ISMG Editors: The Changing Nature of the Security Profession
Also: US Hospital Closing Due to Poor Cyber Defenses; More Cybersecurity Layoffs
Anna Delaney • June 16, 2023
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including how cyber risk is becoming more closely tied to the economic health of nations, why a rural U.S. healthcare provider is closing due in part to ransomware attack woes, and why some cybersecurity companies have laid off staff this month.
The panelists - Anna Delaney, director, productions; Tony Morbin, executive news editor; Michael Novinson, managing editor, ISMG business; and Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity - discuss:
- Why cybersecurity is increasingly moving from being a tech-centric profession to a risk-centric one and how to measure cyber risk;
- Why a rural Illinois medical system will shut down partially due to fallout from a 2021 ransomware incident, which is part of a wave of attacks exacting high costs from the healthcare industry;
- Why cybersecurity firms Dragos and Sumo Logic have joined a slew of companies in laying off employees due to slowdowns in revenue growth.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the June 2 edition on why communication skills matter for CISOs and the June 9 edition on how Verizon's DBIR reveals a surge in BEC scams.
Anna Delaney: Hello and welcome back to the ISMG Editors' Panel. I'm Anna Delaney, director of productions at ISMG, and here is our weekly editorial take on the trending cybersecurity news stories. I have a stellar cast joining me today: Marianne Kolbasuk McGee, executive editor for HealthcareInfoSecurity; Tony Morbin, executive news editor for the EU; and Michael Novinson, managing editor for ISMG business. Good to see you all. Good morning. So Tony, tell us more. I was saying, I hope that's not you on the cliff there.
Tony Morbin: No, it's not, but it is a risk image. I don't think I would quite take those risks. And I'd certainly be taking a few mitigation strategies like having a rope around my waist.
Delaney: So Marianne, where are you today? You're outside enjoying soaking up the sun?
Marianne McGee: Yeah, this was taken at the Boston Common a few weeks ago, which is where I go. There are swan boats in the back - can't really see them. But it was a pleasant day. It was Mother's Day weekend and, you know, the weather was perfect. So one of those rare days.
Delaney: Very good. We have the same situation in London. We're just holding on to the sunshine whenever we can. Michael, tell us more.
Michael Novinson: Of course, this is a little bit of deja vu, thinking back to my trip to Block Island last month, about 10 miles off the coast of Rhode Island. This is a lighthouse at the very northern end of the island that's been abandoned for a little while. But it looks cool from the outside, just bikes up there. It's a pretty decent walk through the sand in order to make it to the lighthouse. But it does look like a relic from the late 1800s. So just very pretty views all around.
Delaney: Good. And I'm sharing some urban art from London's East End Shoreditch. There's plenty of vibrant wolves in the area. And it's always fun to catch on or catch up with what's new in the area. Okay, well, starting with Tony this week, you've got some interesting analysis to share on a trend which is gaining more momentum in recent years. Just now, cybersecurity is moving from being traditionally tech-focused to risk-oriented. Tell us more.
Morbin: Absolutely! Very much risk to play with this month in the various events around the U.K., certainly. Not so long ago, cybersecurity didn't exist as a profession. So it's not that surprising the routes that people have taken to get here. They were as varied as the people, from the bedroom gamer or telco engineer to the finance manager or IT consultant. But even today, most have come from a technical background in some shape or form. One very senior head of cyber in law enforcement confided in me once that he was made responsible for cyber as the most technically competent person in the office, though his technical skills initially amounted to being the only one who could fix the printer when it got stuck. But today, there's increasingly a shift among CISOs from a tech-centric to a risk-centric profession. And the reasons are obvious. Cybersecurity is now a vital component of our new digital society. Digital transformation has increased cyber risk, exacerbated by the pandemic. So our reliance on a connected world pervades everything, and cyber risk has a level of interconnectivity that no previous risk has had. Cybercrime is now greater revenue than any nation state on Earth. And critical infrastructure is a legitimate target for state actors conducting cyber espionage or hybrid warfare. Our entire business can cease to exist, or our mission to deliver health care, critical national infrastructure or other outputs can be fundamentally undermined by a successful cyberattack. Consequently, cyber risk is now a tier one threat. It's no longer acceptable to see it as an issue that's too technical for the board to understand, or one that can simply be delegated to the CISO. The CEO, the CFO and every other board member and senior manager must now take responsibility for the cybersecurity of their operation, instilling a security culture in the organization as a whole. And the CISO is the expert who will help them make it happen.
We often talk about how to explain cyber risk to the board. But we actually need a reversal of that process. With cybersecurity now, arguably, the Number 2 risk faced in many enterprises, the board and line managers need to be asking, "How can I reduce the cyber risk in my operation? What controls do I need? What skills, what staffing, what budget?" And in the language of business, those questions will need fact-based answers. How much will it cost to reduce the risk by x percent? How are you measuring and quantifying the risk?
Delaney: Tony, I guess the big question is, how do you actually measure cybersecurity risk?
Morbin: It is indeed the thousand dollar, the multimillion dollar question. There are methods to assess any kind of risk, as the insurance industry can testify. You can even get alien abduction insurance to cover post-abduction medical bills. Unfortunately, cybersecurity seems to be less predictable than alien abduction. And it's such a potentially catastrophic and growing risk. Many insurance companies miscalculated, lost money and had to leave the sector or hike up premiums. They'll likely put the blame on lack of actuarial data. But others suggest that their understanding of cyber risk was lacking, with more focus on the impact and less on the likelihood of a successful attack. Alternatively, you can measure the risk yourself using models such as that provided by the FAIR Institute, which puts a monetary value on risk. As one CISO speaker from a luxury goods company mentioned at FAIR's inaugural London summit this month, he was able to use this approach to put a financial impact figure on the loss of sales resulting from a data breach, explaining how data showed that they would lose 10% of their highest spending customers and 50% of their occasional customers if they lost their customers' data, and this would reduce sales by X percent. How you present those risks to the board needs to be tailored to the specific organization and the decision makers involved. But measurement and quantification are increasingly an important part of that discussion. By prioritizing and addressing identified risks with appropriate controls, we can reduce risk in a measurable way. And that's how we calculate our ROI on cybersecurity expenditure.
When it comes to controls, of course, we'll run through all the basics: patching, segmentation, encryption, strategies such as zero trust, standards and frameworks such as ISO 27001, NIST and the MITRE ATT&CK framework, the need to automate, deploying AI where appropriate. But more fundamentally, it's become even more essential for CISOs to understand the work processes, the business outcomes sought and the organization's risk appetite, and then deploy the latest technological solutions available in line with an accurate risk assessment of the threats faced. While self-interest, protecting your bottom line or your ability to deliver on your mission, is a great motivator for organizations to implement appropriate cybersecurity, sometimes regulation is necessary because there may be things that organizations don't care about, but which have a wider impact, including secondary impacts. These can range from environmental impacts to negative impacts on the privacy of individuals, such as sharing confidential information. But just as there are inadvertent secondary impacts due to the failure to address cybersecurity risks, it now appears that there are also unintended benefits. The more digital a society is, the greater its cybersecurity attack surface, but digital maturity is also correlated with more sophisticated cybersecurity resources, enhanced telecommunications infrastructure and a highly qualified human workforce. These factors, according to a new report from Moody's, have a beneficial impact on a nation's economic health. The latest report says that a sovereign nation's cybersecurity strength is strongly correlated with economic and institutional strength, with more highly rated sovereign states demonstrating stronger overall cybersecurity positions despite higher exposure to cyber risk. As a result, nations in the Five Eyes intelligence alliance - Australia, Canada, New Zealand, the U.K. and the U.S. - as well as the European Union and others who have enacted more proactive cybersecurity measures, are now seeing cyberattacks shifting to other regions with less cyber preparedness and resiliency, particularly to issuers in emerging markets. So in conclusion, cybersecurity is now a risk that everybody needs to be cognizant of as individuals, business leaders and nation states. It's a business issue, not a tech issue. The consequences of failure can be devastating. But taking a risk approach, we can quantify and prioritize what needs to be done to mitigate that risk. And it does appear that for those unable to rise to this challenge of identifying and quantifying the cyber risks we face and implementing appropriate controls, we can indeed reduce the risks with beneficial impacts on our organization, and on our society as a whole.
Delaney: Excellent, Tony. You've given us plenty to think about and you were at the FAIR Institute's conference recently. How was it? Any key takeaways for you?
Morbin: Well, it was excellent. And I've kind of stolen a lot of the material from that for my talk just now, because it was really talking about this move from a technological approach to a risk-based approach. The key part of the whole FAIR approach is to put a financial value on it. And also, I guess one other thing I didn't really cover was motivations and incentivization: that they should be incentivizing your cybersecurity as opposed to necessarily purely incentivizing profits. So if your bonus depended on implementing certain levels of cybersecurity, you're more likely to see that being taken seriously. So that was lesson one; the main one really was that quantifiable measurement of your risk enables you to prioritize what are the biggest risks and implement the appropriate controls that are financially appropriate to the level of risk. So it's a real quantification that was the key.
Delaney: Thank you so much, Tony. Marianne, tell us about how a ransomware incident which occurred in 2021 has come back to bite the health care industry.
McGee: Sure, actually, this kind of piggybacks also on what Tony was just talking about with, you know, cybersecurity risks, the financial impact, the devastating sort of consequences that some organizations do face. And in fact, you know, we've seen severe disruptions that ransomware attacks have created for many hospitals and health care entities. But the financial toll and related problems that these incidents have can actually be fatal for some smaller health care entities that already have any sort of serious troubles going on in the background. And that was the case for a 44-bed rural hospital in Spring Valley, Illinois, St. Margaret's, which has announced that it and its clinics are permanently closing on Friday due to - in large part, not completely, but in large part - a 2021 ransomware incident that worsened the entity's financial woes and just added pressure on to the already existing staffing shortages and pandemic-related problems that they were facing. And in addition to St. Margaret's hospital in Spring Valley, the facility's sister hospital, a 49-bed hospital in nearby Peru, Illinois, is also permanently closing on Friday. Now that Peru, Illinois, hospital, which was formerly called Illinois Valley Community Hospital, had been temporarily closed since January, also due to the same financial problems related to the ransomware attack and other things that are now being blamed for the closure of St. Margaret's Hospital in Spring Valley. Now, St. Margaret's, in a statement posted on its website, said the cyberattack prevented the organization from being able to bill and to get paid in a timely manner for the services that it provided its patients, which all contributed to this closure. Now this isn't the first time a health care entity in the U.S. has closed its doors in the aftermath of a ransomware or other devastating cyberattack.
Over the last few years, there have been a handful of other small clinics and doctor practices that said they were closing up shop permanently due to the inability to access their electronic patient records after a ransomware attack, as well as the financial impact of the incident. Now in terms of rural hospitals and the cybersecurity difficulties they face, this week, the U.S. Senate Committee on Homeland Security & Governmental Affairs appears set to push along a bipartisan bill that aims to help these small entities. That bill, the Rural Hospital Cybersecurity Enhancement Act, proposes to require that the U.S. Department of Homeland Security's CISA agency develop a comprehensive rural hospital cybersecurity workforce development strategy. Now the aim is to help these rural hospitals develop the cyber skills and expertise needed to better defend against cyberattacks as well as more effectively respond when these incidents do hit. These rural hospitals and clinics are often under enormous pressures related to staffing shortages, as Tony was just mentioning about the skills shortage. But these rural hospitals not only face the shortage for IT and security expertise, but also often for clinical workers. And if these rural hospitals do have to either close temporarily as they deal with a cyberattack, or permanently like St. Margaret's, being unable to recover after the event, it's a major setback for the community. In many cases, many of these rural hospitals are the only hospital or emergency room for many miles, putting patients in those communities at jeopardy for safety issues if there's an emergency. So it's kind of scary to see these things happen.
Delaney: And Marianne, can you share a sense of what it's like for one of these rural hospitals? What they go through when they experience and recover from a ransomware attack, just to understand the scale of what these organizations have to go through.
McGee: Sure. In St. Margaret's case, it's reported that, you know, they had incident response sort of preparedness, you know, in case something like that happened. But bottom line, you know, once the system is shut down, it's the behind-the-scenes things that you can't do. You can't send out your bills, you can't do this, you can't do that. And this is, you know, this mounting effect on the operations. And in many cases, these rural hospitals, they have like one person who does the IT, they do the security, they might be, you know, troubleshooting the helpdesk, kind of like what Tony was just talking about. And, yeah, they're just unequipped. They really don't have the manpower to do what they need to do. And that's unfortunate.
Delaney: But there is this bipartisan bill, which has been discussed today, isn't it? I was going to ask you, are there any initiatives going on at a grassroots level to help and bolster the defense?
McGee: Yeah, well, the problem with the rural hospitals, but this is also sort of for health care in general, is that, you know, the salaries are not competitive, necessarily. And if they get these people that have a little IT experience in a hospital, you know, they get very easily lured away, maybe by another health care facility in a larger setting or maybe in another industry. So the bill, you know, that's been looked at or being proposed, and the Senate kind of looks at the various ways that, you know, some of these rural hospitals can address some of their workforce problems when it comes to cyber.
Delaney: Well, thank you very much, Marianne. Michael, I would have liked to have moved on to a sort of more upbeat story, but I'm afraid it can't be avoided. You've reported on further recent industry layoffs, which seem to be happening in a kind of domino-effect style. Talk us through the situation.
Novinson: Absolutely. I'm sorry to bring more rain to an already rainy day. But it really makes me think of that movie Groundhog Day, you know, the one with Bill Murray that came out a couple of decades ago. And basically you looked at the groundhog: does it see its shadow? That means six more weeks of winter; if it doesn't see its shadow, then spring arrives early. When thinking about the economic downturn, I think there was a sense that maybe we're at a crossroads really. People started to feel the effect just over a year ago; May of 2022 was really the first rumbling. So we started to see layoffs in June of 2022. A typical recession or downturn lasts 18 to 24 months. So now that we're a year in, the question was really, have we hit rock bottom, and are we starting to climb out of it? Or is this going to be a downturn that lasts longer? And unfortunately, it does seem like things are continuing to be an issue. In the United States, we continue to have the issues with stubbornly high inflation, which means continuing interest rate hikes; some issues with the supply chain are still lingering. And none of these are really great signs. Also the big failures in the spring that I know we've spoken about here as well. So all this has just put a dampening effect on the environment for cybersecurity companies. So we have seen companies, and these were companies that were really trying to avoid layoffs, either company culture-wise or a sentiment that they're in a good space to play in. So we've seen four sets of layoffs since the start of the month; they're all a little different. So I'll talk through each of them. So first, we heard SentinelOne, which is a publicly traded company, probably the fastest-growing publicly traded company in all of cybersecurity, growing at 70% a year. But they're set to lower their forecast going forward, which is not something you see a lot in the security space. It makes analysts very unhappy; their stock price got hammered.
Essentially what had happened for them is there's some consumption-based products. This was based off their Scalyr acquisition, getting into that data lake space, data analytics. And essentially, the way those products work is the more data organizations send into the lake, the more they have to pay SentinelOne. And for SentinelOne, it's just been kind of continuously up and to the right, regardless of the contractual minimums, but organizations are just shipping more and more of their data, all of their data, into there to try to get some value out of it. But with the economy continuing to be an issue, a lot of companies recalibrated in Q1 and said, "Do we really need to send all this data?" And a lot of organizations, instead of continuing to increase the amount of data they're sending, went back to the contractual minimum. And that really took a bite out of both their Q1 earnings as well as their projected earnings going forward. So they're looking at a layoff of about 5% or 100 people. Then we have two late-stage startups, very well regarded technology, that also had avoided layoffs until now and were proud of that. But they did have to succumb in recent weeks. The first is Dragos, a really well-known company in OT cybersecurity; Robert Lee has testified in front of Congress a bunch. They were very transparent in terms of what they did: it was 55 workers or 9% of their workforce, and just the trends you're seeing at so many other places with longer sales cycles and smaller initial deployments or purchases. It's something that Robert had said in his email to employees that he has put on the blog, that really had been avoided in that OT ICS space because it is so critical and such a priority that they weren't seeing the same slide as even other areas of cybersecurity, but eventually it did catch up with them. And given the revenue miss in Q1 and therefore lower projections, they did have to cut back some.
Similarly, Expel, a detection and response company that just last month was named the best MDR vendor in the entire industry by Forrester, beating out companies like CrowdStrike and SentinelOne despite being a fraction of the size, did a layoff of 10% or 60 workers in a similar scenario where they're seeing a slowdown in customer spending. Then, the fourth and final one I mentioned to you is Sumo Logic. They're an interesting one, because they're kind of on the other end of that: they just got taken private by Francisco Partners, and that closed last month. And Francisco Partners has a playbook. They most notably did this with Forcepoint when they bought Forcepoint in 2021: they boot the existing CEO, they have somebody on their own roster, a managing partner or director in their firm, who they install as the CEO. And then they do some pretty heavy cuts, well beyond what a Thoma Bravo would do. They really cut out anything they think is ancillary or outdated, and they've been pretty secretive about it. There's been a lot of noise on LinkedIn of people saying that they've lost jobs, and they're looking for work. There's been some reporting on it in recent days. The Information reported on the email that their new CEO sent to employees, but that didn't actually say any numbers in terms of how many people were affected. The San Francisco Chronicle on Tuesday reported about one notification that Sumo Logic had sent to the State of California saying that 79 workers were impacted in California. So that's about 8% of their workforce. But Sumo Logic employs people in well over a dozen countries, as well as lots of states in the U.S.; the corporate headquarters are in California. So what we know is 79 people affected in California; we don't know how many people are affected elsewhere. But yeah, they really did start off in that data analytics SIEM space, and it seems like Francisco wants to pivot them. I know SIEM has become a bit long in the tooth.
So I mean, I think what we can expect: there are some pretty steep cuts and then kind of a rebuild, maybe some tuck-in acquisitions, which we've seen with Forcepoint, and then stabilization. But it seems like pretty severe cuts out of the gate.
Delaney: Do we know what types of jobs are being lost? Or does that really vary across companies?
Novinson: It's a good question. And companies tend to be a little secretive on this; they're always going to say that it's not going to affect service delivery or customer support. I mean, no company is going to come out and say like, "Oh, yeah, expect longer response times." And to the extent that they do delineate, they always will say it's not our technology, it's not our R&D, we remain, it's just our go-to-market people. So if they say anything, they'll always say it's focused on go-to-market, because customers and prospects don't want to hear, "Oh, yeah, we're cutting back on our R&D, we're not going to spend as much looking at emerging threats." Yeah, no, nobody's going to say that. So either they say it's go-to-market, or they don't say anything. But it's hard to say. I mean, in general, high-growth companies continue to hire. CrowdStrike, Palo Alto Networks, companies like that haven't had to slow down at all. And if companies are having to move in the other direction, it means that they've had some type of a speed bump, but it definitely doesn't have to be fatal. These companies can recover. And again, almost all of them have technology that's really well regarded by analysts, but it doesn't mean that they have to recalculate and shift their growth plans.
Delaney: Okay. Well, Michael, thank you so much. Hopefully, the industry will pick up very soon, as you say. So finally, just for fun, in order to lighten the mood somewhat, I'd love for you to share something, a good news story, for instance, in the industry that you've picked up on recently. Fill me with hope.
Novinson: I'll start, which is that as challenging as things are in cybersecurity, the big benefit economically is that there's not the commodification that's going on in the consumer sector, if you look at companies like Uber or Lyft, or the rental car companies, where it's just a race to zero and everybody's price conscious, and they're just choosing whatever is cheapest. The big benefit in cybersecurity is people selling quality product; companies like CrowdStrike and Zscaler are proud that their product costs more than competitors'. They're very open about that, but it's more effective. And the fact that CISOs and other buyers and organizations are making decisions based on efficacy and quality rather than price is going to be a massive saving grace for cybersecurity.
Delaney: Good to hear. Marianne?
McGee: Yeah, I was just going to say that over the last several months, you've seen various security research reports come out saying that ransomware attacks are sort of subsiding somewhat and, you know, the ransom payments are getting smaller. So, that might be a good sign. But then at the same time, you know, there's always been - what the good news is - that it could be that these attackers are now skipping over encrypting systems and just going right to extortion. So you know what to say but for hospitals, in particular, they can - not that they want their patient data exfiltrated - but if they can skip the encryption part, that might be helpful.
Delaney: Take any good news we can. Tony?
Morbin: Well, in the absence of any good news, what made me smile was somebody else's misfortune, when further details recently came out from crypto tracing firm Chainalysis about bitcoins stolen from 996 wallets controlled by Russia's foreign military intelligence, Foreign Intelligence Service, and Federal Security Service, which they had been using to pay hackers, including the people involved in the SolarWinds attack. And after it was stolen, the money was then sent to Ukrainian addresses. So not a good news story as such, but maybe.
Delaney: Very good. And I was also going to jump on the Ukraine bandwagon, saying that, you know, their resilience has proved positive in a horrendous situation. And obviously, they've been practicing this since they'd been attacked in 2014 onward by the Russian offensive campaigns, but anyway, I think we can learn from Ukraine's defense and we'll be talking about it for many years to come. Anyway, everybody, thank you so much. This has been brilliant as always. Tony, Marianne, Michael, thank you very much. And thanks so much for watching. Until next time.