Root Causes 244: PwC Survey Reports Cyber Security as Biggest Risk to Companies

Episode Transcript

Lightly edited for flow and brevity.

• 

  Tim Callan

  So we wanted to talk about some recent research that came out. This is from PricewaterhouseCoopers. It’s their PwC Pulse Survey. And it’s called Managing Business Risks. I’m sure if you do a search on PwC Pulse Survey, Managing Business Risks, it will probably be pretty much the first thing you see. This is very recent and there’s a lot of it. It’s a long article. We are not gonna try to cover the whole article but there were a couple of things that kind of jumped out that seemed very important for IT professionals, security professionals, and our kind of crowd. So, what’s the first on your list, Jay?

• 

  Jason Soroko

  Tim, there’s a lot in that survey. PwC covers a lot of territory and a lot of very traditional stuff. So, a lot of people might think that we are referring to some sort of cybersecurity specific thing and, in fact, this report is very wide ranging and it’s really, really meant for the upper brass of corporations.

• 

  Tim Callan

  And to be clear, like wider-ranging than just IT matters. Like they’re asking what do you think about inflation and what do you think about the Ukraine. I mean it’s very wide-ranging. But go on.

• 

  Jason Soroko

  People who are making the big decisions about everything from finance to what are the risks I’m facing from every front? IT and everything is incidental typically within this typical survey as it has ever been. I think though there’s a huge, huge C change that we are starting to see. I think that PwC is picking up on part of the change and I think that one of the major points that has come out of this survey is cyber is the Number 1 business risk.

  As stated in the survey. And a very large number of the response, more than a third, basically listing cyberattacks as a serious risk as well. So, we are talking about the majority of people who responded to the survey, people very high up within enterprises, not necessary IT people, we’re talking about them saying my biggest risk overall, even in a world where we have Ukraine, where we have rising interest rates, where we have all kinds of things that affect businesses negatively, things that you have make shifts for as a corporate executive – cyber risk is Number 1.

  And there’s a statement that has been made here that caught my eye as the reason why I wanted to cover this in a podcast and that is, cyber threats are no longer solely the domain of the CISO.

  Tim, to me, that’s huge because one of the biggest problems that I have, you have, a lot of us who come from the computer security industry is trying to make the big decision makers understand that security really needs to be a top down enterprise for the whole organization. You need to see this as more than just a cost center from which you just solve a problem and move on to the rest of your business. It’s something that – Tim, you’ve made this point before about how every single business out there is digital. Digital transformation has happened everywhere and there’s very few businesses that don’t have to rely on computer communications from some kind. Business to customer. Business to other businesses. Your ability to operate yourself. Your ability to report on yourself. The dashboards. Your inventory systems. Everything, Tim.

• 

  Tim Callan

  Everything. And they’re all connected and they are all cascading. So, just, I’m gonna do a quick plug. If you want a deep dive on this topic, go back to our Episode 197 – Tim’s Digital Haircut, where we talk about how businesses that you think of as being just completely offline – restaurants, barbers, retailers – are not in any way. They’re completely digital to the point where they can’t operate if the computers aren’t running and, for your average enterprise, absolutely. Everything would grind to a halt. They would get nothing done.

  Now it’s interesting. So, you talk about don’t just think of this as the domain of the CISO. There’s a department; the department handles it; I give them enough money; I don’t want to think about it ever again. Some of the other things on this list are big and broad enough that it would affect the whole company. Everyone would be worried about it. And I’ll just grab a few just pretty at random – inflation, U.S. regulatory environment, recession, U.S./China relations, COVID-19 variants and other public health crisis, climate change. Like these are things that would affect all kinds of people. Supply chain disruptions. These are things that affect all the people and department inside of your company. If you were worried about supply chain disruptions or COVID-19, everybody would say how does this affect me? What do I need to do differently? And to your point, Jay, which I think is good one, is for many, many years, people didn’t think that way about the computer stuff. The computer stuff was the computer department’s department, if you will, and not mine to worry about. But suddenly, it’s topping the list.
  

• 

  Jason Soroko

  So, that means that your CIOs and your CISOs who deal with this stuff, they’re the quarterbacks in the company for this. It used to be that they were playing their own game. It wasn’t part of the business game. Whatever the company as a whole was doing, the CISO was off doing something else.

• 

  Tim Callan

  It’s no longer tennis. It’s now football.

• 

  Jason Soroko

  Like we always like to joke about IT departments quite often were looked at as the disablers of the company. In other words, no you can’t do that. No, I won’t reimage your computer. Department of No. The Department of No. And now it’s great because now no longer is this a different game, now it is the same game and the CISO is the quarterback.

• 

  Tim Callan

  And what’s Number 2 on this list and I think this is directly relevant. Number 1 is more frequent and/or broader cyberattacks. Number 2, second most worrisome thing, talent acquisition and retention. And I think that’s directly contributory because on this podcast we talk a lot about this IT skills gap which has existed for decades and there’s no end in sight and if you’ve got more worries than ever about keeping your cyber operations running part of what you want to do is you want to bring in the skills to help you not worry about that and it’s hard to get them.

  There’s a talent gap. There’s a skills gap. In this field in particular – I’ve seen other research other places that suggest that that IT skills gap is greater than any other skills gap in any professional segment in the world.

• 

  Jason Soroko

  Tim, you might think, well, isn’t the bullpen for IT jobs or specifically security jobs a big bullpen and we are good to go. Tim, I’m gonna say this anecdotally because I don’t have the numbers at my fingertips but I think that that’s simply not true.

  I don’t think the bullpen is anywhere near what it needs to be and I don’t think it’s just because, as you and I like to joke, computers are hard and security is even way harder.

• 

  Tim Callan

  Yes. Security is hard. It is.

• 

  Jason Soroko

  It is. And I don’t even think it’s that because people don’t shy away from hard problems but my issue is you were at conferences recently, Tim, I’m always talking to people – the funny thing is, it’s always a bit of a joke amongst the folks that we end up talking to, it’s always the same faces.

  And, here we are, industry graybeards, that’s what we call ourselves at the top of the podcast, and even some of the guests we have on, these are folks we’ve known for years and years and the numbers of just the fresh faces who haven’t worked with you before, can’t wait to have a good working relationship handshake, I don’t know. I don’t see enough of it and definitely not in computer security.

• 

  Tim Callan

  While we are in anecdote world, I’m reminded of a couple of things. One of which is a thing that I frequently say, which is, that PKI people do not fall from the tree. Or crypto people do not fall far from the tree or certificate people they don’t fall from the tree. And you see that over and over and over again. That people in this industry, as you say, there’s a lot of longevity in this industry and then connected to that, I’m reminded of something that a friend of mine likes to say, he says it a lot, which is that PKI experts are not made overnight. That it takes a long time to really get this stuff dialed in. A lot of knowledge. A lot of training. A lot of experience. And if you don’t get it really dialed in, very bad things can happen and you can be surprised in very unpleasant ways.

• 

  Jason Soroko

  And what’s interesting is that a lot of the backgrounds of those people, Tim, especially the PKI, the people who have to be hard forged in a lot of years of a lot of things, they come from different backgrounds and I think if you are looking for how do I build my bullpen so that I can fulfill these needs for my long term business risk, you’ve gotta look in the areas that you might not have looked at before. It’s not necessarily, the computer scientist. That’s gonna be some of them but I gotta tell you, a lot of folks that I’ve worked with don’t come directly from that area. I know a lot of folks come as diverse as the intelligence community or people who were previously came from an arts degree but were incredibly good at thinking through problems within security. I come from academia and it’s like there’s a lot of people who don’t come from the traditional, hey, this is a computer problem, let’s solve it by hiring people who come right out of computer science course. You know what? That’s only a piece of your cross-disciplinary problem that you need to solve.

• 

  Tim Callan

  It is. It’s also a great time to talk about the benefit and value of growing your own. I know lots of really excellent leaders who started now they are in IT but they started as a sales engineer, or a salesperson or as a digital marketer but they had the skills and the predilections and they had sort of the fundamental capacity to learn and to learn certain kinds of things and they wind up in development roles or QA roles, important QA roles, or things like that and, especially with that skills gap that we talked about before, being smart about thinking broadly about what your bullpen is certainly is a good idea.

• 

  Jason Soroko

  And, Tim, here’s maybe one of my final points about why would a cybersecurity vendor, people who work in the cybersecurity vendor space, be talking about, raise the flag to tell people about something like this PwC study and I’m sure that there’s a cynical point of view out there that says, oh, well, the reason Tim and Jay are bringing this up is because - -

• 

  Tim Callan

  Because they needed a podcast. They gotta keep the beast fed.

• 

  Jason Soroko

  And furthermore, these guys are in the business of selling cybersecurity product and stuff and so they want a wider audience to sell their widget and, by the way, this is really all about the fact that there is a wider audience for those widgets.

• 

  Tim Callan

  And for what it’s worth, we did need a podcast but go ahead.

• 

  Jason Soroko

  But, look, here’s the thing. We were just talking about fulfilling a bullpen strategically for corporations. Guess what? Your CISO doesn’t have the political clout within any organization to be able to make that big of a strategic decision.

  And so, therefore, if this survey is truly true, and I believe it is and really, people who are at all levels of the brass, the C-suite, are now in on this with the CISO, then you are all the folks with the clout within the company and the knowledge and the wherewithal to be able to make the big decisions of I’m going to do what Tim said, which is I’m gonna grow from within and to fulfill some of these positions that are now important to the whole company.

• 

  Tim Callan

  I’m gonna support initiatives. It may be about budget allocations. It may be about headcount allocations. It may be about I’m gonna give up my customer-facing initiative that I really want because I accept that we’ve got to do certain things to secure ourselves. And I’m gonna delay that. I’m gonna go ahead and say I’m gonna get that initiative four months later and I’m not gonna go pitch a fit and I’m not gonna go into the board room and yell and scream until I get my way. That’s some of the ways that people in these roles can help for sure.

• 

  Jason Soroko

  So, using corporate speak, this is way more than about procurement within a cost center. This is about, no, everybody in the brass of a corporation is now a player within this. The CISO is merely the quarterback who is closest to the medal, but you all have a role to play in solving this problem and I’ll tell you, it’s not about just going to RSA and walking down the aisles and going, hey, these are six vendors I’m gonna spend some money on right now. This is much, much, much bigger than that, Tim.

• 

  Tim Callan

  I agree. So, good. It’s good to call our attention to that. I think that’s a valuable piece of research and a good lesson to be learned from it.

• 

  Jason Soroko

  I think so. But, anyway, I know people who listen to the podcast, you are probably living this and so it might seem like an old story but to me, it’s a fresh story because of the fact that I’ve never heard - - you know, one of the big auditors, one of the big four or five comes straight out and say cyber is the biggest risk especially in a world that has a lot of other business risks right now.

• 

  Tim Callan

  Alright. So, again, just I’ll say it in case you didn’t get in the beginning - - it’s PwC survey. PwC Pulse Survey Managing Business Risks. I’m sure if you search for it you can find it pretty easily.