Leading information security company, Herjavec Group, recently published its latest report, Cybersecurity Conversations for the C-Suite in 2017. Founder and CEO Robert Herjavec sat down with the New York Stock Exchange to discuss some of the findings of the report, the growing complexity of the cybersecurity landscape and the personal lessons that he learned from his father.
One of the key points of the report is that the number of channels and devices that businesses use is growing all the time. Can you talk about the security challenges this presents?
There are roughly 5.5 million new devices connected to the Internet every day, a 30% increase year-on-year from 2015 to 2016. At Herjavec Group we call these “access points” and every one of them is a new attack vector that can be used to breach networks.
Compounding that risk is that the nature of the threats to today’s networks has evolved. While the theft of money is still a big problem – ransomware is undoubtedly a growth industry – today’s network hacks are more about the theft of data, which is then used as a weapon. The recent DNC hack is a great example of this – that breach was solely about compromising systems to acquire information.
Herjavec Group is one of many companies that work with a range of technology partners — how has the current tech landscape blurred the lines between competitors and collaborators?
I’m not sure that it has. I heard a great saying a few years back that goes “the quality of your company is determined by the quality of your competition.” We are very aware of who our competition is, and for one of us to win others have to lose, so we’re in a zero-sum landscape.
We tend to compete against the large-scale integrators like IBM and Fujitsu, but it’s good for us to be the small guy on the scene as we can be nimble and react quickly to the increasing complexity of the market.
What are your thoughts on the phenomenon that has been called the “democratization of hacking,” where the tools to breach networks are easily bought and sold on the Internet?
It’s a grave concern. In the past we used to actually hire hackers because they possessed an uncommon skill set, but today the availability of hacking tools means someone who wants to do harm doesn’t need a high level of technical knowledge.
To answer your question, simply put, companies can’t keep up and that’s why the largest growth area for our business is managed security. Companies know that with the proliferation of new threats it’s impossible to stay up to speed and that’s why they’re looking for a competent, reliable managed services partner.
It is often said that cyber security today is a board-level conversation. Do you find that boards are taking steps to educate themselves on cyber risk or are they still largely reliant on the CISO?
It’s an important point because these days the bulk of my time is spent with boards. From my perspective it’s an extremely positive thing because boards are looking to edify themselves so they can make informed decisions about things like security policy, budget, infrastructure, staffing and so forth.
That being said, the CISO is still the critical actor in all of this – it’s one thing to talk about security, to learn about it, but it’s another thing to have a plan and to execute on it. The board needs to set the vision, but the CISO needs to deliver.
How big a driver is regulation and compliance in the change/growth of the cyber security market?
It’s everything. At the end of the day, our company and our competitors sell stuff that our customers would rather they didn’t have to buy. No one gets up in the morning and says “I’m so excited to spend this stack of money on cybersecurity products today!” But compliance demands mean they have to have good systems in place.
There’s no question that a lot of regulation can be cumbersome, sometimes even contradictory, so there are a lot of improvements to be made at the policy-setting level, but at the end of the day I’d rather have something than nothing. If we’ve learned anything from the DNC hack it’s that many organizations are still underprepared to defend their networks. If regulation and compliance ultimately lead to better-equipped companies, I’m all for it.