We recently spoke to Veracode’s new Chief Strategy Officer, Sam King, about various topics related to cyber security, such as the growth of cyber insurance and solving the diversity dilemma.
- From a security point of view, what lessons have been learned from 2015?
The main lesson from 2015 is that the adversaries are persistent and we are not as secure as we thought we were. With so many prominent data breaches last year, from the likes of Ashley Madison to TalkTalk, more and more organisations are finally giving cyber security the attention it deserves.
- How do you see the security landscape developing over the next 12 months?
Security is more on the agenda than ever before, and this is showing no sign of relenting. I recently visited a global financial services company and every one of their board meetings now has a three-hour itinerary dedicated specifically to cyber security. A couple of years ago this was unheard of, but because of the increasing threat landscape we face today, it is an issue organisations of all sizes realise they have to address.
While companies are seeking support to protect all aspects of their IT infrastructure, it is the application layer that is the most common target for cyber attackers. For example, TalkTalk was exploited by an SQL injection, one of the oldest and most well-known types of vulnerabilities on the web. Despite having been around for over a decade and regularly featuring on the OWASP Top 10 list (the widely accepted standard for application security), this class of vulnerability continues to expose enterprises to large-scale breaches and brand damage.
An increasingly large number of organisations are turning to specialists to help protect themselves from these types of attacks. We are going to see this trend continue because although the need for cyber security is intensifying, there aren’t enough security experts available for each enterprise to hire. The competition here is fierce, and as a result we will see more security companies forming as well as existing ones continue to grow. The companies that are most successful will be the ones that help address the root cause of breaches.
- Massive growth is being predicted in cyber insurance. What new challenges/opportunities does this pose to businesses?
We’ve seen cyber security insurance growing in popularity as companies endeavour to mitigate the financial losses associated with a breach. In fact, this growing market is expected to triple to $7.5 billion in five years.
While it is clear that no environment is impenetrable, high profile breaches are constantly demonstrating the rather lacklustre approach that many companies are taking to mitigating well-known threats. A recent survey that Veracode carried out with the New York Stock Exchange found that nine out of 10 board directors think regulators should hold businesses to account if they don’t make reasonable efforts to secure data.
This accountability has more businesses seeking to protect themselves with cyber security insurance. But insurers stand to lose significant sums of money if they have to continually cover the losses from a breach. What I expect to see next is insurance leaders backing moves to regulate cyber standards, so that if their clients don’t take the appropriate steps to protect the enterprise, the insurance company won’t pay the claim. As a result, we could see more organisations employing more robust cyber security measures. As we have recently seen, common and high profile vulnerabilities feature in many organisations’ application layers, and this is therefore an issue organisations must address if they want to avoid being held liable for the losses of their own data.
- The skills gap is becoming more of an issue in cyber security. What needs to be done to fill the gap?
We must ensure that school children are educated as to the importance of cyber security, empowering them to protect themselves online, but also to provide them with an introduction to the industry at an early age. Digital channels are becoming increasingly influential in our everyday lives and it is important we educate people as to how to stay safe online at a young age. Not only will this help young people understand the importance of protecting their data, but it could also play a key role in inspiring more interest in the industry for the next generation.
The UK government certainly isn’t standing still in this respect. It must be commended for supporting the introduction of the ‘Massive Open Online Courses’ (MOOC), which are free courses aimed at educating tomorrow’s cyber security professionals in the UK. Continued support for these kinds of programmes will play a key role in building students’ cyber security knowledge and skills, which will be vital as the UK becomes a more digital nation.
- And what about gender diversity? How can we get more women into cyber security?
In the past couple of years, cyber security has gone mainstream and this is likely to play a role in enticing more women towards the industry. However, this is a process that will require time and a commitment to education.
The cyber security industry is full of organisations talking to a population that’s more diverse than they are and this causes a huge problem. How can you understand and work with people from different cultures and backgrounds if you don’t have any experience of them? Diversity is the key to performing on a global scale, and this should at least start with addressing the gender divide.
It is also important to demonstrate to young women and girls that security isn’t just for boys. We’ve come a long way in the security industry in terms of being more inclusive. Security events used to be full of booth-babes, but we are seeing much less of that every year, helping to make women feel like a welcome member of the security community. There is still progress to be made; one area that I’d like to see change is the way the media portrays people working in technology.
They are either male, or if the character is a woman, she is often nerdy, odd or socially awkward. No one wants to aspire to that. Instead we should show women who are competent technologists, and complete characters not caricatures.
Today, there are no female CEOs in publicly-traded IT security companies and this is certainly something that must change. Only through strong leadership and a real belief in equality can organisations achieve this much-needed change.