CyberArk’s Thomas Fikentscher and Pronto Software’s Chris Dickinson talk regulations, identity management, and the tricky issue of cyber insurance.
At Cyber Security Connect, we often hear from companies in the industry, but what about the companies that rely on that industry?
We were recently lucky enough to grab some time with CyberArk’s regional director, Thomas Fikentscher, and Chris Dickinson from Pronto Software, one of CyberArk’s customers.
In a wide-ranging conversation, we talked about the impact of the current cyber security environment on business, the importance of identity security, and how the insurance industry is helping – or hindering – Australian businesses.
Cyber Security Connect: So Chris, one thing I’m curious about is what is the current state of cyber insurance when it comes to a business of your size? Has it changed recently, in how it impacts your ability to secure your company?
Chris Dickinson: There have been big, significant changes in the insurance side of things just in the last 12 to 18 months, where a lot of organisations were believing that they were kind of covered but their insurers have slipped in some changes into their professional indemnity insurance that excludes all cyber events. So now we’ve had to, as an organisation, go to a broker – the banks are very much running scared.
And so, cyber insurance is one of those things that you can either pay a lot of money for or you just go without. What that meant for us as an organisation is that we’ve had to essentially front up to a panel of multiple insurance companies to find someone who would be prepared to actually insure us. And what that means is that we’ve now got to justify our existence in the world. And what we do as an organisation and the security of the organisation, not necessarily from a technical perspective, but the security of us as an organisation and what we do.
We’ve had to go to extreme lengths to prove our capability and along with that comes all our compliance that we have to do – our ISO certifications and auditing that we have to do every six months – and talk about the technologies specifically that we have inside our technology stack overall to prove that as a service provider for financial information that we are doing everything that we possibly can do to protect our company’s assets and our customers’ assets.
So, it’s actually been quite an ordeal and lots of questions, lots of questionnaires, lots of fronting up to insurance companies, lots of risk assessments, you name it, before the insurance companies will actually even talk to you. So it’s been quite … I’m gonna say, excruciating, because you can’t just go and say “Hey, I just want $20 million worth of cyber insurance,” you know. Now you’ve got to actually negotiate and beg and say, “It’s okay, don’t worry, we’re doing things in a secure manner.”
This is putting a lot of pressure on Australian organisations, but also particularly on organisations like ours, in the service delivery that we do, because our customers expect cyber insurance.
CSC: Has the last year or so been a real wake-up call for this kind of thing? Was this something you were worrying about before Optus and Medicare hit the headlines?
Chris Dickinson: Cyber insurance, in particular, is always something that we’ve gone, “Okay, what coverage have we got?” And what’s interesting is that we believed previously, with the way the insurance worked, that professional indemnity insurance would cover us from an overall liability perspective, and we used to carry hundreds of millions of dollars of professional indemnity insurance.
But then, all of a sudden, you realise that, well, actually you’re not insured anymore. You’ve really got no coverage whatsoever because previous cyber insurance policies would only cover you for your own internal costs. Now there’s a liability argument there within the organisation and our customers. So many companies are probably going to find that they’re going to be left short – unless they review their cyber policies. It’s certainly something that we’ve always been doing and actively been carrying for some time, but now we found ourselves very much underinsured.
CSC: Where does a company like CyberArk fit into this problem of helping a business navigate that kind of landscape?
Chris Dickinson: What’s interesting with insurance companies now is that there’s very much a strong IT focus. Once, I guess, it was probably a whole bunch of risk and compliance people and lawyers, trying to design insurance policies. Now, there’s very much a deeper technical aspect to it, where we’re dealing with technical specialists who understand it and they understand privileged access, and they understand super user accounts, and all these sorts of things.
So, you get challenged a lot more and for us, with CyberArk, we’ve been able to show that we are treating and managing our privileged access accounts in an appropriate manner. You know, we’re not just taking a loosey-goosey type approach to it. We’re actually managing, maintaining, monitoring, and protecting the key, because, you know, every breach generally comes down to the usernames and passwords, right? So we have to make sure that we protect the golden keys in an appropriate manner and that’s really what CyberArk is now doing for us across the company.
CSC: So identity security is the key thing to keep an eye on at the moment – can you or Thomas dive into that a little bit more? Either you or Thomas?
Chris Dickinson: Identity is one of those things that … Once upon a time, say, there was a system administrator account or sysadmin account. That sysadmin account was very much shared and there was very little control over it. We went on almost a trust model, to say, “We trust you as a person with those credentials,” right? Where now, you can’t take that approach. You can’t look at it from the point of view that I trust a human being anymore because, you know, unfortunately, human beings are fallible.
So, now, we have to put a lot of technology wrapper around it to make sure that the person who’s got access to those very key credentials is the right person, they’re authorised to do it, and we’re watching what they’re doing and that’s for their benefit as much as it is for the company’s benefit.
We need to be able to protect them just as much as protect the company.
Thomas Fikentscher: From a technology perspective, identity security is important, but I think if you analyse the root causes of breaches for the last two years, three years, four years – however long you go back – you will find that they almost all start with a breach of identity. So that’s the source of the problem. And you know, everyone now knows that.
I think across all industries, across all professions, people have understood and have come to a conclusion that this is super important to get right. Chris is correct – if you go back to the old corporate-centric networking protection model, it was a little bit easier to manage. We all know that we live in a world where you want to have access to everything from every place around the world at every time of the day. And that’s how business is done. And we know that digitisation obviously drives these access points as well.
So that’s all identity because identity connects us to our devices and those devices talk to other devices. You’ve got this concept, David, of digital transformation, which ultimately means the connecting of things weird and wonderful that didn’t use to be connected. Why do I have to connect my fridge and do something with that – everything somehow gets connected. So identity, I think, from that perspective, I strongly believe, is at the heart of it all.
CSC: So if you get that right, everything else falls into place?
Thomas Fikentscher: Well, yeah, it’s not that simple, but I think it’s a good starting point and foundation for cyber security.
Chris Dickinson: Yeah – I mean, it’s security and credentials. And it’s not that complex, really. Because if you think of yourself as an individual, you’ve got keys to your house. Who do you trust with those keys, who are you going to allow into your house with those keys – proper identity access management is all about that, right?
It’s all about, I’ve got a set of keys to get into my private assets or corporate assets. Who am I going to trust with that key? You know, your mom and your dad, you kind of trust they’re never going to do anything wrong to you, but your neighbour … you probably think twice about that. It’s a simple concept really, but we trust, inherently trust, people way too much, unfortunately. And nowadays we just can’t do that.
CSC: Chris, you mentioned regulations earlier. Do you feel the government’s doing enough to support businesses of your size when it comes to the regulatory environment? And to tell you what’s expected and required of you in those regards?
Chris Dickinson: I think part of the problem is they’re making it up as quickly as it goes along. Right? And I think they work from crisis to crisis, and then they realise that they’ve got to tighten the screws up but they don’t really put any forethought into it. We have a lot of dealings with the ATO, for argument’s sake. And because part of our software is single-touch payroll, and we’ve got interfaces to the Tax Office, if you look at what they’re actually doing and making us do, it’s clearly coming from a legalistic background, right? They’re clearly not understanding identity and identity access, because they just say, “Well, you just got to do this and right…”
Well, hang on a second, it doesn’t work that way in the real world. And so, they’re making you jump through hurdles and putting more governance and compliance and structure around things without necessarily thinking about the practicalities of it, and how it’s actually going to function in the real world. And the challenge you have is that you’re arguing against lawyers, which makes it very, very difficult from a compliance perspective, and some stuff that they actually do is just completely brain dead and I don’t get it, but you know, we have to comply, so therefore, we must do it.
So I think governments are doing the best they can but they are very much making it up as they go along.
CSC: Thomas, I imagine you have some thoughts of your own?
Thomas Fikentscher: We get bombarded with compliance and new frameworks – the problem is, they’re not necessarily aligned.
I think the overall holistic strategy is a little missing. We still have a lot of different industry-specific stuff – that’s happening. The Australian energy sector has their cyber security framework, right? It’s a bunch of Excel tables with lots of security controls you have to look into but how is that aligned to the Essential Eight, which is more from a federal perspective or standard? Is there overlap, or is there a difference in there? So I think that sort of bigger vision of what that’s going to look like is missing and everyone is trying to catch up.
Then you’ve got the banking sector – only APRA regulated, right, and APRA has prudential standards, they come up with specific stuff. The latest one is CPS 231, because they realise, hang on a minute, it’s all third-party risk, right? It’s actually not the banks themselves, it’s the surrounding ecosystem. So we need to force them into operational risk management of third-party risk. So Chris is right, it’s a little bit on-the-fly. It’s driven by the events of the day, but it’s not necessarily synchronised across those different sectors.
Chris Dickinson: I think it’s all too little too late as well. I think the problem with privacy and identity access, and identity fraud, and all those sorts of things … We’ve allowed, social media, we’ve allowed all these different platforms to share content, and now they’re trying to wind all that back a little bit and say, “Oh, hang on a second – we’ve got to take privacy seriously now.”
I think we’re just constantly playing catch-up.
CSC: There’s a saying when it comes to military matters, that you’re always fighting the last war. And that sounds like exactly what you’re describing here – this is all just catch-up. There’s no ability to look forward to see what’s coming down the track.
Thomas Fikentscher: Data privacy laws are an interesting point. If, as an organisation, I collect a lot of information about customers or my partners, I should have an obligation to run some rings of security and controls around that – it’s not necessarily a novel idea. But we’re finally caught out because, again reactively, the stuff is being stolen now. Right?
So a threat actor extracts the data and then publishes it on the dark web, and … “Hang on, we have a problem!” I mean, that’s very reactive. And you look at record-retention policies across Australian industry sectors – that’s a dog’s breakfast. Everyone has their own policies. There is no clarity. “Oh, I have to keep this one for seven years. I have to keep that one for three years…” But based on what principle? Why do I have to keep marketing information when I go to the electronic store for seven years? I don’t get that.
So for me, there are, again, no clear guidelines when it comes to that. So I think it’s one of the reasons why we are one of the most attacked countries – because the adversaries know that it’s actually a patchwork and it’s not really very concise.
CSC: So what’s the solution to that problem – get you guys in the government to fix everything up? Is there actually a silver bullet solution?
Thomas Fikentscher: So from my perspective, there’s no such thing as a silver bullet. You have to chip away at the problem.
I think there is certainly an increased amount of dialogue and coordination, even at the federal level right now, to try to harmonise things a little bit more and I think that will probably gradually get better and we might see many more comprehensive policies.
I was very encouraged to see a significant turnout of people at our recent event because you can see that the community is interested and people are getting into that space – it’s growing and that can be a good thing. I still believe that the business side needs to come into the game, not just the technologists, the businesspeople need to acknowledge their responsibility and be part of the community. That will make life so much easier because the decision-making will be faster. I think the policies will be clearer.
But it’s not all doom and gloom!
Chris Dickinson: Yeah, 100 per cent.
If your board is not having these conversations at the business level, then you need to get rid of your board. Because this has to be at the top and they need to recognise the problem for what it is in our digital landscape. And they have to take full ownership; all too often it still remains at the IT manager’s level to ask, “Oh, is everything secure? Are we okay?” And of course, he says, yes, it is.
But then they get breached and then the board ends up in a lot of trouble, but the board needs to be guaranteeing. You’ve got to have a governance structure in place, they’ve got to make sure that they’ve got the checklists, and that they don’t just take it for granted that you’re protected and secure. Make sure that it’s actually being carried out – and the only way you can do that is through good governance, compliance, and auditing.
CSC: Thomas and Chris, thank you so much for your time.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.