Ian Murphy: In this podcast Kai Grunwitz, Senior Vice President EMEA at NTT Security, talks to Ian Murphy at Enterprise Times about the NTT Security Risk:Value Report 2019.

Kai Grunwitz: My name is Kai Grunwitz. I've been with NTT Security for five years now. I'm heading up the business in Europe and I'm pleased to be here with you, Ian.

Ian Murphy: You've just released the fifth Risk:Value Report. What's interesting is that you looked at people outside of the IT function. Can you give us a bit more of a view on what you did with the report?

Kai Grunwitz: Yes. First of all, we have increased the number of interviews we have conducted this year. We have moved to more than 2,200 interviews worldwide, adding some new countries to get a different perspective on the perception of the business towards the IT security space. Normally, you have the IT guys talking about cyber security and not the business talking about cyber security, and sometimes there's a disconnect in this perception. So, for us, it was important to increase the number of interviews as well as to focus on the senior management, because the senior management is the driver of the business but is also the owner of the risk management. Therefore, it was an important perspective for us to focus on the business side.

Ian Murphy: We have a disconnect between the business and the organisation and that's because IT thinks it's doing a good job on cyber security but end users often have no clue as to what's going on. What did the report show?

Kai Grunwitz: First of all, we see the perception of the senior managers on the business side is that they think the cyber security situation has not improved in the last year. So, we are a little bit paralysed on that side, which is in fact not what we see in the day-to-day business, because a lot of things are moving, especially since we have introduced GDPR. A lot of things are in motion right now. The senior managers are more conservative in their perception of cyber security on that side. On the other hand, we also see that they are sometimes over-optimistic about how secure their data is and how well they are prepared for incidents. It's a very interesting perspective compared to the pure IT security perspective.

Ian Murphy: One of the challenges of disconnect is the impact on incident response. We all know we're going to get breached at some point. The question is, when we've got a disconnect between the business and IT, how do we begin to deal with this?

Kai Grunwitz: You touch on a very interesting point of the risk review here, because 52% of the respondents said, "We are well-prepared for an incident right now. We are ready. We have prepared everything and we can handle that." Last week, we had the ISW in Frankfurt and the cyber security experts have said 53% of all companies are not ready for an incident. So, we have a kind of dilemma and that leads in the end to some big challenges when you really have an incident. If a couple of people are not available, they don't know what to do and the company is running in a kind of headless chicken mode for a while and not responding in a professional way to the incident, because the top management is not ready for that. I think here we see a massive dilemma sometimes in day-to-day life.

Ian Murphy: But how do we do better at that? Incident response is incredibly complicated. It's a very fluid situation. The idea that we create a plan today and in nine months' time we have an incident and that plan is perfectly executed doesn't make any sense. What are you seeing that people are doing well and what are you seeing that people are not doing well?

Kai Grunwitz: Looking back at last year, I see more and more companies are professional in the way they communicate when an incident happens. Not only driven by GDPR, where you have to report and communicate in the proper way, but also they are better organised with the marketing teams and PR teams to have the right information in front of the press, in front of the customers, etc. On the other hand, we still see the recovery mode is not well organised. A lot of people don't know what to do and they don't know who has to do what. You just touched on that point, because a lot of people don't know that they're part of the incident response plan, or people change their roles within a year and they have a different role now and they don't know that they're part of the incident response because they've moved into a new role.

The incident response plan is not a static thing. It has to be tested as well. It's not something you can put in a drawer and then pull out when it's necessary and start working on it. You need to test it like a fire drill. The people have to be aware that they're part of it and if something is not working, you have to improve it. It's a continuous improvement exercise as well. This is something we don't see; the companies prepare something and never test it.

Ian Murphy: But how do we make those tests worth any value? We can all sit around a table with a set of folders and read from a script and say, 'This has happened, this is what I will do.' The reality is, when it does happen, people don't have that folder in front of them. They may not even have access to the IT systems or the plan itself, so how do we educate them so that when something happens, they know what they're doing, and how do we make sure the people who've got to do something know that, as part of their role, this is their responsibility?

Kai Grunwitz: The first thing, you already answered. They have to teach them that they are part of that and they have to be aware of what their role in that process is. Storing the stuff on the servers might not be the best idea. On your laptop, if it's encrypted, that's even better. In reality, I think that's the first challenge: that the people who are part of the incident response process are trained, and in a continuous way. It's not once in a while. Things change, IT systems change.

A simple question: how do you communicate when you have an incident? You cannot rely on the email system anymore, so the people have to be aware of what the communication method is for us in the future. Do we have an external email system? Do we use only hand-written notes or something like that? It can be part of the policy and the procedures. This is an important point, that the people are also aware when you make changes to the procedures. We need regular sessions with the incident response teams to come together, not only to do tabletop exercises. Sometimes it's also good to combine that with a red-teaming and blue-teaming situation to see how they can really defend and respond if something happens.

It has to be a test as close to reality as possible. We cannot do everything on that side, but the simulation has to be like a fire alarm. When firefighters run into the houses, they test everything like it would be a real fire. That's something where we have to start working on cyber security as well, because quite often the incident response plan is just a plan. It's a piece of paper because you need to be compliant. You need to have an incident response plan and people have to prepare for the worst case.

Ian Murphy: If I'm an attacker, the one piece of information I want is a copy of your incident response plan because I know what you're going to do. Are you going to disconnect all your systems? Are you going to call in the police? Would you pay a ransom? All of these things are gold dust to an attacker. So, how do we create that plan, distribute it to everybody involved, which can be tens of people inside a large organisation, but at the same time keep it secure?

Kai Grunwitz: That's a good question, because if two people talk to each other they can keep something secret, but if it's three, it's already one too many. Therefore, it's always a challenge to communicate such things in a confidential way. You can create secure environments for these communications, create a kind of secure zone and highly confidential environment. You have to be invited to have access. You cannot distribute any data out of the secure zone. That's, for example, one thing you can do.

We have to classify the information like we do with everything. What is the risk? How do we protect it in a proper way depending on the relevance for the company? So that's the normal procedure for me. You should consider the alternative communication methods. Do you want to have a Bitcoin account? You raised the question about whether we want to pay a ransom. In the report, we saw that a lot of people are ready to pay a ransom and therefore it's an important point you have to clarify upfront. So, a pretty clear strategy for me.

Ian Murphy: There's a tendency with things like disaster recovery, as we've seen in the past, to just say, 'Oh, we have a plan' or buy a plan off a shelf because that ticks a box and we can say, 'We're compliant.' When you talk to customers, how often is there a feeling that people are simply saying, 'We have a disaster recovery plan,' because it ticks a box rather than because it means something?

Kai Grunwitz: Quite often, honestly. I have the feeling that a lot of people are driven by GDPR and other regulations. You need to have an incident response plan. So, a lot of people invest in that. They have external consultants, internal people assigned to that. I think they all hope that they will never be hit by a real incident. I see quite often a tendency that compliance is the main driver for the incident response plan and not making the company more secure. My strong recommendation here is to use compliance to drive cyber security, to make the company more secure, in line with your business requirements.

Ian Murphy: We know that compliance has become quite a burden for companies but it has a lot of import. GDPR is a very good example of this. Since Europe went live with GDPR, we've seen Singapore, Australia, the state of California, India and other countries take that as a blueprint to build their own privacy and compliance regulation from. Yet, when we talk to companies, the global understanding of the importance of privacy and GDPR seems to be very low.

Kai Grunwitz: Absolutely, and that's a big surprise of the report here, because only 30% consider GDPR to be relevant for them, and that's a big surprise because four out of five respondents said that compliance is a big and important item for their company. By the way, Japan has become a secure third-party country for GDPR, so in Japan, too, it's getting more and more traction. That's surprising because a lot of people, especially the business owners we have asked, are not really aware of how GDPR blends into their business, what it means, even with all the discussion we saw about penalty fees, which are still significant.

This is a very surprising finding, as you outlined, because GDPR has really made a huge impact on a global level. It has also improved the situation in cyber security from my perspective, because cyber security has become a broad topic. Cyber security is now at the table with the big guys, so they talk about cyber security from the beginning of transformational projects. If you want to go into the cloud, you need to make sure that you evaluate the risk associated with that based on GDPR as well, to make a risk impact analysis and then decide if you want to move into the cloud or not.

Ian Murphy: When we look at the impact of a breach or the impact of an incident, we tend to think, 'That's going to hurt a company badly.' We talk about reputational damage, we talk about damage to share price, we talk about financial damage. But when we look at some of the biggest incidents over the last few years, Marriott Bonvoy, Sony, Target, we see a different picture, don't we?

Kai Grunwitz: Absolutely, because the short-term hit is compensated in the long run, and they have all increased their share price; they have increased profit again, so it's a short-term hit. The customer confidence and brand reputation impact that 50% of our respondents raised as a main concern with a cyber hit is only a short-term hit.

If they handle an incident in a proper way, communicate in a proper way (and all companies have become better), and do the mitigation in a proper way afterwards, they can compensate for that and prove that they really care about the data, because everyone can be impacted by a cyber attack nowadays. You can turn that around and give it a positive spin: take the incident response plan as a key cyber security improvement methodology and not as a compliance tick box. In the long run, it can be turned into an advantage.

Ian Murphy: With Yahoo, we saw 350 million wiped off the sale value once some of the breaches were announced. With Marriott Bonvoy, we know that part of their problem was supply chain related. How do we begin to move cyber security up the agenda during the mergers and acquisitions process?

Kai Grunwitz: That's a good point. In due diligence, my recommendation is always to include cyber security due diligence with the target company, because quite often you don't know what you inherited on that side. Therefore, it has to be included during the acquisition process and it should not be just a checkbox. Companies should look behind the curtain and understand how seriously the target company is really taking cyber security. I think it should be as important as a normal financial risk evaluation. We need a cyber security risk evaluation during that period.

Ian Murphy: It's very easy to take a report like this and pull out big numbers and say the sky is falling. The problem is, this is an industry that likes to say the sky is falling because customers go out and buy things. How do we get more professional in our sales? Because sometimes it's not just about selling something to a customer, it's about telling them the truth as to where they are and whether this will solve their problem.

Kai Grunwitz: Absolutely. There are two effects I see right now. One is, we have a technocentric approach in cyber security. We always have a tool to fix one problem instead of building a holistic strategy and seeing how you can substantiate that with the right solutions and use what you have implemented to protect your investments, because quite often you have the latest technologies and we jump on it, bam.

The other thing is, sometimes it's not easy for a consulting company to be honest, because the client expectations are different ones. Sometimes you have to tell them, 'This will not work.' Also in cyber security, we have quite often been in a situation where we try to please clients instead of telling them that this will not work, especially returning to our incident example. If the clients are not ready to listen and ready to follow the tough decisions, sometimes it will not work out. Then you have to tell them it will be a failure in the end and therefore, for me, it's very important that in the sales stage we are pretty clear about what could work, what could not work, whether you need a new technology or you just have to re-work what you have already bought in the past.

On the delivery side, sometimes you have to be in a position where you walk away and recommend finding another partner because you cannot be successful together. It doesn't happen very often, because most of the time, from my experience, the clients are really open to an external consultant with broad experience, global experience, but sometimes they dislike what they hear. That's always the toughest part of the consulting work, to tell the clients something that they don't want to hear.

Ian Murphy: The reason I raise this question is the amount of data now being pushed into the cloud. Customers seem to be taking the view that if we move the data to the cloud, it will be more secure. Now, on one hand, we can argue that the cloud companies have the staff, they have the technology, they have the ability to better protect that data, but as companies do that, they also seem to think that pushes the responsibility, the ownership of the problem, to the cloud companies. When we turn back to compliance, that's clearly not the case. You cannot abdicate your responsibility. Do you find that the mid to large enterprises are falling into this trap of, if I push it to cloud, I'm no longer responsible?

Kai Grunwitz: Sometimes that's in fact the case. It's not a general statement, but you see that with some companies, especially due to the fact that sometimes the cloud strategy is not fully controlled by the CISO or cyber security organisation. The departments make their own decisions to use specific software without involving the cyber security department. This is sad, but it is still true that it happens and builds this kind of shadow IT and shadow cloud environments. So, that's one aspect of that.

The other aspect I see is that all cloud providers have a clear demarcation line of what you have to do and what they do. Quite often, I get the impression that the clients ignore this kind of demarcation line. They really think, "They do everything for us. They handle the data, we are not responsible for GDPR anymore." They don't close the doors, like the S3 incidents we had quite often with AWS, which was not an AWS problem; it was a misconfiguration. That's always the same problem. It's a misconfiguration.

You cannot pass over all responsibility for this. You're still responsible for the data, the access to the data. You're also responsible for managing the identities, etc. So, there are a lot of things you have to take care of and you have to consider it in your cloud strategy. GDPR will not forgive that. We're working currently, as you know, on a kind of certification for cloud providers. It's still in a probation period, but we are working on that to make sure that cloud providers follow all the rules to be compliant with the GDPR regulation. On the other hand, the clients have to do their homework as well. So, it's a win-win for both if you do it right, but you have to take your own responsibility as well.

Ian Murphy: The Risk:Value Report 2019 is a very large document. A lot of customers are going to pick it up, look at it and go, 'Where do I start? What applies to me?' Where do they start?

Kai Grunwitz: That's an interesting question, because I looked at all the 80 or 90 questions and said, okay, where to start? First of all, we have categorised it by industries. I would recommend starting with an industry and country comparison, because we have country and industry data included, and comparing how you see yourself compared to your country or to your industry, so that you have a kind of benchmarking.

You have to read it in a very honest way, because no one will ask you to answer the questions and you'll always have the tendency to answer a little bit more positively than you originally think about it, because you don't want to expose yourself. So, take that into consideration while reading the data. I would start with the perception of the business leaders about the current threat exposure and the readiness to handle the incidents and then follow step by step. I would not start with the information security policies, because I can only repeat that compliance will not make your company more secure. Therefore, start with the meaningful information about how to handle incidents.

Ian Murphy: Sounds like people have got a lot of reading ahead of them.

Kai Grunwitz: Oh yes, oh yes.

Ian Murphy: Kai, thank you very much.

Kai Grunwitz: Thank you very much, Ian, for the conversation. It was a pleasure, as always.