Advice for boards: policy and the big picture.
A fireside chat between Michael Chertoff (Executive Chairman and Co-Founder, The Chertoff Group) and Steve Daly (Chief Executive Officer, Ivanti—a company that traces its roots to Landesk) was nominally a chat about the boardroom's perspective on cybersecurity, but it proved much more far-ranging than that. Jim Pflaging (Principal and Technology Sector and Strategy Practice Lead, The Chertoff Group) moderated their discussion. They took questions from the audience and structured their discussion accordingly.
The threat landscape, and how policy and technology can negotiate it.
The opening question asked for an assessment of current US Administrative cybersecurity policy. Chertoff liked the cybersecurity Executive Order and the Administration push to migrate IT systems to the cloud, "but the proof will be in the execution." He saw some propensity for distraction in the Administration, and he hoped that a sound strategy won't be lost in execution.
As far as what the Government will have to deal with, Chertoff expected to see an uptick in threats worldwide. "There's been a great deal of anger for some time, both latent and overt," and he expects that anger to manifest itself in more physical violence ("and more cyber violence, too"). Not all of this violence will come from nation-states. He sees a growing need for artificial intelligence in screening. He sees unmet needs in identity management, and he thinks we need better ability to track known wolves (this last is especially true in Europe). Technology can indicate when a potential threat is about to become actual, and there's useful work to be done here.
The security conversation in the boardroom.
Pflaging asked how the security conversation has changed within boards. Chertoff immediately noted one trend: the rising importance of being able to certify the security of your subcontractors.
Daly said he was starting to see more importance attached to certifying security in due diligence, even in less regulated sectors. He thinks, however, that boards still underappreciate this. Paradoxically, he said, awareness of real risks remains low, even as boards become numb to those risks. CEOs can't wait for boards to push security; they must lead. Security must become other than a cost center.
Cybersecurity industry: M&A as a strategy.
Daly asked about making mergers and acquisitions a centerpiece of corporate strategy, said it was hard to find the right companies who were willing to be bought. "It's important to be disciplined about how much you pay, and what the acquisition's strategic fit is." He cautioned ensuring that a company you plan to acquire has a good, complete fit across your business before you conclude an acquisition.
Boards tend to assert themselves, Chertoff said, when a company enters new geographical markets or lines of business.
What about election hacking?
Chertoff took a question from the audience about election hacking. He began by drawing a sharp distinction between "election hacking" in the sense of manipulating voting machines and "election hacking" in the sense of what's come to be called "the fake news problem." These senses are two often conflated.
With respect to fake news, Chertoff said we have be cautious here. "In whose eyes is the news fake? Putin would love to control news. He's told me so." There are some ways one might work against fake news. You can, for example, distinguish natural persons from bots (a point Chertoff has made elsewhere). He's nervous, however, about where you draw the line on takedowns, and counsels against becoming too quick to restrict freedom of speach.
Securing voting databases, however, is a different matter, and Chertoff thinks there's work to be done here. "In some ways the disparate nature of our voting systems has worked to our advantage," but we can't count on that securing the integrity of elections indefinitely.
The Russian government is the principal adversary interested in US and other elections. Chertoff argued that, fundamentally, Russia wants to discredit democracy by sowing doubt more than it wants to rig elections to produce any particular outcome.
A role for government in advancing security technology.
To Pflaging's question, about the role of government in spurring advances in security technology, Daly was of two minds. If there's a market need, government may not need to help.
Chertoff thought that government could provide a useful spur to technology development where there's a market. But this requires stability and predictability in government investment. This, like a cybersecurity strategy, is easier to state than it is to implement.
International challenges in cybersecurity.
To the question about regional considerations that arise when one enters a new geographical market, Daly said that data privacy is always important. "We have to jump through a lot of hoops, but they're similar hoops."
Pflaging asked the question from the other side: What about foreign companies investing in the US security market?
Chertoff described the longstanding concern that US data would wind up in foreign hands. He sees, now, however, more emphasis on job creation. If you're a foreign company whose operations are going to close plants in the US, you'll have a hard time doing business with the US Government. "If you're creating US jobs, you'll do much better."
To a follow-up question from the audience about data access—are we heading toward more data sovereignty, and how will that affect technological advance—Daly thought that nationalism stopped at job creation. In Chertoff's view, the US Government is more concerned about security than it is about privacy, and that some shared international standards would be welcome. He thought ability to track and manage individual data elements is a challenge, and therefore an opportunity.
Final recommendations for board members.
Daly advised boards not only to focus on security, but to bring appropriate security expertise onto the board itself.
Chertoff urged boards to avoid micromanagement, give security priority, fix accountability, and talk to the CISO. He also advised boards to insist on metrics: "Having someone report metrics to the board motivates people to stay on top of the situation."