TECHIE
to cut is to not cut things that are useful. Figure out what’s not useful. Figure out what you may have invested in that you’re not using or that you’re not using to its capacity. If it’s not doing the job for which you bought it, reassess. And that’s when a lot of companies will then go and outsource. They’ll say, “We have all this technology and we don’t know if it’s working. Let’s just scrap it all, cut our losses and outsource.” HULEN: I want to affirm that. These are sophisticated systems and if you’re not living and breathing them, you don’t have the background and experience of looking for those anomalies and being able to determine what’s good and bad and how to tune the environment. Outsourcing is a huge factor to bring that talent to bear. Becoming an expert in these areas of cybersecurity is not the right application of the money. However, the money still needs to be there. HOROWITZ: I think a good measure is to
say, “If the people whose data we’re protecting were in this room, what would the conversation be like? Would we be talking in front of them about spending less money protecting the data they assume we’re protecting?”
DE LOMBAERDE: It sounds like everyone is
on the same page about the need to get cyberliability insurance. What does that cost? Is that market mature to get consistent pricing?
HULEN: I don’t think the market is mature. The insurance companies are absolutely learning what this looks like. I would also say that, if you have a policy with $250,000 in coverage, that’s not enough. We’re talking about millions of dollars of coverage that deals with things like ransomware and especially with the data recovery side. Some companies unfortunately are buying little policies for a couple hundred dollars a month and that’s just not going to cut it. Somewhere in the range of $1,000 to $2,000 a month in cyberliability coverage for a $30 to $50 million business is more in line with where it should be. DE LOMBAERDE: As we start to wrap up,
what should business leaders be thinking about two, three, five years from now?
50
FALL 2020 | NASHVILLEPOST.COM
‘If it’s not doing the job for which you bought it, reassess. And that’s when a lot of companies will then go and outsource.’ DEBBIE GORDON, CLOUD RANGE
GORDON: It’s not getting any better. Call me
cynical, but I think we all agree that the threat landscape is growing. This is modern warfare. A lot of people think a hacker is just some kid sitting in his basement messing with things but it’s much bigger than that. We are going to see things that can affect our power grid and our water and things that we take for granted in life.
HOROWITZ: It’s pretty rare that the victim quickly becomes the wrongdoer, right? But now, when cyberattacks happen, it’s almost immediate that the finger starts to point at the organization to say what were you doing to keep this from happening? And complacency is no longer the excuse that it was even 10 years ago. Then it was, “Who are these crazy children in hoodies attacking these companies?” We know better now. I’m not selling insurance but I feel like I am. And I feel like companies regard what we do for them as insurance — and it essentially is. You have to help them understand what the reality of this is but it feels like you’re selling based on fear, which doesn’t feel good. But it’s true! You sit across from these really smart folks who have made excellent decisions to grow this business and be successful. But they’ve got their head in the sand for something that could literally bring them to their knees and it just happened to three of their peers last week.
HULEN: On the threat landscape: One thing we’re seeing is more automation and distributed computing and AI-based threats. The bad guys are becoming very, very skilled and cloud-enabled technologies and scripted infrastructures can spin up machines all over the world very quickly and press an attack on a victim. On the defense side, look for more continuous testing, continuous vulnerability scanning and penetration testing. So we’re not just looking at, “Once a year, we’re going to get the audit done.” Rather, we’re going to continually make sure that our environment is as protected as possible and that our people are becoming those human firewalls. DE LOMBAERDE: We’ve had one more question come in. “As the parent of a student preparing to go to college and looking at cybersecurity as a career — he’s sitting here with me now — what do you recommend he study?” GORDON: A lot of schools are now adding cy-
bersecurity as a specific area of focus or a major or they’re having some specialization in computer science. Everyone thinks cybersecurity is a technical career but, really, there’s art and science to it. There’s critical thinking, there’s decision-making and communication. Many CISOs aren’t technical people; they’re leaders. So even if your school may or may not have a cybersecurity program, it is about being a well-rounded decision maker with good critical thinking and then understanding the fundamentals of cybersecurity. There are so many jobs that cybersecurity could represent. Not all of them are technical and they’re not all hackers.
HOROWITZ: And make sure he stays on the good side! The bad side, they make a lot of money but you want to keep him over here with the good guys. HULEN: Coming from a long, strong technical background, I would say computer science focusing on networks and infrastructure security. That’s typically where these things come up out of. But I will absolutely affirm everything Debbie has said. It takes all kinds here on this battleground: business-oriented and security-oriented people. You cannot win without a full complement of people.
