In The Boardroom With…
Mr. Patrick Dennis
President and Chief Executive Officer
SecuritySolutionsWatch.com interviews Mr. Patrick Dennis, President and Chief Executive Officer, Guidance Software
SecuritySolutionsWatch.com: What is your perspective, Patrick, regarding digital risk and the wave of cyber attacks in today’s IoT environment – are we more vulnerable today and is your new cloud strategy, and relationship with Amazon, part of the solution here?
Patrick Dennis: Let’s start by quantifying some aspects of this question. First, I believe digital risk is a much bigger problem than the average executive thinks. A recent body of work from McKinsey & Company estimates cybercrime costs between .5 and one trillion dollars annually. What may be more impactful is that organizations will realize nearly three trillion dollars in opportunity lost by 2020. That means digital risk isn’t just a cost problem; it is slowing the rate at which executives are willing to digitize their business. That, in turn, reduces their level of competitiveness at a time where technology is disrupting all markets. I see this as related to the IoT part of your questions since many organizations are using the Internet of things as part of their digitization strategy. I also believe that any of the 30-50 billion devices forecasted by 2020 can be hacked if they attach to the Internet, and by definition they all do!
Although technology has increased our quality of life, as your question states, it has also increased our vulnerability. If we do not address the security and privacy concerns, society could slide backwards. Everyone at Guidance believes that we have a societal responsibility to contribute to making the world a safer and more secure place.
The cloud announcement we made in early February was in part connected to IoT and in part driven by cloud native application growth. If you think about our core business, we deploy software on endpoints. They take many forms: laptops, servers, ATM machines, POS systems, and now more than ever, cloud-based virtual machines. We want to make sure that our customers can use the same Forensic Security software to protect their cloud-based virtual machines as the physical machines in the data center.
We think this is the right thing to do because the growth in endpoints is coming from cloud virtual machines and the associated applications. Fortune 500 enterprises must digitize the business to compete, and they are turning to faster software development methodologies like agile cloud technology. This means more modern applications will be built on platforms like Amazon, using software like Cloud Foundry, to develop applications that are native to the cloud. These applications require as much, if not more, security as they scale out to thousands of machines and millions of users.
Phase one is about reducing the complexity and time to install our software onto an Amazon infrastructure. In future phases of the project, we will do even more to make our software support modern, cloud native applications across industry standard public and private clouds.
Guidance can play a meaningful role in any corporation’s security and cloud strategy as we are completely focused on reducing digital risk.
SecuritySolutionsWatch.com: Do public policy makers, law enforcement or federal agencies play a role with organizations in this space?
Patrick Dennis: Yes. First it is important to realize digital risk is a global problem. Yet, law enforcement and federal agencies are often limited in scope to a particular country, which means that laws usually govern issues that are also not global in scope. As such, commercial organizations need to work with these groups to pursue prosecuting cyber crimes. However, the consequences for commercial organizations collaborating with these groups can often open the organization to lawsuits, public relations consequences or worse. We need positive incentives to encourage collaboration between the public and private sector to fight cyber crime. Guidance has a long-standing relationship with law enforcement and government agencies around the world. We know how important it is for these public sector professionals ally with commercial organizations to make meaningful progress against cyber criminals.
I have been spending some time with Ed McAndrew, a former cybercrime prosecutor in the U.S. Attorney’s office, discussing the topic of working with law enforcement on cyber crime. While we come from different backgrounds, we have had similar experiences with these types of matters. We agree that it is difficult to establish these types of collaborations, and for commercial enterprises to prosecute these types of cases if they choose to. Many of our policy makers simply do not have the requisite technology skills to help govern today’s digital economy. The pace of change is so fast both technologically and within the world-wide regulatory framework, it’s difficult to keep up. Nonetheless, if society chooses not to tackle these challenges, we will continue to enable our adversaries. We need ways to align incentives to drive public and private sector collaboration. Those of us in the industry must find ways to educate policy makers to help improve the cybercrime regulatory environment.
SecuritySolutionsWatch.com: Do you have any specific advice to the Boardroom about security and cybercrime?
Patrick Dennis: In many ways the last question and this one are linked. The board of directors is responsible for protecting its organization’s people, technology assets and shareholder value against risks. Furthermore, they are certainly engaged when there is a company crisis, which is how cyber crime and breaches are often treated. Much like the policy makers I described earlier, many boards lack the knowledge, awareness and confidence to offer security oversight for the business. I have seen many audit committee risk registers that have either no mention of digital risk or have a one entry that broadly describes the potential impact. These are both insufficient for most of today’s businesses that rely so heavily on technological innovation and are primarily digital
Boards need to open a stronger, more consistent line of communication between the security team and the most senior executives. It is important that the security organization educates the board and top management on digital risk. Opening this dialogue allows business leaders make the necessary trade-offs to grow and protect the business. The additional transparency also helps the board’s governing function.
Next, a board of directors should ask to see the overall security program. This program should include a combination of people, process and technology focused on reducing digital risk. This is a good time to make sure there is a balance between the focus on preventing incidents, and the need to respond to them. Boards should consider if the security posture of the company is appropriate given the exposure to digital risks, based on the weighting of the other risk factors. This should be a gauge in terms of the business and how the outside audit firm would assess the company’s security posture.
The starting point has to be linking the business growth strategy to the digital strategy, and the digital strategy has to include a way to keep the company secure. If the board and top management keep those things in mind, they will stay on the right path. If they agree on the tradeoff between growth and risk, the board can avoid surprises. Finally, if there is a comprehensive security program in place, the company is better positioned to collaborate with public sector counterparts when an event occurs. These are all rapidly evolving topics that boards should take seriously now.
SecuritySolutionsWatch.com: We read with great interest that the Enfuse Conference is coming up May 23-26 in Las Vegas. Who should attend and can you give us a sneak peak regarding some of the upcoming highlights at this years’ event?
Patrick Dennis: At EnFuse, we aim to bring together the most important constituents in an organization that play a role in reducing digital risk. It’s not our conference, it’s our users’ conference. It’s the only place in the world where real forensic investigators and IT security professionals, law enforcement with public policy makers intersect. We’re privileged that nearly 2,000 attend our event every year. This year, we are looking forward to having Computer Scientist Dr. Jennifer Golbeck, director emeritus of the Human-Computer Interaction Lab and director of the Social Intelligence Lab at the University of Maryland, deliver the industry keynote. Over the course of three days, I expect interest in social, mobile, analytics and cloud to be hot topics.
To read the full interview click here