This column is part of our new series, ‘From the C-Suite’, focused on how leaders from the private sector are driving change and innovation in the national security and business security space. We’ll bring you insights on the threats as they see them and notes on their personal journeys, motivations, failures and successes as they navigate the national security space.
Kelly Bissell is Global Managing Director for Accenture Security. In his role, Kelly runs Accenture’s Security business, which spans strategic consulting, proactive risk management and digital identity to cyber defense, response and remediation services and managed security services – across all industries.
The Cipher Brief: A year ago, you wrote a piece about why CEOs should be the ones to fix the internet. The three key areas you hit on were active collaboration, connect and protect and innovate. Just over a year later, how has that concept evolved, and have you seen more CEOs adopt that mindset?
Bissell: I think most of the CEOs are now aware of the problem, when they weren't aware of the problem before. Awareness is the first step. Secondly, I think there are many, many more, cyber CEOs out there today. They know what the problems are with cyber and they know how they impact their business, so now they're pushing down in the organization around the things they need to do that really matter the most. It’s not just a compliance checkbox, but they understand the things they need to do across the value chain of their business from the refinery plant to the trading system to the gas pump, if you will. But there are still many CEOs that are not aware. They still think cyber is just an IT problem and some technical people will take care of it. So, there's much more to do.
The Cipher Brief: What are some of the more effective ways you've seen CEOs finally get that aha moment short of being hacked?
Bissell: It's like my grandmother used to say, "The smart person learns from somebody else's mistakes." There are many CEOs now who have lost their jobs and it’s not just the CEO but many executives across the board. Equifax and Target are good examples of that. This is really where CEOs need to take this seriously. Again, it's not an IT issue, it's a CEO imperative. They have to get educated and they have to get leaders in place who are driving this across their enterprise.
A practical example of that idea comes from a bank that decided to hold all of its line of business managers responsible for cybersecurity, one who is responsible for online banking, asset servicing, insurance, mortgage and loans, investment banking. So, all those leaders across the bank now have a metric when it comes to cybersecurity. If they're breached, their own bonus is impacted. That's how you get the organization to move, because it can't be just at the top and just at the bottom. It's got to be in the middle too. The struggle is that most CEOs are aware of it, now they've got to take action on it. And that example of holding those lines of business manager's responsible, that's a really important key.
The Cipher Brief: Many in our network, most recently General Keith Alexander, talk about having to have awareness at network speed. He's said, "If you've got a rogue aircraft coming into U.S. air space, we're able to monitor that in real time," was his example. And I still don't think most of the leaders of the organizations that aren't technically oriented understand the speed at which things happen and the speed at which they have to react. How do you talk about that with people and the speed that things are coming?
Bissell: Merck is a perfect example because that ransomware attack transitioned across their entire global enterprise, 43,000 systems, in two minutes. So, I think we've woken up the market. The industry has woken up to the fact that we have to operate at network speed in the way General Alexander mentioned and General Michael Hayden already told us "The cavalry ain’t coming."
So, we have to transform the way we think about how we protect an enterprise, whether it's a government or a company. I'll tell you that those series of events caused us to really think differently about how we detect and monitor on the inside and on the perimeter, which is where most companies do the monitoring, but also in the dark web. So again, General Alexander is right. We've got to operate at network speed, but we've got to go deeper if you will into that into where the attacks are formed.
The Cipher Brief: How do you help your clients think about that in terms of what defines a crisis for their company?
Bissell: It is what's going to disrupt your business to keep it from continuing or causing you to lose customers or erode their trust. What constitutes a crisis is anything that gets in that way, because it could be a supplier issue. So now you can't get raw materials to produce your product. It might be that your website's not available, it might be defaced, it might be an insider, like an employee doing something they shouldn't be doing, that erodes that trust. So, we keep it simple and whatever erodes the trust of your customer or your brand that constitutes a crisis.
The Cipher Brief: Bill Evanina always says, "America has an inability to not click a link." And if you think about pushing it down, I mean, how far do we have to go in this country when one person can do significant damage, maybe create a crisis like you've just defined it in this day and age, because it's only getting more complicated? Now we're talking about AI coming in. The attack vectors are just going to continue to multiply, come in from angles that you don't expect at speeds you don't expect yet we still have a largely uneducated workforce in terms of understanding it at a very basic level in this country. How do we?
Bissell: I think you said three things that are really distinct but connected. Human nature is we can't not click. So, let's not try to solve that problem. Let's create a compensating function so that we can actually protect around that click problem. The second thing is even with 7,000 cybersecurity experts in our firm, we can't do it by ourselves, we just can't. The problem is too big for any one company to do it by themselves. So, collaboration is critical. This is where you know Accenture and Microsoft and Cisco and all of these companies work together in unison, that's what has to happen. We're over the talking about it stage and now we're into the doing it stage, but we’re still in the early stages of doing it.
The thing that we struggle with as a country is the private and public connection because there's always a separation between the private and the public. But I believe this problem demands cross collaboration, almost seamless, in General Alexander’s term, at network speed.
And this is where the Department of Energy, DHS, FBI, US Secret Service, and some big players need to come together, and even little players come together to actually be fluid. That's what we've got to do. We're in the early stage of that.
The Cipher Brief: There are a lot of people outside of the cyber field, national security field, who don't want anything to do with the government and we've heard all the reasons why. Do you think it's getting better and what's it really going to take?
Bissell: I do. I think that the coalition of the willing is there. I mean, when I'm in a meeting with some of these people I’ll say, "I'm going to put a dedicated team and put money behind this to get it done." So, that's what it takes.
If we get a handful of players to make a commitment to do it, that's good. But, at the same time, we have a legal issue. We need a legal framework in which we can fluidly work across the transom without retribution.
That framework has to be put in place, and I can't do it. The government has to do that. And this is where I think we're having good conversations around the need for that legal framework and what we do, but not just with the U.S., but also with Interpol, Europol, because cybercrime is spanning the globe. So, I believe we have to start super simple and then we can build upon that as opposed to trying to build everything we could possibly need at one time. No big bang, but incremental is what we need to start with.
The Cipher Brief: Where do you see new trends developing that we're going to have to focus on pretty quickly?
Bissell: The problem, as I see it right now is, we had sticks and stones and then we had bows and arrows and then we had muskets and then we had better rifles and then we had machine guns, and now we've gotten to where we are today. We are no different in the cyber world around an evolution of weaponry.
And so, my worry is that today our attackers are a bit more agile and better funded as we all know, so they're adopting the new weapon. So, they're bringing a gun to a knife fight. We've got to figure out what is the better weapon, if you will, so that both the government and the private sector have to pour more into innovation around those new detection capabilities. Not only detection but even I would say prevention, detection and even disguise with software defined networks and a bunch of other things. So that's sort of the playing field, if you will. What I worry about is that these advanced technologies will get the bad guys deeper into firmware, into hardware manipulations, not just the software stack. They're getting deeper and deeper and deeper into memory and so forth and we have to as well.
And then we have to think differently about how we change the problem around the data? Maybe we need to look at the data differently. Maybe we need to auto detonate the data where we don't really do that much anymore. So, when you copy the data, if it leaves the realm, maybe it self-destructs, if you will.
I think we just have to think differently about the problem and how we might make it safer while we create advanced capabilities to defend.
Editorial note: Accenture Security is one of the corporate sponsors of The Cipher Brief Threat Conference September 13-15 in Sea Island, GA.
Read also 'How Recorded Future Sees What's Ahead' from Recorded Future CEO Christopher Ahlberg
Read more expert-driven national security insights, perspectives and analysis in The Cipher Brief
