An interview with Troy La Huis
Financial Education & Research Foundation (FERF): Over the 2010s, how did thinking around information security change? And then from there, can you comment on how things have specifically changed since the outbreak of COVID-19?
Troy La Huis: Look back 20 years and you think about the threat actors, the sophistication of the threat actors, and the motivations of the threat actors. Not to say that they were not sophisticated – certainly they were, and certainly there’s a fraction of them that have always been highly sophisticated and highly motivated. But it was almost like a hobby, and there was not quite the target environment for threat actors that there is today. The thinking around information security going back 10 to 20 years was that it is important, but maybe not critical.
We’ve progressed over the past decade-plus and moved dramatically to cybersecurity being a highly critical area for any organization, because everything is driven by those threat actors. The threat actors have gotten more sophisticated, more numerous. The tools that they’re using are leaps and bounds beyond what we saw a decade ago, in part because they’re sharing information, they’re collaborating, there are higher stakes, there are nation-states, there are organized crime syndicates. All of that has raised the profile of cybersecurity within the business community, and then of course that has driven the criticality to any organization.
What we’re seeing then, of course, is more exposures affecting individuals. You can look back a handful of years, and you can see some corporations that have had breaches that have had an impact on, almost, half of the country. When you add that up, certainly it’s changed the mindset where, 10 years ago, organizations certainly had budgets and they were focused primarily on prevention. Prevention being: How do we stop these attacks from occurring? And if we can stop the attacks, if we can put this nice perimeter around the organization, that’s really sufficient. But of course, if you spend any time in the cybersecurity world these days, you hear the old adage “It’s not if, but when. It’s not when, but how often.”
Organizations have shifted from a prevention-only mindset to prevention, detection, and response, recognizing that even with the best prevention techniques, there’s always some way that a threat actor – especially nation-states, organized criminals, and seasoned threat actors – can exploit some vulnerability in your organization. You’ve got to shift that mindset from being singularly focused on prevention to inclusive of prevention, detection, and response. If you look at what’s happened just in the past handful of months, it’s absolutely taken that spotlight and magnified it. Organizations spent a fair amount of money putting together these cybersecurity programs. They got comfortable with where they were in comparison to the technologies being used and the methods that employees and consumers connected to these organizations. That changed very dramatically in March.
Now prevention, detection, and response has taken that spotlight, and I think it’s probably a good thing. Not to say that there was a waning necessarily in broad strokes, but I think we were getting a little bit numb to cybersecurity. I call it the psychology of cybersecurity, where if you’re seeing these messages popping up constantly, you get a little bit of that fatalist point of view that, well, it is going to happen, and I’m only going to do so much. We’ve kind of refocused on technology and security over the past handful of months. I think that’s a positive thing overall. The other thing that I think we’re seeing and we’re going to continue to see is, at the time that employees quickly moved to working from home, consumers and businesses also needed a way to communicate with each other different from the way they have traditionally.
And so now we’re seeing our consumer or customer preferences are also changing. They still desire the same services, but now of course they’re going to get them in different ways. And we have to think about the security aspects of those relationships as well. The difference is, employees are probably more patient. Some people may disagree that employees are patient when it comes to security; however, they’re more patient than consumers who say, I used to know exactly how to get this to happen. I want it to happen faster now because technology has enabled this, and I don’t want to have to jump through multiple security hoops to get what I need. So that’s going to be a challenge and I would say a good challenge for the cybersecurity community and for businesses in general. How do you improve that customer experience? And how does cybersecurity shift from a back-office function to something that’s really front and center in those relationships with the customers?