ISMG Editors: IBM Report Says Data Breach Costs Are Rising
Also: Check Point's New CEO; How the US Election Will Affect Federal Cyber Policy
Anna Delaney (annamadeline) • August 2, 2024
In the latest weekly update, Information Security Media Group editors discussed insights from IBM's data breach report, significant leadership changes at Check Point, and the potential impact of the upcoming U.S. election on federal cybersecurity policy.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday and Europe; Michael Novinson, managing editor, ISMG business; and Chris Riotta, managing editor, GovInfoSecurity - discussed:
- The new study by IBM revealing that the average cost of a data breach has risen by 10% to a record $4.9 million and that involving law enforcement in ransomware attacks reduces costs by $1 million through faster resolution and a lower chance of ransom payments;
- Firewall giant Check Point Software's choice of the former head of an Israeli cybersecurity incubator to be the second CEO in its 32-year history;
- The many uncertainties in the upcoming U.S. election, including Vice President Kamala Harris entering the race and the potential return of former President Donald Trump, which raise questions about how these developments might affect federal cybersecurity policy.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the July 19 edition on what the CrowdStrike outage taught us so far and the July 26 edition on the CrowdStrike outage - one week later.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm Anna Delaney. Today, we'll discuss insights from IBM's data breach report, significant leadership changes at Check Point and the potential impact of the upcoming U.S. election on federal cybersecurity policy. Our fantastic team today includes Mathew Schwartz, executive editor of DataBreachToday and Europe; Michael Novinson, managing editor for ISMG business; and Chris Riotta, managing editor for GovInfoSecurity. Wonderful to see you all.
Chris Riotta: Thanks for having us.
Michael Novinson: Thank you!
Delaney: Mat, IBM has released their data breach report revealing an increase in the cost of data breaches. As someone who covers data breaches daily, are you surprised by this, and what other insights can you share?
Mathew Schwartz: Am I surprised? Let's look at some of the findings, and then maybe we can look at some of the takeaways from that. And an interesting topic to start the discussion, because this is the annual cost of a data breach report that IBM does, and it's the 19th year that it has done it. So, I like to caveat these kinds of reports by saying, okay, a million here and a million there. We hear all the time like cybercrime is whatever trillion dollar problem - that's a bit highfalutin, not so useful. What I do find useful about studies like this is we can look at year-on-year changes, and one of the changes here is that the average cost of a data breach by organizations that suffer a data breach that isn't too big, and we'll get into that in a second, has gone up by 10%. So, if you have a data breach, you're likely to have to pony up an average of $4.9 million if records have gotten stolen. One of the interesting takeaways in the report for me is how do you drive that cost down? Obviously, there's a lot of things you can do to try to prevent a data breach, but if that's failed, then what happens next? And one of the interesting findings was if ransomware has occurred and you get law enforcement involved, you're going to spend nearly a million dollars less on your recovery. And this speaks to a lot of what we've been hearing in the last few years, especially around the help that the FBI can provide. That help isn't just coming in and trying to bust the bad guys, it's telling you how to respond to get the best results. And presumably they're trying to pick up some evidence as they go. This also apparently leads to many fewer organizations paying a ransom, which is also great news in terms of the cybercrime ecosystem. Every organization that pays is directly funding cybercrime and gangs' ability to hit future victims. So, it's not a good thing.
The other thing that drove down costs, which was interesting, was organizations using or having managed security service providers who use more automated tools. So, the language of the report is artificial intelligence or AI automation - anything that helps you spot things more quickly and automatically. This also helps drive down costs. It helps organizations find a breach much more quickly when it does happen, which can also drive down costs, and also helps contain things more quickly, which is obviously very desirable. So, I thought those were two great findings. The flip side of it - what leads to higher costs? And the study found that 40% of breached data was being stored in public clouds. When this did happen, it led to higher costs - on average, $5.2 million per breach, as opposed to $4.9 million. Also, breaches involving shadow data took longer to identify and contain. So, this is another thing to worry about. We've had shadow IT, but when it comes to breaches that can cause shadow data, meaning the IT and security teams don't know the data exists, they are not necessarily enforcing the organization's own security policies to protect it, or when a breach happens, not being able to quickly figure out what went wrong as well as what attackers may have accessed. So, what helps drive down costs? Law enforcement and more automation. What can drive up costs? Not knowing where your data is; so, obviously find your data. Try to have better oversight of all of this, especially if it's in the cloud. Some nice takeaways from the report is that we get some dollar figures as well, which can be useful if you're trying to budget this out and warn senior managers about the risk that all this poses. But again, actionable advice always helpful.
Delaney: You mentioned law enforcement there. Talking about incident response strategies, how can organizations optimize their incident response strategies to minimize the costs and impact of the breach?
Schwartz: We've been hearing for a long time that practice makes perfect. While it's not necessarily perfect, it's a lot better than not practicing. So, for a long time in terms of business resilience, of which cybersecurity is a component oftentimes, we've been hearing that you need to practice things that can happen. So, in the event of a ransomware attack, what happens next? Very often, the response is not going to be just IT, not going to be just cybersecurity. You're going to need the legal team and crisis management. You're going to want senior management driving from the top, possibly the board of directors having input there as well. So, by practicing, you get better at handling the outage when it happens, knowing who to contact in the first place as well to speed the response. So, this is a case of don't go for perfect. Just jump in here, practice and continue to practice, continue to refine because things change.
Delaney: What do we know about organizations' spending habits right now? What are they prioritizing?
Schwartz: That's a difficult question to answer, and IBM, to its credit, did ask that question here in the context of if you suffered a breach, are you more likely to spend more on security? And two thirds of firms said yes. Now, wouldn't it be great if they had spent that before they got breached? Definitely yes. When they are increasing spending though, about two thirds of them are saying they're also going to increase it for events, for incident response. Again, these tabletop exercises, these capabilities to respond more quickly. So, reading between the lines, they didn't think they had what they needed, and they're trying to bolster that. So, the message here for other organizations is maybe trying to do that in advance.
Delaney: Very good. Great advice. Thank you for sharing Mat. Michael, Check Point is getting a new CEO. Tell us about him and how this new hire might impact the company.
Novinson: Absolutely, and thank you for the opportunity. So, I am going to get to that later, but first I'm going to talk about another CEO change, and explain how that got us to where we are now. So, that's talking about Check Point's biggest, most consistent rival - that's Palo Alto Networks. Similar to Check Point today, they found themselves at an inflection point six years ago. They, like Check Point, started as a firewall and network security company, and it's been clear for a number of years now that the world's changing. People have now started working remotely as well. Firewall hardware was not going to be the way in the future. So, all of these companies that were born in the firewall era had to figure out how they want to change. So, there was a sense of Palo Alto Networks heading into the late 2010s that maybe they weren't innovating as fast as they needed to. They were still too dependent on the network firewall. And so, when it was June 2018, Mark McLaughlin, who had been the CEO there for a number of years, was heading out. People thought he was going to take a government job. Everybody had assumed that they would promote from within. They had a president at the time, Mark Anderson, who was well known, well respected, had just been moved into that president role, which often means CEO in waiting, but he didn't get promoted. Instead, what happened was that they brought in a man by the name of Nikesh Arora, who had never worked a day in cybersecurity in his life. He was second or third in command over at Google, had overseen a massive business and helped Google move into new areas, but didn't come in with any knowledge of cybersecurity. People were surprised by the decision. It ruffled a lot of people's feathers, who were used to the way that Palo was doing things and had relationships with the team that was there. People thought things were going pretty good there. So, why change everything up?
But, it has worked out pretty well, as most of the people listening here know. So, to give you a sense, since Nikesh Arora became CEO in June of 2018, Palo Alto Networks' stock is up 365%. So, pretty good return on investment - worth more than $100 billion today. So, I said all that as a prelude to kind of the moment we are at today with Check Point. So, Check Point, similarly born in the network firewall era, has tried to make moves outside of there. It has tried to expand into security operations, cloud security, email security, MDR and EDR, but it's been more half measures, and they haven't been nearly as aggressive as Palo Alto Networks has been under Nikesh Arora. And I want to give you a sense in terms of how Check Point has done over the past six years. So, over that period where Palo's stock grew by 365%, Check Point's stock grew just 81%. So, that brings us to today, and what you have is Gil Shwed, who founded Check Point as a very young man back in 1993. He is only 55 today, despite having been there for 30+ years. He is stepping aside as CEO. A lot of folks either expected that he was going to slow paddle this search as he is very invested in the company, or that he was going to promote from within, but that's not what happened at all. Instead, what you have is a man by the name of Nadav Zafrir coming in. He was the co-founder and managing partner of cybersecurity incubator Team8. It's an unconventional pick, because he's never overseen or led a conventional security company. Team8 is an incubator, and certainly he's helped portfolio companies there, he has advised them and he has served on boards, but these are early stage startups with a couple dozen, maybe a few hundred employees. Check Point is an entirely different animal. It has 7,000 employees. This is a major company. So, this is completely new for him - overseeing a big company.
But, what he brings is exceptional knowledge of emerging technology categories and of the individuals who are founding these early stage startups. The mandate and expectation are that things are going to change at Check Point much faster and much more aggressively than they have under Gil Shwed. To give you a sense here, two of the most recent success stories out of Team8 are a company named Dig Security, which does data security posture management, and Talon, which does enterprise secure browsing. Both of these companies were acquired last year for a nine-figure acquisition each. Both were bought by Palo Alto Networks though. So, now with Nadav in the driver's seat at Check Point, do we see more of a pipeline of Team8 portfolio companies going to Check Point or other promising early startups? Because there's a feeling that Check Point is behind the eight ball in terms of diversifying its portfolio and being a market leader in categories outside of network security, and certainly, the hope is Nadav can help get them there faster.
Delaney: Brilliant insights. So, you cover a lot of companies and see a lot of CEOs come and go. What are some common challenges a new CEO might face when taking over kind of a long established company, such as Check Point or Palo Alto Networks?
Novinson: It's a good question. Certainly, it's a cultural thing that people are used to the teams they have in place. It's not just all of the customers who've worked with you for a long time. You have this network of channel partners, managed service providers and value-added resellers, who are used to things being a certain way. So, when you bring in new blood, especially someone who's from completely outside of this world, they're going to look to do things differently. So, if there are go-to-market changes, that certainly could affect customers and partners; it affects how much people get paid. Maybe they compensate differently, or maybe there's more compensation for selling outside of network security. So, if you're a reseller who traditionally sold firewalls, you make less money going forward; it can ruffle feathers. Certainly for employees, if you're internally compensating sales reps more for sales outside of network security, it can ruffle feathers and lead to some changes. Certainly, he is coming into a pretty established team. Dorit Dor ran the product business there for decades. She's still there in a different role. Rupal Hollenbeck was hired a few years ago as their president, overseeing go-to-market. She's based in the U.S., one of the few individuals based in the U.S., because the rest of their executive team, including Nadav, is based in Israel. The big question is to what extent does he retain the existing executive team, or is he looking to bring in some new blood? Obviously, you bring in some new blood, you can change things faster, but you ruffle feathers, because people have connections and relationships. Then, the other question is about the role of Gil Shwed, who is not going to be CEO anymore, but he will continue to be chairman of the board, and he owns 23% of Check Point stock, which certainly gives him a pretty significant seat at the table in terms of how things are done there.
Check Point historically has grown in mid-single digits; so, it is subpar growth compared to the security space as a whole, where you have kind of those big teams' growth of 15%-16%. So, they're growing slower than the industry as a whole, but they're incredibly profitable. They make about $200 million every quarter, also returning a ton of money to shareholders in the form of buybacks and dividends. How will shareholders feel if they're getting paid less? Is that something they're willing to trade off for greater top-line growth? So certainly, a lot of questions around that, and then a lot of questions about to what extent, since Gil Shwed is still very involved, is he willing to let the company change? Certainly, he feels change is necessary, else you don't bring in a change agent like Nadav. But, does he still want the company to be massively profitable, or is he willing to take a bite out of profitability to, for instance, pursue a more aggressive M&A strategy to enable acquisitions or do bigger acquisitions? Those are all the questions. Nadav will officially start in December. And everybody's interested to see how quickly things change, or to what extent things change at Check Point, because things have been very similar there for a very long time.
Delaney: Very good. Thanks for your take Michael. Chris, let's talk about the upcoming U.S. election. There are a few uncertainties that have come up - Biden stepping aside, Kamala Harris entering the race and the potential return of Donald Trump. So, how might these developments affect federal cybersecurity policy?
Riotta: I heard a lot of sort of eerie similarities to the leadership shakeup happening right now at the top of the ticket in the U.S. It has certainly been a turbulent summer for national politics here. I have no idea how the show writers are going to keep things going all the way through November. I imagine they must be running out of ideas. But for us, President Joe Biden's decision to withdraw from the presidential race raises new questions about the future of national cybersecurity initiatives. The president announced, to recap quickly, his decision in a surprise post to the social media platform X in July, as the nation was continuing to struggle with the fallout from the CrowdStrike outage that triggered the largest IT disruptions in global history. The president said he believed it was in the best interest of his party and the country for him to stand down, quickly endorsing Vice President Kamala Harris to become the next Democratic presidential candidate. I've spoken with a number of experts since then who say Kamala Harris could take on an even more forceful role in cybersecurity and AI as president. She's pretty celebrated by folks on both sides of the political aisle when it comes to these issues, for walking this fine line of supporting innovation while establishing important safeguards. One expert told me, Harris has a strong record of prioritizing technological advancements in cybersecurity, but how Biden's withdrawal may affect the future direction of U.S. cybersecurity policies cannot be fully known until we see who replaces him and the outcome of the upcoming election. So, the president's withdrawal comes at quite a tumultuous time for cybersecurity policy in the United States. The early July Supreme Court decision overturning a long-standing judicial doctrine known as the Chevron deference, which we previously discussed in another episode, has thrown ongoing and future cybersecurity and AI regulations into a legally ambiguous state.
Federal officials have also taken to Capitol Hill in recent weeks, warning lawmakers in urgent testimonials that agencies are still struggling to recruit top cyber talent. Crystal Morin, a cybersecurity strategist for the security firm Sysdig, told me that both political parties want the U.S. to remain a global leader in this field and added that she's confident that the momentum will continue regardless of who takes on the next administration. And speaking of next administrations, if Harris were to win, many of her AI and cybersecurity policies could already be laid out for her. I've been doing a bit of reporting on some of the steady stream of long-term cyber policy goals the White House has released in recent months. Many of them extend well into fiscal year 2026, which begins in October 2025, and the administration most recently called for strategic investment priorities in future, cross-agency cybersecurity initiatives focusing on five key areas, which are defending critical infrastructure, dismantling threat actors, shaping market forces, investing in resilience and forging international partnerships. So, Harris has already spearheaded a number of the administration's tech initiatives. She announced in November 2021 that the U.S. had decided to support the Paris Call for Trust and Security in Cyberspace. The Paris Call consists of nine voluntary principles that support an open, secure, stable, accessible and peaceful cyberspace, and as head of the American delegation to the first AI Safety Summit held in the United Kingdom in 2023, Harris announced the creation of the U.S. AI Safety Institute and the adoption of a U.S.-backed proposal by 30 nations that prevents the use of AI in militaries. On the other side of the coin is Donald Trump, and it should be noted that during his four years as president, the U.S. became more assertive in cyberspace and more hostile to Chinese technology. Many of those policies have largely continued under the Biden administration.
Many analysts say Trump's administration was pretty forward-looking in many security areas in the international cybersecurity landscape, but his legacy on cyber policy is complicated in part by his firing of CISA director Chris Krebs in November 2020 on social media. The agency rebutted at the time false claims about election fraud and hacking. Days before Krebs' sacking, the agency released a statement calling the 2020 presidential election "the most secure in American history," which led to his firing. And of course, this came as Trump and his allies attempted to overturn the election results by falsely claiming the election had been marred by fraud. So, that is what you missed in the season on the cybersecurity special of The West Wing.
Delaney: Oh, it certainly is. So, what would be the main differences? Suppose a potential return of Donald Trump. How would that contrast with Harris' approach to cybersecurity and AI regulation? You said she's well respected. She's the White House's AI czar as well, isn't she?
Riotta: That's right.
Delaney: What could it potentially look like?
Riotta: I would say that the main difference between Biden and Harris on one side and Trump on the other side of this coin is that the Biden and Harris administration has taken an initiative toward international collaboration, announcing partnerships with everyone, from the G7 Code of Conduct around artificial intelligence to these voluntary agreements and commitments that they've been receiving over recent years from international and domestic companies agreeing to sort of rules of the road and establishing safeguards that extend overseas to AI developments taking place in other countries, with our allies and partners. Whereas the Trump administration took more of a domestic approach to safeguarding and working with AI and cybersecurity innovation and policy, focusing a bit more inwards, and again, expressing that sort of hostility toward some of our foreign adversaries and their AI and developments happening in places like China, certainly Russia and Iran as well. While those policies have largely continued under the Biden administration, what we've seen in the last four years is more of a willingness to work overseas and with partners in establishing those safeguards, rather than sort of focusing on our own domestic policy before then taking it overseas.
Delaney: The race is on. Thank you Chris. Let's see what happens. And finally, and just for fun, rolling with the Olympics geology, imagine a cybersecurity-themed Olympic event. What would one of these events be called, and what kind of challenges would participants face?
Schwartz: I might jump in with the bug-hunting biathlon, more of a Winter Games event, because it would demand snow, but you'd have to ski furiously and then do some vulnerability bashing. So, it could be a heady mix of the cerebral and the physical.
Delaney: Excellent. Love it. I can see it now. This is great. Michael?
Novinson: I was thinking cyber sharp shooting. I was inspired by the woman in the pistol event, Kim Ye-ji. She looked cool doing all of that, and yeah, just trying to imagine trying to shoot down bugs and vulnerabilities while looking fly at the same time. So, that's what I have for you.
Delaney: Very good. Chris?
Riotta: How about a malware marathon, where teams race to detect, mitigate and shoot down malware before it becomes a widespread issue?
Delaney: I've got hacker hurdles - a thrilling race, of course. Participants will hack through virtual defenses, crack code and solve cybersecurity puzzles. And of course, there's the gold waiting there at the finish line. Lovely!
Riotta: We need to set up some Cyber Games.
Delaney: I can see the medal ceremony. I can see the games. It's excellent. Great! Thanks for playing along, and thank you for such an informative session.
Schwartz: Thanks.
Novinson: Thanks Anna.
Delaney: Thanks for watching. Until next time.