nascent stages, but we’re certain we’ll all be talking much more about it in the months to come.
If cybersecurity is of interest to you and your organization (and we hope that it is), the full webcast is available in both video and audio form.
Disclaimer: The Futurum Tech Podcast is for information and entertainment purposes only. Over the course of this podcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.
Shelly Kramer: Hello, and welcome to this week’s episode of the Futurum Tech Webcast. I’m your host, Shelly Kramer. And I’m joined today by my partner in crime, Daniel Newman. Hello Daniel.
Daniel Newman: Hey Shelly. I still always got to get used to the whole we are now a webcast thing. It’s awesome because I love being on video. I love that people get to see us. We love to see you. But I just always want to call it a podcast.
Shelly Kramer: It’s not a podcast.
Daniel Newman: I know.
Shelly Kramer: It’s a webcast.
Daniel Newman: I know.
Shelly Kramer: So change is good. Transformation, that’s what we do.
Daniel Newman: We do. And we’re good at it. And this particular show is all about a big transformation and trend that’s going on in the marketplace that I felt was appropriate to talk about. In fact, I think this is so important that we should maybe talk about it a few times on a few shows.
Shelly Kramer: Absolutely.
Daniel Newman: A big trend, something that you’d literally have to be living under a rock to not have heard about, but over the last few months there’s been some pretty darn big security breaches. And Shelly, I know this is something you pay a lot of attention to.
Shelly Kramer: I do. I’m the security freak. It’s funny. I was just thinking about you have kids in club sports, I have kids in club sports. You probably have parent groups. I’m the one that posts in parent groups, “Got a notice of a hacking from the outfit that we buy our equipment from. Here’s where you need to be careful.” And these parents are looking at me like, you’re kind of crazy lady. And I’m thinking when you live in this space, you pay attention to those things.
Daniel Newman: It’s funny you say that I’m the one that is always on Facebook watching people participate in these goofy your best rock concert, or your favorite vehicle, or what movies you watch every year on Christmas? And people just share this stuff so liberally. And I think people maybe feel because it’s in their social community that this data, it’s not achievable-
Shelly Kramer: Accessible.
Daniel Newman: … for people to legally be able to access… There you go. Access it, and mine it, and keep it, and associate it. But just like we’re tracked all over the internet for the purposes of advertising and shopping, hackers can do the same thing for the sake of data mining collection. And trust me, we’re not deep, dark, crazy secret world people, but there are definitely dark websites that have your information and my information just waiting for us to give the right pieces of data so that they can get after us. And people like you that are careful, I’m not saying I’m not, it’s good that you are out there.
Shelly Kramer: Well, and I think that even people who are extremely knowledgeable about security and the risks and everything else, and I would say I wouldn’t call myself extremely knowledgeable. I’m moderately knowledgeable, right? I’m not a security… I’m not a hacker. I’m not a security expert. There are certainly people with way more knowledge than I have, or than you have. But really, it’s that awareness. You know what I’m saying? Whether it’s I’ve got to check for compromised… If you use Google Chrome and it shows you have compromised passwords, fix those. Make sure you’re not using the same password across the web, all that sort of thing. But kind of to move on a little bit to our topic today, we’re going to talk about trust. And we’re going to talk about how trust is really, it’s the new battlefield in the age of digital transformation. I’m sorry, I’ll get that right. So trust, it kind of drives everything.
Daniel Newman: Yeah. And really at Futurum Research, we’re sort of onto this trend. So over the last few weeks, like I said, you’re kind of under a rock if you didn’t hear about what’s happening with Microsoft Exchange. And by the way, we have a great article up on Futurum. We’ll put the link in the show notes, check it out, that really talks about what happened. Shelly, you tracked the SolarWinds hack very closely. That’s sort of, I wouldn’t say it started the conversation because this conversation has been going on for some time, but each passing hack and some of these zero-day vulnerabilities that have happened over the past couple of years, seemed to be drawing a little more attention. There’s everything from regulatory impacts now where we’re starting to look at everything from civil and criminal negligence to just what companies can people trust. And so a broad spectrum, but something that can definitely damage a brand and the value of the brand. It can also, of course, create real material damage to national security in the cases of some of these hacks. These are big deals.
And so we want to kind of start a series here, a three-part, so you and I are co-authoring some research that’s going to come into market talking about this bigger trust topic. And we’re also going to dive into in the later parts of this series into this idea of what’s called confidential computing, which is an effort that’s being put into market. There’s a consortium of companies, some of the leaders include IBM, Intel, AMD, and there’s also other companies doing different things. AWS has secure enclaves, which is the type of technology that allows for data to be both at rest and in motion, but also in execution to be secured.
And we’ll get into more of that technical garb later on. But where I thought it made the most sense to start was kind of just talking about the landscape of trust, the landscape of security. The sort of trend in the space, Shelly, to have people sort of invest only as much as they have to where it’s almost like a teeter totter of if I can spend less and it’ll only cost me so much, we’ll let you go ahead and breach us. Which of course isn’t the way anyone’s actually thinking, but it’s been a lot of the approach that companies have taken. We’ll spend as little as we have to to be secure enough.
Shelly Kramer: Well, and I also think there’s a very real mindset, Daniel, that companies have insurance, okay? Companies have insurance. And yeah, a big settlement hits the bottom line, but I have insurance. And I think that there is in some instances, and I don’t think consumers think about this, but I think in some instances at the enterprise level and beyond, in the small to midsize space, I think people are saying, “Well, I’m going to buy this insurance. And if something happens, we’ll be covered in some way.” And they’re not thinking about it in terms of what does this do to our customers? What does it do to the trust that our customers have in our company and our brand? One of the things that we talk about in the report that we’re developing is what does this do to a career? Somebody’s got to take the fall for a data breach. And that’s, generally speaking, somebody within IT. The CISO, the CIO. So there are some very real ramifications there.
Daniel Newman: Yeah. And by the way, it can be the CEO too. I mean, we’ve seen, depending on the severity, everybody’s at risk. And again, that’s part of this broader discussion, Shelly, is that we have entered an era where it is no longer just an IT conversation to talk about security. It is its own piece of the world because it crosses over into every vertical and every part of a business, and not to mention every line of business. But it’s also a board level discussion at this point. It’s something that needs to be discussed in the board room, like a key interest rate might impact your business, or a line of credit. Well, you know what, security is your line of credit to trust within your customers.
And in a world where you’re seeing growing regulatory environments, you’re seeing tougher compliance rules outside of just highly regulated industries, you’re seeing a shift towards new laws that impact the ability to market efficiently to people because you need to take their privacy seriously. And of course, Shelly, we’re seeing massive impacts with, like Apple. Look at what’s going on with Apple and Facebook. Now that’s not a “security” story, but it is a security story. It’s all about making people feel secure that their data is being used for good and valuable customer experiences, and not for nefarious uses. And that your data and you as an individual have some control over it.
And just I’ll kind of punt it back with this in mind, but this story is like two trains converging. The idea of taking care of people’s data privacy and using data for good as much as possible while still delivering experiences. And this idea of keeping your data and your applications and your environments secure from hacking and hackers that could access information that’s private, personal, and like I said earlier, it could be even a risk to our national security.
Shelly Kramer: I think that there are also some key things at work here. We did some research in partnership with SAS in 2020. And one of the things that came out of this, we surveyed 4,000… Was it 4,000 from brand and 4,000 from consumer? I mean, it was a pretty big study.
Daniel Newman: It was 4,000 total. 2,000 brand, 2,000 consumers. Yeah.
Shelly Kramer: 4,000. Total 2,000, 2,000. And what consumers told us, as it related to security in particular, and trust because a lot of this work that we focused on, it was about customer experience, the future of customer experiences now, was how consumers feel about what brands do to protect their privacy. And the answer was very little. And consumers feel very much out of control. We’re worried about this. We don’t feel like we have any control over it. And we really don’t know what to do about it because we do still need to engage in experiences to buy things, to do things, do whatever. So I thought that that was really interesting.
And the other thing that’s, I think, a really real factor here. So consumers yearn for data privacy, security, trust. They’re living in a state where they don’t have it. Competitive advantage. Okay? So that’s one thing to keep in mind, I think. But the other thing that is a very real challenge today is that there is a dearth of skilled technical talent. So we can talk about all these great solutions, but if we don’t have IT teams, if we don’t have the right talent to help run our companies, run our operations, especially talent that is specifically experienced in security, that’s problematic. So I think there’s kind of this magic confluence of all of these factors. We have security at the hardware level. We have security at the software level. The SolarWinds attack was a software level attack. Hardware level attacks happen too. And trust that goes along in that chain of security, the physical security is also an issue. So it’s really this huge equation.
Daniel Newman: And not to mention, we really would be remiss to talk about security and not just talk about the fact that it is a very human effort too. We are seeing massive investments in observability technologies that are able to manage and monitor massive sprawl of data concurrently using AI/ML, using anomaly detection, threat detection models that have been built to basically identify potential threat surfaces and the risks that could happen on those surfaces for companies.
I mean, but people are a huge factor in this. I mean our own behavior. We started kind of talking about this when you were talking about the club sports and your little crazy messages. But I mean one of the recent hacks that has been really commonly used because of the remote work has been us on camera. You and I have professionally built environments, more or less, that we know what’s in our camera shot. But how many times do you get on with people, and there’s no cause or concern or care as to their backgrounds? You see people, “Hey, I’m in my office today,” and they’re snapping an Instagram photo of what they’re doing. And right there on the desk are papers. And again, you can’t see with the naked eye. You only have to watch one episode of 24 to know what you can do with high tech equipment that can take that piece of paper on your desk behind you, and zoom in on it and identify things.
And I mean, people are fairly irresponsible at times. I mean the joke about the sticky note on the laptop with your password is not a joke because it’s not real. It really happens. And again, 32 bit and 64 bit encrypted passwords can be hard to remember. And that’s why we’ve used things like Passpack and different password tools to generate automated hashed or encrypted passwords that are difficult to remember. And that stuff’s great, but that’s also problematic because anybody that’s trying to actually live their life at times knows that I just need to know my password. So there’s all these different juggles. And these juggles become struggles for people. It’s like-
Shelly Kramer: That was clever. That was clever. These juggles become struggles.
Daniel Newman: Juggles and struggles. The juggles become struggles.
Shelly Kramer: Did you work on that in advance? Because that was really clever.
Daniel Newman: I mean, I’m pretty sure there’s a password for at least one thing that I’ve reset for you over 100 times. I won’t say what it is. But I’m saying even us who are pretty cognizant-
Shelly Kramer: Which, by the way, isn’t my fault.
Daniel Newman: What?
Shelly Kramer: Which by the way is not my fault. We shouldn’t talk about it because this is going to jinx us, right?
Daniel Newman: Yeah. We’re going to get jinxed. But my point is, is even the most responsible. But in the end, security is one of those things that how often do most organizations talk about, how much in the remote work world do they really create that playbook for the remote employee to be more considerate. As we’ve built everything to be cloud SaaS and web enabled, and you start doing more things on your personal devices, not realizing that once you put your email on your personal device through a web app, and you leave that app open, all those attachments that are in there, it could be company P&L, it could be information that could leak that could impact a stock performance or an upcoming earnings event. It could be information about your competitors. It could be all kinds of competitive intel.
And it could be of course things, if you’re in a super regulated industry, you could be looking at files and information that is much more critical, that would break all kinds of rules. Maybe it’s FINRA or HIPAA rules that could really get you into some trouble. And people don’t always think about that. You leave your phone somewhere on a desk, how it’s secured. Yeah, of course, it locks, but it doesn’t lock right away. And if you accidentally leave it open on the desk and someone gets it before it closes, it only takes a moment sometimes to be able to undo everything. So there’s just a ton of risk factors for people. And sorry, I’m rambling on, but it’s just I’m so passionate about that human part. We’ve got to train people to be responsible.
Shelly Kramer: But you know what, so back to volleyball, which is my life. Soccer, I know is yours. As you know, we were out of town at a volleyball tournament this past weekend. And rental car. And we would get up every morning and drive to the convention center where the tournament was being held. And on the second day of the tournament, my husband always has a backpack on. And one of the other parents looks at him this day, and I happened to be standing nearby and said, “Dude, why are you carrying that?” And my husband who works for a Fortune 100 company said, and by the way you don’t have to work for a Fortune 100 company to have this mindset, but he said, “I learned a lesson once early in my career. Never ever leave a laptop anywhere. It is always in my possession. I don’t leave it in my hotel room. I don’t leave it in my rental car. I don’t leave it in my car when I pull in the driveway at home. My laptop is always in my possession or somewhat nearby.” And it’s, I mean, that’s what he lives by.
Daniel Newman: And even with logins and passwords and biometrics, it’s just you just don’t know what someone can do. They can physically pull apart your machine, remove a hard drive. And there’s all kinds of different things that, again, people a lot smarter than the average, even technologist or average user. And by the way, tell your husband, he’s in good company.
Shelly Kramer: You never do it either.
Daniel Newman: I take my laptop everywhere.
Shelly Kramer: Never.
Daniel Newman: It always comes with me. I always have my bag with me. I could be going away for one game. And people were like, “Why are you bringing your laptop? And your-
Shelly Kramer: Always.
Daniel Newman: … bag. And why are you walking around with it?” Just because I always want… “Why do you not leave it in the room?” I just don’t trust anybody.
Shelly Kramer: And for us, we own a family of companies. Part of the reason I have my laptop with me at all time is, truly, our job is taking care of our clients. And if there’s something that happens, I need to have access. And I don’t want to be conducting important business constantly on my phone. So that’s one reason I have it. But I would never leave it in a hotel room. It just doesn’t make any sense. But that kind of goes to, going back to our conversation here, which is about trust. And what we’re talking about is operational trust, okay?
And what we try to establish within an organization is we tell our employees, we tell our IT team, here’s what we want of you. Daniel, please don’t ever leave your laptop unattended. If you’re going to travel with your laptop, have it with you at all times. Daniel says, “Okay, sure.” But there’s no real way of enforcing that, right? He either does or he doesn’t. We don’t know that. And by the way, I’m not saying that operational trust is bad. And we’ve worked with lots of clients in the security space, in the training space. And we know that one of the keys to safer organizations is a culture of security and awareness around security. And that’s not one and done training. That’s ongoing training. That’s maybe hackathons, it’s all different kinds of things. It’s testing your employees’ resilience to phishing campaigns or to vishing campaigns, or all kinds of different things. And that’s operational trust.
And then you’ve got stricter rules. You’re not allowed to do this, or you have to change your password every 15 days or whatever. And then we’ve got compliance and certification. And so your team earns these certifications, has to have this training, gets this certification, gets this compliance certification. All those things are part of operational trust. And they’re good. I think that where we’re going, that’s not good enough. Where we are, that’s not good enough.
Daniel Newman: So if you heard the little pause there, I’ve been talking for about 30 seconds now, and this is the human part of building content these days. My beautiful pets started barking. And so-
Shelly Kramer: It happens.
Daniel Newman: … the life of at home. But everybody has to feel our long-term sympathy for what we’ve been doing forever now, because you’ve all done it. But so I hit mute. And then I started talking about how we do have to do better, and I had all these great ideas. But now what I’m going to say is just going to be mediocre. But no, in all seriousness, we do have to do better. The continuous improvement, the human company relationship. It’s not all on the company and it’s not all on the people, but there does have to be that sort of symbiotic work to help people become more cognizant of the risks they create both for themselves, for the company, for their customers, and for the data that we are all entrusted with. And we are entrusted with a lot of data. I mean, technologies and systems are being built that make it safer. And we’re going to talk about that in our future episodes a little bit.
I did want to sort of kind of wrap this particular episode. I did mention we’re going to put out this multi-part paper. And in this paper, like I said, we’re going to start kind of with what we talked about today, just big picture, what’s going on with security. We didn’t talk deeply about the SolarWinds or Microsoft hack, but we will actually in the paper. We’ll have some references to those things.
But what I really thought would be interesting to sort of talk about is the real costs of a data breach, and what they really do mean for a company. In our report, we talk a lot about this is we sort of set the stage to move to this deeper conversation around our trusted execution environments and confidential computing. But there’s research out there. And what really impacts a data breach. Which by the way, when you’re looking at a total cost, because there’s an economic impact to a data breach. And there’s some tangible economic impacts. That could be things like fines. And then there’s things like lost revenue directly implicated from the breach. And they say that that’s about 40% of the actual impact is lost revenue. So you have impacts to churn, you’ve got downtime that costs you.
And then, of course, this is what I would call sort of a soft cost is reputation, right? How long has it taken some of these companies over the years… I believe it was Equifax, right, was the big credit card. The reputation impact. Or Target, when it had its first breach of its credit cards. Now again, I’m a diehard Targeter, but it took me a while to go back. I was worried. And our card was one of the cards that got breached. And then how much harder, Shelly, does it become to acquire a customer to that point? You lost a customer, or you’ve temporarily lost a customer. And you and I both know this very well. It’s a lot easier to sell more to an existing customer than it is to find a new one. Well, when you lose people, they don’t come back easy. And if the breach impacted them personally in some way, or their company personally, it’s a long road back.
Shelly Kramer: It is a long road back. And one thing that I thought was relevant, and I’ve kind of been immersed in developing this paper that we’re writing together, okay, so you think about the hit reputationally and consumer trust from Target. Okay, one of the things you mentioned was downtime. And I think sometimes we hear downtime, and you go, oh, downtime. Yeah, downtime. Yeah, that sucks. But here’s an example that I thought was really interesting.
So in December of 2019, Norwegian aluminum manufacturer, Norsk Hydro, which is a global manufacturing giant, experienced a breach. Malicious code tore through its network and it forced the company to shift to manual mode. Okay, imagine being a manufacturing facility that is reliant upon technology and automation powering what happens every hour, every minute of every day, and having to completely transition to manual mode. The company has admitted so far that the bill for this could top 75 million. Okay? And that’s not protecting customer data. That’s not regaining customer trust. That’s this got into our system and messed us up. That’s a lot.
Daniel Newman: It is. And so, as we sort of bring this together, we hope everybody out there is enjoying this kind of topic. We realize there’s a little bit of riffing here, but this is so fluid in the landscape. And I hope you kind of make that connection between the most high level at the board CEO, CISO level, all the way down to every single day activities, whether it’s your husband carrying the backpack, whether it’s the little hacks that we see inside of our social media channels, the little things we do with sticky pads. That is sort of a spectrum there because these little things we do, it’s one person, it’s getting into one system, it’s rooting in that system. It’s spreading, and it’s like wildfire.
I mean, SolarWinds is a security company that actually had code injected. The code it was injecting into people’s systems that’s supposed to be securing them was being injected with malicious code in it. The irony cannot be lost on you. I mean, Microsoft is the world’s largest security company by revenue, $10 billion a year security revenue company, had a massive breach across its systems. And again, that’s not because these companies don’t care or don’t understand, or aren’t building things that are extraordinarily robust. It’s just it is, in its own way, a battlefield and we’re fighting it constantly. And every person has a role to play.
Having said that, I think on our next cast, what we should really start talking about is, hey, what is confidential computing? I think we should end it on the operational trust versus technical trust. And I think that’s going to be another thing that thematically will be understood better as we get into confidential computing. And I saw a graphic in a vendor briefing once. And it was along the lines of, we won’t look at your data if you’re hosting with us, if you’re working with us. That’s operational trust. It’s an agreement in principle that, hey, if you host your data and your servers with us, we won’t look at your data. Here’s the signed contract.
The second one is technical trust. It’s we can’t look at your data. And that’s really where we’re trying to head to is it’s like, yeah, you host your servers here. We can administrate them. We can reboot them. We can manage them. We can handle temperature controls. We can upgrade drives and make changes. But our people do not have the keys, the physical keys. And it’s like getting my Bitcoin. You cannot have my Bitcoin without this key. You cannot see our data, but can manage the environment. That’s technical trust. Unless you have the very specific key. That is a big migration at the enterprise level.
Again, just to kind of reiterate, nothing is going to fix stupid. Meaning as people do stupid stuff, we make data available. But how that then becomes an enterprise-wide problem starts to get managed by implementing greater levels of technical trust into your system to say, you can’t get at us. You can’t because there are keys that no matter how close you get, you can’t get all the way there.
Shelly Kramer: And that’s where we need to be. I mean, I don’t see how there’s any argument against that. We may not be able to-
Daniel Newman: No, it’s hard.
Shelly Kramer: … be there today-
Daniel Newman: That’s the other thing. It’s hard. So is having six pack abs, and raising-
Shelly Kramer: But you have those.
Daniel Newman: Shh. I wear a puffy vest. That’s my inner techie. But there’s a lot of things in life that are hard. And anything that’s worth achieving isn’t going to be easy. But in this state, if you go back to all the things we just said, higher sales, higher customer retention because you can basically reverse all the fallout by adding. It’s additive, right? Lower barriers to conversion. And by the way, for all the CISOs out there that you sort of mentioned whose head has to roll.
I mean, in the end, how do you be the CIO or CISO of Equifax or the CISO or CIO at Target when that breach, and walk into your next company and feel like you’re going to have a great opportunity to get hired. I mean, look, you’re immediately going to go… I mean, you’ll rise. People are forgiving. Our memories are short. But at some point you’ve made your life a lot harder. You don’t want to be the person in charge of security on the day of a breach. You just don’t. And when your head does roll, if it does, you don’t want to be looking for a job for a while. It’s going to be hard to find that trust.
Shelly Kramer: No, I remember when I was first writing about the SolarWinds hack. And one of the things that I kept running across was that every senior CISO person, every senior security person said, “This is the occurrence that you spend your whole career going to bed worrying about happening. This is it.” And it’s a tough job. It’s getting tougher. That’s not going to change. So it really is interesting to look at what’s ahead with some of the nascent technology out there and just see the possibilities because they’re really very exciting.
Daniel Newman: It absolutely is. And we really look forward to talking to all of you about that. So with that, Shelly, I’m going to take the lead here and wrap this up. You get to start, I’ll get to finish. Thanks everyone for tuning in here to this Futurum Tech web, not a podcast. And we do really appreciate you sticking with us. And we hope you hit that subscribe button. We’ve got a lot of shows here. There’s shows with the team here, like me and Shelly, there’re shows with customers and vendors. There are shows with end users. We’ve got a whole variety here on the Futurum Tech Webcast. And we love bringing insights to you. Hit that subscribe button, follow us on Twitter, join us on whether it’s Spotify, Apple, wherever you watch it, we want to be available for you. So we appreciate you. Stay tuned for more on this topic. At least one more, maybe two more in this series. Check those links out in the show notes because we think you are going to like what we have to say, but we’re not going to say any more right now. We’ll see you later.