Podcast transcript: How to get more for your security dollars

37 min approx | 27 April 2023

Susannah Streeter  

Hello and welcome to the EY and Microsoft Tech Directions Podcast. I'm Susannah Streeter and in this episode, we're focusing on the benefits of simplifying security. Underperforming and needlessly complex security systems aren't just a drain on day-to-day budgets, they can also open the back door to cyber criminals and create a much more painful financial headache. The numbers are startling. In 2022 alone, the average data breach cost increased to $4.35 million, an all-time high. With the economic downturn looming and budgets coming under increasing pressure, it's an ideal time to start streamlining security to find efficiencies and greater protection. But embarking on this process won't come without challenges, not least persuading those in charge of security at the C-suite level, to adapt to new ways of working. They may have become used to relying on a web of tools thinking that the more complex the defense, the better it is. It's hard to break old habits but complexity doesn't necessarily spell greater cyber protection. And spending smart is often better than spending big. So what does that mean in practice? Just how does security simplification help to detect threats quickly minimize risk, and strengthen security posture? How has security changed over the decades? And what does the future hold? Well, that's what we're here to discuss on this podcast. I'm pleased to say I'll be joined by two leaders who will be providing lots of insights on how security simplification provides a more streamlined, integrated approach, given their wide experience in this realm. Before I introduce them, please remember conversations during this podcast should not be relied upon as accounting, legal, investment, or other professional advice. Listeners must, of course, consult their own advisors. 

Now I'm delighted to welcome Dave Burg, who is Americas Cybersecurity Leader for EY. He's got a broad portfolio of experience serving clients across the commercial and US public sectors. Really great to have you on the podcast. Dave, where are you talking to us from?

Dave Burg  

And today, I'm coming to you from McLean, Virginia, which is just right outside of Washington, DC.

Streeter

Well, really interested to hear all your insights coming up. Also, please welcome Kelly Bissell who is CVP Security Solution Services for Microsoft. Kelly has more than 30 years of experience in cyber risk mitigation, security forensics, financial crimes, and regulatory compliance. Welcome, Kelly. We've got lots to talk about. But first, tell me where you are today.

Kelly Bissell  

Hi, Susannah. It's nice to be here. I'm out of Atlanta, Georgia, on the east coast of the US.

Streeter  

Fantastic. Well, great to have this meeting of minds. And I want to ask you, Dave, what have you seen in the last two decades shift in cyber security strategies and philosophy?

Burg  

We've actually seen quite a bit and I think there really are two parts to the question that you asked. The first is really the philosophy. The philosophy that we've seen has shifted from one where companies worked very hard on trying to have a hard outer shell to really try to keep the bad guys out. Once in it, you can manoeuvre anywhere you want inside the enterprise to one where there's certainly a desire to keep the bad actors out. But then once someone is authenticated inside the enterprise, the philosophy is to really try to control very carefully and granularly the movement, the access to infrastructure, to applications, and even to data. But I think the bigger shift that has happened is really more on the strategic side. And it comes from what we hear from board members, or what we've heard from board members really over the last couple of decades. You know, a couple of decades ago, I think most board members and senior executives were certainly aware of cyber to a degree, but they thought of it really as being the kind of thing where the greatest risk was maybe the theft of a credit card number or some sort of sensitive information, personally identifiable information related to an individual consumer. All of that really changed when in 2017, we saw those destructive malware attacks that took place all around the world where billions of dollars of damages occurred in about a 24-hour period. Today, cyber stories are on the front page of the news really every single day in the boardroom and at the senior executive levels. There's no question about the importance and the criticality of cyber, and in fact, there's even, you know, a great deal of willingness to spend time, money, energy and resources on cyber to try to more effectively manage these risks. So really a great deal has changed in the last 20 years.

Streeter  

And Kelly, what stands out for you?

Bissell  

We've seen also the big shift when it comes to the number of tools that a CISO has to stitch together. I mean, it's proven too complex, too slow, and too costly. Now, this is unsustainable to the CISO. But not just the CISO. But the CIO and the CFO. They're looking for a better platform, a more simple way that they can secure their environment at more cost effective approaches. So really, what we're talking about is how do we secure the inside better with less?

Streeter  

And are you really seeing clients now think about transforming and reducing risk while increasing business value? Do they understand the opportunity?

Bissell  

Very much so. We're in a new era, I would say, where many CISOs have already moved to that new way of thinking, transforming the way they think. And so really, what they want to do is figure out, how do I actually choose a partner that will help them in the long run, move from a best-of-breed, 83 tools on average, to a platform, so that they can actually fit these functions neatly together, and reducing that vendor footprint, will allow them to lower the cost, and be more agile as their business changes. And a nice side benefit of that is also addressing the talent problem, because if we have fewer tools, we need fewer people to manage those tools. So we couldn't really be more secure with less.

Streeter  

Interesting how simple that concept is. But Dave, would you say that cyber is really different from lots of other areas, in your view?

Burg  

Many of the business functions, if we look at the finance role, we look at a marketing role, a human resources role, they're a little bit easier to define. And they're typically solved from a technology perspective, with a uniform platform. Cyber is challenging, because cyber typically comes in and has to layer on top of other types of technologies, other types of infrastructure that were selected or chosen for really for reasons that did not have a lot to do with security. And so we look at cyber as really trying to layer kind of a patchwork of technologies to cover the entire landscape of the enterprise. And one of the problems with that patchwork is that not only do you have a lot of different kinds of products, but you also have seams between those products, seams. There's always some sort of size between them, a gap if you will. These are the kinds of things that the bad actors will look for. It's one of the things that bad actors will look for. So the cybersecurity professional has to figure out how to cover the landscape, make it all work together and have, you know, an analytic capability to be able to take information from all these different sources, and make sense of it all, prioritize actions, and then very quickly try to, you know, fix problems. So it's a very non-uniform, challenging and also constantly evolving space, because the technology that we use, literally is alive, it is constantly changing. So the security function, the cyber team has to change at the same exact speed as the technology changes.

Streeter  

So Kelly, what's your take on this? Why are so many companies clinging on to tech, which isn't suited to them? When they actually know they need to stitch together those seams to stop, as Dave's saying, the cyber criminals breaching them?

Bissell  

Well look, Dave's right. But it's because CISOs in the past had no choice, there was no platform that they could leverage. So they had no choice but to build all those seams that Dave is talking about. But today's different. I mean, at Microsoft, we started this journey of moving to a platform more than two years ago. So now customers have a choice, they can move to a more simple platform that makes them more secure, and more simple.

Streeter  

So Dave, what are you seeing now from some of the most senior levels in the largest companies in the world? How is this all playing out?

Burg  

Great question. Part of my job and responsibility is to go speak to typically public company boards in a variety of capacities, and in many industries and sectors. And so one of the things that I hear in these conversations increasingly is there's, as I stated earlier, there's a great deal of awareness of what cyber is, but there's increasing frustration about understanding the cybersecurity program. So what we'll hear is, yeah, we're willing to continue to fund the investment in improving or maturing a security program, but board members and senior executives are also saying, but I don't really understand the value that I'm getting from this. I don't understand the length of this journey, I don't understand whether or not the progress that's being made is happening fast enough. And so I would say I'm really hearing, and so is my broader team, we're hearing increasing frustration. I don't believe we're going to see a decrease in spend, at least not right away. But they're really looking to understand much more clearly the business story, that business rationale, inputs that lead to a question around the benefit, or the outputs from this focus. And from this effort, 

Streeter  

Would you say Dave that the drive is coming more from the CEO or the CISO? And then depending on the approach, how are companies reacting in different ways? How are they navigating this?

Burg  

Well, I think the two go together. And what I mean, what we'll hear and what we see are CEOs saying, Yeah, I'm gonna support the program and you tell me what you need. But then the CISO's got to respond and say, well, here's exactly what I need. And I think that what we see is not a perfect match between the two. Part of this is increasingly complicated by legacy decisions. So investments in certain technologies or security products, long time periods to integrate successfully, these products or these investments, the other, you know, big challenges, many of the large strategic decisions are made by a CEO or by a strategy team, for example, the decision to buy something, an acquisition, or to carve something out, a divestiture. And oftentimes, the CISO is really left to deal with the consequences of those decisions, sometimes without a lot of warning. So it's important to have synchrony between the two, I see a lot of reactivity as opposed to strategic harmony or hand holding on these kinds of big decisions. And yet, both at the end of the day have the same goal in mind. But it is a challenging process between these two very important functions.

Streeter  

Yeah, clearly very challenging. So Kelly, how should companies find a way through this potential confusion? And to what extent would you say they really need a long-term vision, particularly given pressures for cost control? 

Bissell  

They do need to take a long-term decision on this security platform, because the most expensive thing a CISO can do is rip out a product and put another product in place without any additional business value. The cost is too much. And so most CISOs have already started on this journey, they take really a simple four-point approach. One, they map out all their crown jewels, where their biggest, important data are across their network in business processes. Two, they keep in mind where the business is going, both short-term and long-term. It could be mergers and acquisitions. It could be R&D activities, it could be, you know, changes in their business. Three, they really sit down and figure out, how do I create a new strategy with great partners like Dave and others at EY. And they map out here's where they are today and here's where we're going to move onto a security platform like at Microsoft, to collapse all those 50 areas into a smaller group. And then they start moving toward that vendor consolidation at renewal. So when the vendor comes up for renewal, then they can pull it out, put Microsoft or another platform in place, and then they can start reducing CapEx and OpEx savings. And this goes back to what Dave was talking about going back to the CEO, and the CFO making a business case, to be able to secure their company for less.

Streeter  

To what extent would you say that if companies don't start moving, they could be facing a perfect storm? That's what it's been described as with so many factors colliding right now?

Bissell  

You're absolutely right. Look, the perfect storm, as I see it, is we have unsustainable cost and a lack of available talent. Two, we've got all these multiple tools that they have to manage. 83 on average, remember. So operationally that's difficult to manage. Three, we've got increased regulation with a lot more teeth than they used to be. So impact to the company. The attacker is getting far more advanced than they had before. So the perfect storm, all these things coming together at one time. And if they don't change the way they're protecting their company, they're putting their company at risk, too much risk. And so at the board level, you know, legal risk, regulatory risk and at the CISO level, so we really need to transform the way we think about security, so that we can keep our company safer. 

Streeter  

So, there's mention, Dave, of regulation there. What are your views on the significance of regulation and why companies should really be alert right now?

Burg  

Yeah, regulation is fascinating. I think it really is a double-edged sword. And what I mean is that on one hand, when we study the issues that companies and senior executives are concerned about, and we look back over the last decade, regulation and fear of over regulation is one of those top five issues, it has been sustained in that position, it likely will remain sustained in that position. But on the other hand, surprisingly, perhaps, it is regulation itself, that is driving many important actions and activities surrounding cybersecurity. What I mean is, in heavily regulated industries, for example, in financial services, specifically in banking, capital markets, we see waves of activity from bank regulators that put an enormous amount of pressure on the largest and most sophisticated, the most important banks in the world. What we see as a consequence of that, as the regulators perform what are called horizontal examinations, what they do is they will look at a cybersecurity function or other control functions. But for the sake of this podcast, they will look at cybersecurity functions, they will study the best-of-breed approach that they see. And then they will hold every bank accountable, really to the high watermark in that particular area of focus. And the results from that produce banks spending a great deal of time and energy focusing on improving deficiencies that they have in the program. What that leads to is arguably some of the very best cybersecurity capability, really, of any sector, or of any industry in that banking sector, because of regulation. So on one hand, it can be viewed as a nuisance, as a burden, and as burdensome. On the other hand, I think what we see in reality is that regulatory push, is creating some of the strongest security programs that exist.

Streeter  

Now Dave, there is already a huge amount of spend going on. Do you think we could see financial fatigue setting in, or is it already setting in?

Burg  

Well, I think it is setting in. I think that what's interesting is when we look at spend, particularly say over the last six months, and we're certainly right now in a challenging economic time, but when you look at spend on IT programs, versus the spend on cyber, we're seeing far more sensitivity around the spend on IT programs than we are seeing on cyber program. However, as I mentioned earlier, as Kelly discussed, what we hear from boards, and management teams, is this factor of we're spending a lot of money on cybersecurity, which really, we don't understand what the ROI is. And I think what we'll see as we work our way through this economic period of uncertainty is more pressure being placed upon cybersecurity teams and management team from the board to be able to demonstrate better results, better return on investment, better outcomes, from the billions of dollars that are being spent on cybersecurity technology, cybersecurity people and cybersecurity programs.

Streeter  

So given what you're saying there Dave, do you think Kelly that cyber should be seen more like R&D? And if so, in what way?

Bissell  

Yes, I think you're right. I think many people think that cyber is more like IT, meaning you set it and you leave it alone. But you're right, security is more like R&D, because it's really a journey where R&D accompanies, it never really stops. And same with cyber, it doesn't stop because the attacks continually change. The attackers are innovating. And on that innovation curve, you also have to travel that curve, so that innovation around cyber protections never change. So since the attackers are constantly changing, so must our defenses. And this is why security simplification is far more important because it's easier to manage a tech stack if we have fewer moving parts, and it'll give us agility. So as the company changes, as the attacker changes, we can pivot very quickly as a cyber team.

Streeter  

Would you say there is a bit of a fear of the unknown? Dave? I mean, the thought that complex webs might have worked so far, why rip it all up? Is that the attitude that you can see?

Burg  

It's a great question. I think the answer is that we do see that. Maybe the best area to illustrate that is in the area of operational technology. And what I mean is, it's the technology that is wrapped around many of the manufacturing and production environments for companies that are making really any kind of a product. And so what we hear from our clients, whether it's retail clients, whether it's industrial manufacturers, defense contractors, and beyond is that that environment, that operational technology environment, that manufacturing environment, it's very fragile. It works well. We are concerned about disrupting the way that it works by either upgrading the technology or layering additional security technologies. And that, again, could disrupt the lifeblood of these companies that must make product all the time, all around the world at very predictable rates. So yeah, I think that we certainly do see this sort of fear of the unknown, of making wholesale changes in certain pieces of technology, infrastructure, and operational technology is one of those grey areas.

Bissell

And I would say that the idea that complexity equals greater security is a fallacy. Or maybe it's an old way of thinking, because complexity actually causes risk. And we see it today where most breaches happen, because maybe they don't have multi-factor authentication turned on. They have poor password policies, simple configuration problems, lack of patching. These are the basics that are an outcome of complexity. So really, we got to move from complexity to simplicity. And so that old way of thinking should be thrown out the window. And we should move on this platform side. So we can really do more with less.

Streeter  

Dave I think it's important right now to address the concentration risk here. I mean, there is a worry that putting all your eggs in one basket means that you're riskier. What would you say to that?

Burg  

The concern that many would express is that if you consolidate down to a small number of technology providers, possibly even down to one or two, what happens when one of those one or two providers has some sort of disruption or an outage? And I think that's a, you know, it's a valid question. I think that what we, what we've seen, and what we think is important is that, in fact, that argument can kind of be flipped on its head, which is to say that an integrated tech stack, for the sake of this podcast, an integrated security stack, that has some sort of a manifestation of an outage or a weakness, must show resiliency. And what does that mean? Resiliency means a plan to very quickly recover, to restore, recover, get operational, but also, we must have the ability to be able to find an issue. Issues will always occur, and be able to correct it and correct it fast and comprehensively, with a high degree of confidence. So I actually think that the concentration risk argument is so important, because the inverse is almost impossible to manage. What we've seen, really over the last year, when some significant vulnerabilities have been identified, the lack of a standardized technology or security stack, created an enormous amount of effort and a low level of confidence that the effort to deal with or to remediate or to patch, or correct a vulnerability was, in fact, addressed comprehensively. So I think that this is one of the most important things that we're talking about today. And I think that the idea of moving to a unified security technology of a technology stack is extremely important for a lot of reasons. I think, again, it's that ability to be able to respond quickly. But the benefits of standardization of streamlining of simplification to the benefit of the business, as well as the business's ability to integrate new technologies and new services is a very, very important idea. 
And that's one of the reasons why we are so excited about working closely with Microsoft to address this very important question.

Streeter  

So let me bring in Kelly. Dave's talking about standardization, but I imagine a one-size-fits-all approach is not always the right strategy, given that all organizations' risks are different. So how do you learn from the individual company experience?

Bissell  

Right Susannah, look, there is not a one size fits all. The way we look at a customer that's a small or medium business is very different from a large enterprise. But we do have standard approaches, we have best practices. But we take those things and apply them to each company, so that they can manage their risks across their value chain. Because if we think about how a pharmaceutical company works from labs and research and joint ventures to clinical trials, manufacturing, distribution of drugs, that is very different from the way a bank works, or an oil and gas company, so I think to take standard approaches and best practices and apply them through the lens of industry, and the requirements of a particular regulation is exactly the way to approach this.

Streeter  

Okay, so let me bring back in Dave. So Dave, why would you say improving the portfolio is just so critical to increasing value delivered to the business? And can you give me say some examples where streamlining really has had huge benefits?

Burg  

What we see in the cybersecurity function is an accumulation of technologies designed to cover, you know, a piece of the puzzle as I described earlier. And so where we have worked with companies to help them rethink this, they're very surprised to actually see how much inefficiency is baked into the portfolio. What I mean is redundant technologies that do the exact same thing as another technology, perhaps there are many copies of that technology that are being licensed and operated in the environment, that's just pure, pure inefficiency. So you know, one of the examples that I can think of was, we worked for a very large energy company, we worked with them to inventory their security products. We found that they had well over 100 of them, and we helped them go down to far less than 10 of them. And it's a massive reduction in the complexity of that portfolio. And what they found was that as they reduced the number of security products, they were able to run many very fundamental functions far, far faster, so they became more efficient. This is the kind of demonstration of value that I think that the cybersecurity function must begin to show in measurable business ways in order to prove value.

Streeter  

So efficiency benefits, absolutely key to keep front of mind. Kelly, what else? I mean, what would you say an organization really needs to be focused on when simplifying their security capabilities?

Bissell  

As I mentioned before, really focusing on the crown jewels in understanding their current security portfolio. And then how do they rationalize that with a platform plan? And I've had customers say, Look, you know, we're a Microsoft first strategy, and then we tuck in other security products that maybe aren't on the platform, but really to take this, how do I simplify? How do I reduce cost both CapEx and OpEx? And how do we move forward through a business plan to the board or to the audit committee as the way to do it, and I have many, many examples where customers have saved, you know, 26%, of their security spend. And so they are using that money to fund other projects, so they can actually move in a better secure world, you know, for their environment. And so it's not only reducing costs, but also spending the money more smartly. And that's where we need to go as a company. 

Streeter  

And as we've been talking about, these are long-term considerations. So what is the technology roadmap they need to consider? It's not a short journey, is it?

Bissell  

It is not a short journey. It's two to three years. And this is where we have to really think about, again, a business plan for how to move forward with this in the right fashion, and the right order. And we really suggest they take a practical approach, you know, what tools do they have? Where do they up renewal? And how do I move that platform over time and chip away at that iceberg? But I think most companies can achieve this in four to eight quarters of their business to move to that simple approach with a more cost-effective view.

Streeter  

And do you think, Dave, if what's kept in mind is this fact that you can increase capabilities and reduce costs at the time, will help really speed up the decisions. Many onlookers would say just how is this possible?

Burg  

Yeah, well, I think that in some respects, this scenario that we're talking about, this business situation that we're talking about, and this is a business situation. In many ways, it's very similar to the introduction of the ERP platforms 20-25 years ago, and the wave of ERP implementation, and the idea there was to take complex systems that were managed by disparate applications that were not integrated with one another and integrate them into a holistic package. I think that cybersecurity has reached the point where we really need that kind of integration Kelly mentioned. I think one of the most important terms here is simplification. Simplification is very important to enable more and more automation, more speed. Speed is critical in cyber. When we talked earlier about concentration risk, a lot of the concerns around concentration risk can be addressed with speed. And what I mean is, when a vulnerability, when an issue, when a gap, an opening, that is able to be exploited, is discovered, the speed with which that hole can be closed, is critical. If the hole can be closed fast, the bad actor loses its avenue of attack. So I think that these ideas they go together, very importantly, I think that time is of the essence. Time is now to address this complexity challenge to move toward more simplicity. I think we need to do this now because the approaches that we've taken for the last two decades and this. When I think about what Kelly and I have seen in our own careers over the last two decades, you know, we haven't solved the problem. One of the ways to solve this problem, or at least to make substantial or more substantial progress, is going to be simplification, standardization, streamlining, so we can go far, far faster, and make the challenge that the attacker faces much, much more significant than it is today.

Streeter  

So in many ways, Kelly, these should be seen as competitive decisions, shouldn't they?

Bissell  

Yeah, that's right. It's a corporate competitive decision. So how could they not think about it just as a tech decision, but as corporate viability, a corporate competitive advantage? So security has to snap into that mentality. So not be stuck on your favorite product, but how do they move forward as a business case to be more simple, more agile, more cost effective, so they can enable the business to move forward quickly?

Streeter  

So ultimately, Dave, do you think we should look again, at how we view cyber. It's often considered as defensive? Should it be perceived differently?

Burg  

I think it should. I mentioned earlier, kind of the challenges and the conflict between the CEO and the CISO. So the chief information security officer, you know, part of the reason that that conflict exists is that the chief information security officer has historically been seen as the person that would say, no, you can't do that. And you can't do that, because it creates too much risk. I think that we can really perceive and we can view cyber differently. When we start to say, yeah, we can do that. And we can do that securely. And by the way, it won't slow you down, we can help you go faster and faster over time. So in other words, if we start to see and help chief information security officers look and operate much more like a chief technology officer that is an enabler of the business, I think we'll see cyber perceived differently, I think it is very, very important. And I think that not only is it important, it's part of the reason why this simplification theme is so important, you want to go fast, you want to be able to do more with less, you want to enable the business? Well, we've got to make significant shifts and changes away from the models of the past, which we talked about earlier. So yeah, I do think we've got, we've really got to work hard together to change the way that the cybersecurity function is perceived by the business.

Streeter  

And Kelly, we're coming to the end of the podcast. So just want to get your view on whether we're seeing real differences in the public versus private sectors toward security simplification?

Bissell  

Public versus private sectors, they're the same and different. They're the same because they all need to be secure in a more simple way. This is a systemic issue across the market, but they're also different. I mean, the way the public sector thinks about costs and compliance, they might trump specific product feature likes, so they actually probably put more weight for simplicity and cost control for very large private companies like banks, like Dave talked about. They actually may put more emphasis around compliance but also feature rich and so they do approach it differently, but I think across all private and public sector, they're moving down this path of being more simple, more cost effective, and so that they can be safe across their enterprise. And that is the key.

Streeter  

So we've talked a lot about simplification in this podcast. And I want some takeaways from you. Now, if you could give one crucial, simple takeaway to anyone embarking on this journey. Dave, what would it be?

Burg  

I think what it would be is imagine that you're going to be asked by your leadership team, to do more with less, you've got to be able to answer that question and answer that question now. So the takeaway is, anticipate that kind of question, whether you are the board member or the senior executive, or you're the security officer, you've got to be able to answer the question, How can I do more with less? How can I go faster? And that's where I think a lot of the strategy and the theory that we've talked about today can become practical, pragmatic, and practiced. And so I would focus on anticipating how to answer that question, and prepare to answer that question.

Streeter  

And Kelly, what's your big takeaway?

Bissell  

I totally agree with everything Dave said. My takeaway is the CISO should move as quickly as they can to move to this simplification approach. If they don't, management's going to ask someone else to do it. And you know, the way I see it, security is like an onion, there are layers of it, and at some point, they're going to cry. So they got to move quickly on to the simplification, do more with less approach, otherwise, somebody is going to ask someone else to do it.

Streeter  

Okay. Well, thank you so much, Kelly. I really appreciate it. And it's been really great to have you both on the podcast, Kelly and Dave, many thanks for all of your insights in such a fascinating discussion.

Bissell  

Thank you, Susannah. Super glad to be here.

Burg  

Yes, thank you very much, Susannah, and thank you, Kelly.

Streeter  

And a quick note from the legal team. The views of third parties set out in this podcast are not necessarily the views of the global EY organization, nor its member firms. Moreover, they should be seen in the context of the time in which they were made. I'm Susannah Streeter; I hope you'll join me again for the next edition of the EY and Microsoft Tech Directions podcast. EY and Microsoft. Work better, achieve more.