Keynote at the Consumer Identity World 2017 EU in Paris, France
Thank you. Consumer data: we've heard lots about how much of this consumer data we've been gathering, but we really have to protect it. That's the key thing, and that's my key message here, because consumers are our lifeblood, to be honest with you. First, a quick disclaimer: none of this reflects the opinions of my employer. It's all my own work, so when you burst into rapturous applause at the end, direct it entirely at me. I think Sat Adela said it very, very succinctly when talking about trust.
Consumers, people, you, everybody in this room will only use technology if they trust it. The moment they get burnt by it is the moment they start telling their friends, and then the rest of the world, through social media, not to trust something. This is why many sites like Amazon, for instance, will not even ask for additional payment confirmation, the CVV for instance, because they want to make everything as smooth as possible. And that's a risk they chose to take.
They don't want any kind of hiccups, any kind of bad experience, or too many click-throughs in their entire process. A 2016 report, the Verizon DBIR, actually tells it fairly clearly. Many of you who are vaguely interested in information security will not be surprised, but some of you will, that it takes many companies over 200 days to know that they've either got a malware infection or that they've actually had a breach and been attacked. And this was quite incredible for me: 2,982 days was the longest presence.
That's about eight years, I think. So they must have been running Windows 98 or something like that for a very long time. And the most incredible one: 69% of them were discovered by someone else, not the company themselves. So that's a great place to start without trusting, right? Imagine again, 2016: they said that in 60% of the cases they analyzed, attackers were able to get in in minutes. Minutes. That's pretty bad.
So if this was put on the front page of the BBC or CNN or, fake news, Fox, then trust would be gone for all of our consumers. Nobody would trust us.
And these are averages. This is not specific to any kind of industry.
This is an average across a range of industries. So is it because of these guys? Is it because we've got stupid users, or even our consumers are stupid? Is it because they're doing dumb stuff? They're the ones that are having (yeah, you're supposed to be looking at me) the malware installed on their laptops.
They're the ones that are actually doing dumb things with their credit cards and then blaming you for it. Or is it this guy, hacker man, normally a teenager in the basement of his parents' house who hasn't seen daylight for a few weeks? But actually, are they getting more and more sophisticated? We can always blame the Russians if nothing else, right?
So how do we actually start protecting ourselves against these kinds of issues? Let's talk about embedding security. Now, when I talk about users here, I talk about consumers in the same breath as well.
So bear with me on that, but the reality here is that we need to make sure that security itself is embedded not only within our organizations to protect our data, but within our consumers as well. We can ensure therefore that we are not sat in the middle of these two, that we are the smart ones and our users and consumers are either side of us. I think this image sums it up. This image is a padlock gate, which requires only one padlock to be removed for the gate to be opened.
So it allows multiple users to use that gate. It's fairly clever, right? Fairly clever, but it relies on the fact that the last person to use it will lock the gate. That's exactly the same with our consumers. It relies on everybody ensuring they're locked up, which we find very, very challenging to do. And that's why we end up with this attitude that humans are the weakest link in our security.
Well, actually, I disagree with that. My opinion on this is that they're not the weak link. They're the only link. They're the ones that we should be communicating with. They're the ones that we absolutely have to be hammering this stuff home to. I'm afraid I don't know who to attribute this quote to. I did see it fairly recently and I'll find out, or if somebody else knows, then please do let me know. So how do we communicate in a way that makes sense to people, in a way that we can actually work with them?
There are two ways: language, funnily enough, but it's actually not just the language, not just words, it's the way we use the words and the words we choose; and choice architecture, which will make much more sense once we get to it. So, language first. I love this story of General Patton before he leads his armies into battle and certain death and lots and lots of horrible unpleasantries. His pep rallies.
His speeches were littered with profanities, absolutely littered with profanities, and telling everybody that they were going to die, to the point where the journalists of the day felt that they couldn't actually reprint or print a copy of his speech in the newspapers. It was just too awful. And when asked about this, Patton's point of view was that an army that can't swear is an army that can't fight its way out of a paper bag. He was talking to the army in the language that they understood, the rough-and-ready army, and the truth and the native facts.
And that's something we have to do with our consumers. We have to recognize who our consumers are, recognize what kind of niche they operate in, and talk to them in their language about why certain things are important: why we ask them to do two-factor or multi-factor authentication, if at all; why we ask them for passwords of eight or more digits, although that's a contentious point at the moment anyway; why we ask them to do things not only to protect themselves, but to protect the whole community, their entire ecosystem.
The second one is choice architecture, and it's another lovely story. It was in a high school in the USA, and they had a problem with teenage girls putting on lipstick and kissing the mirrors in the bathroom. I don't know if any of you have heard this one, but of course lipstick is very difficult to get off mirrors, especially if they're covered in it. And the principal put out a message: do not kiss the mirrors, blah, blah, blah. And of course, more girls kissed the mirrors.
So she worked on something else. She brought in a large group of girls and they did this for everybody, and the janitor was there as well. And she said, look, I've asked you not to put lipstick on the mirrors, and the reason is it's so difficult to clean off.
It doesn't bother me as such; it's just so difficult to clean off. Joe, could you show us how hard it is to clean this lipstick? So he picks up the mop, dips it in the toilet pan, and rubs. He does that a second time.
He says, I have to do this three or four times before it all comes off. So you can kind of imagine that there was a lot less lipstick on those mirrors shortly afterwards.
And again, it's a similar thing: talking to our users, our people, in a way that makes the right choice correct. So, for instance, we could be talking about tying internal security breaches to bonus or performance, actually highlighting the impacts that particular breaches might have on the business, or even on the prices that you can offer to your consumers. So it's about actually telling people that their actions matter, and connecting it all the way through to how it will impact them directly.
And I think Maya Angelou, the American poet, basically said: they'll forget what you say, forget what you did, but they'll never forget how you made them feel. You really have to tie this whole storytelling matrix together in order to get your point across to people.
Don't just give them the dos and don'ts; give them the whys, the wherefores, the antagonist, the protagonist, the love story, the smoking gun, et cetera, whatever works for you. Use that storytelling and weave it into the way you communicate, and ensure that people will know why it's important to protect the data, not just because GDPR says so, but because it's important, and it's important to the trust that the users and the consumers have in you as a brand or a service.
So as you probably gathered from those earlier slides, it's not a case of if we get hacked; it's more a case of we're already hacked. And that's true.
In many, many cases, for everybody here, I doubt there are many companies in this room that haven't had a breach, or are in the midst of having a breach, or have been breached and don't know it. Very, very few organizations will actually not have been breached at all. So what do you do about it? Now, I'm gonna ask a question. You don't have to stand up and fold your arms and put your leg around your elbow or something like that.
But I'm gonna ask a question, which is: how many of you know that you have a formal and practiced cyber incident response plan? Okay. And that was some half-hearted hands up as well, right? "I think I do. I'm pretty sure I do. I'm gonna say yes." There's not many of you, maybe 10%. The average is around about 20 to 25% on the whole, as to having some kind of response.
And that's kind of obvious in a sense, because Gartner said last year that 80% of security budgets go to protect: they go to firewalls, basically, firewalls and blinky boxes, and paying expensive vendors to supply expensive services that supply maybe expensive results that may not be quite as good as you want. So only 10%, in rounded figures, goes into detect. So actually when you are breached, when you have been hacked, 10% of the budget is actually looking into being able to see that they've been hacked, and 10% goes into respond.
I think that 10% budget makes up the tea and biscuits for the meeting where they said, sure, let's write a plan, and then don't quite get around to it.
So this is pretty shocking, really. And protect is actually 15 years out of date. Protect was when we used to build a fortress; protect was when we had a defined perimeter of firewalls and blocks, and you had to come into the office in order to connect to the network, et cetera. Hands up if you work like that. Hands up if you can only connect to your network from inside your office and nowhere else. One. There's always one, isn't there? Although it was half-hearted.
Again, next time we ask a question, let's power those arms up. So it's incredibly rare. Our perimeter has become entirely perforated with holes to allow us to work. Now, kind of the good news is Gartner says that by 2020, they've looked in their crystal ball and taken a look, it's gonna be evened out a lot more. So roughly 60% will be spent in detect and respond.
Now let's focus on respond, because respond is actually the most important part, because it actually makes the most sense. Respond is something you really need to do, because it's definitely going to happen. Protect and detect, well, brilliant.
Yeah, they're the first layers in the onion, but let's actually make sure that we can get a plan together. So again, I've just covered this. So are you gonna be one of these companies that is going to put in place a plan for dealing with incidents when the time comes? Because again, to go back to Sat Adela, our consumers need to trust us. So let's get a plan together. I think this was a very carefully planned environment here, and what could possibly go wrong? But let's get a plan together, because the plan is what is most important here. And the very first thing is: create one team.
It doesn't matter how big your organization is, how many thousands or tens of thousands or hundreds of thousands of people you have. You have one team. There may be lots and lots of subsequent teams underneath, but they all report into one team. Otherwise you end up looking like this guy at the end here, because nobody actually knows: it's everybody's responsibility, therefore it's nobody's responsibility to deal with things. And as we're gonna see, the collaboration, the coordination, is absolutely vital. When we're creating this plan, you also need to practice the plan.
Now, there are different ways of doing this. There's obviously just running through the documentation and making a few phone calls. You can do a tabletop exercise. You can actually close down the business for a couple of hours while you do something, or even get all the C-level execs into a room without telling them and tell them they've then got to work out how to get out of the way of an incident. That's great. Or you can also ensure that all those little incidents that you have use the same process.
And then you know that that process is being worked and worked; it's being stress-tested. So it may not be a reportable incident. It may not be something that's big enough to make the headlines, but it's still an incident of some description, and it allows you to test it and work it and work it. We also need to collaborate, excuse me, we also need to collaborate and communicate. I obviously forgot the words on this slide, but the collaboration and communication is incredibly important. And this is the key thing here.
When we talk to our clients and our consumers about when we've had a breach, every single company that's made the headlines has made the headlines because they completely screwed up the communication and the transparency part. There's a major car driving service recently that hit the news. There was TalkTalk in the UK, for instance. There's Adobe, who've done this. There are so many companies out there that actually start to not even tell the truth.
There have been some blatant incidents of companies lying to their consumers about what's happened to their data and where their data has gone. That's the absolute no-no, because there's a guy called Troy Hunt. I don't know if anybody has heard of Troy Hunt, Australian, and he has a site called Have I Been Pwned, et cetera. Check him up: troyhunt.com. He knows when you've been breached.
And he tracks your responses. And in fact, he commends these four here. Now, I said I've not heard of endure Ethereum in the news; I read about them yesterday, funnily enough.
Now, when I talk about "have you heard of their breach?", I'm talking about in the major news outlets, et cetera. But all four of these, and a whole host of others, have suffered breaches but have been commended on the way that they responded to their customers, the way that they managed their customers' lost data and how they dealt with them. And that is the list of people that you want to be a part of, so your consumers actually end up with more trust in you than before the breach. And believe me, it does happen. A company called geo sec was breached a number of years ago.
Their response was incredible, and their sales, et cetera, went through the roof because people saw them as people they could trust. So, nearly done. Just remember, there are three things you've got to take away, three things; we're gonna try and keep them as short as possible. Embed that security through your organization; talk to people in the languages that they understand; give them the choice that is the right choice for them to take. Don't think it's a case of if; you have been hacked, I'd put good money on it.
And then when it does happen, don't forget to apologize. That's again a key aspect of this communication to your customers; generating trust is apologizing, but then be helpful, honest, specific: tell them what to do, why they need to do it, what the impacts of it are, how you're going to help them moving forward. And that doesn't always just mean shoving 80 bucks' worth of consumer credit checking at them or anything like that.
Actually, this is an opportunity to really, really shine. And that will be my closing point here: embrace the darkness. It won't be as bad as you think it is when it actually happens. Thank you very much. I'm here all day.