Our panel tackles these questions, and looks ahead to what challenges will be faced in a world of artificial intelligence, quantum computing and the internet of things.
The panel is made up of:
Greg Griessel (GG), solutions architect, Cisco
Herman Young (HY), global chief of information security, Investec
Reagile Moatshe, head of supplier finance, Investec for Corporates and Institutions, was the moderator.
GG: “Distributing the necessary security controls and making sure that those are now enabled is definitely at the forefront for most people out there. We've seen shifts towards the cloud, towards many innovative new ways of working to enable people.”
HY: “The attack vectors have changed now that so many people are working remotely. The most prevalent attacks we're seeing across the industry globally are cyber extortion attacks, where they try to compromise data and install ransomware.”
Why cybersecurity is so important for shareholders, customers, and all other stakeholders
HY: “For me, trust is at the core of our business. Investors need to be able to trust that their data is safe, that their finances are safe, that the systems are available to operate. What we should do from a business differentiating point of view is to expose or to make visible that trust, or make it tangible.”
GG: “One of the things that companies can do is to make sure that their cybersecurity frameworks are built off a foundation that is standards-based – something that they measure, something that the industry is using. Then they can say: if you have these controls in place, we can be assured that you are at a level of some cybersecurity.”
“When we look at the regulatory frameworks, we need to balance and make sure those are in touch with exactly what the company is doing, otherwise they are going off on a completely different tangent. Ultimately we need to standardise.”
On scorecards and why having a cybersecurity framework in place is essential in order to get industry buy-in
GG: “Irrespective of the industry and what other companies are doing, you need to work according to some form of a cybersecurity framework. That sets the baseline for what you do beyond that and I think if everyone can set some form of a standard, some form of an ISO standard, it definitely helps.”
“We need to work out a way of doing that in a tangible way, to understand where the bad actors are, what we are protecting against, and then, from the other perspective: look at how those threats are being propagated. There should also be some consistency in the ways of looking at it and making it relevant in terms of the scorecard.”
“If we look at the scorecards that we currently have out there, a lot of them are outward-facing and that isn't always a true reflection of what the company is doing on the inside.”
HY: “There are a few companies in the world that already produce cybersecurity scores based on the information they can glean from the internet. I think it's critical that we all, as an industry, buy into the scoring system we decide on, or the methodology and algorithms. I think it's critically important that we take the lead on this.”
Staying cyber secure requires a healthy dose of scepticism
GG: “The more secure we are for customers, the better it is for the industry as a whole and of course if we can prevent cyberattacks and loss of data, all the better.”
HY: “I can promise you that the moment [a score board] is industry-wide, the only thing a company’s board will want to know is: what's our cyber score? I think that will make the whole industry more secure.”
Where is the industry at the moment? Are we doing enough?
GG: “One of the things that we're seeing is a move towards a solution-centric / holistic approach. It's about how we look at the entirety of your cybersecurity challenges. What are the frameworks? What are the controls? What do you need to have in place? And then putting together end-to-end solutions to make that happen.”
“We've seen consolidation of vendors within the space and the reason for that is because more and more vendors are trying to get that end-to-end holistic approach with a customer.”
HY: “I think the biggest issue is that the industry tends to be super reactive: we have regulation; we have controls; we have politics in organisations; we have silos. None of those things work in our favour.
“Companies have to employ a strategy of saying: I've got this technology, it's not effective anymore so I'm going to rip it out and replace it with something else. The vendors and suppliers of these technologies have to be comfortable with that.”
Are vendors moving fast enough to meet the challenges?
GG: “Obviously having the right product and the right flexibility for the customer is essential. But then we have to make sure we can meet the challenge of what the attackers are doing by augmenting that against the right level of threat intelligence.
“We can block as much as we want but we know someone's going to find a way around it, so ultimately we want to try and get to the source and try and help take it down.
“Partnering with law enforcement, with regulatory programmes and all those types of things, is really essential.”
HY: “There are a few large cybersecurity companies that get this right. They're generally the more niche companies with a specifically defined product and solution focus.
“Cybersecurity at the end of the day is an adversarial game between people. We are basically playing a cat-and-mouse game.”
HY: “The opportunity for Africa is to see if we can leapfrog and learn from others. Maybe cloud is the answer: we put all our systems in the cloud and that means we don't need as much bandwidth.”
GG: “Ultimately, what we are trying to do is make sure that any technology that is put down has still got some form of that cloud backing and the cloud protection that goes with it.”
Some words on the future
GG: “Firstly, cloud is definitely the approach for the future. You are going to see more and more investment into cloud-based technologies.
“Secondly, how do we use more automation orchestration, machine learning, artificial intelligence, and (probably more in the future) things like quantum computing?”
“Thirdly, is investment into education and making sure we get to the level where the whole industry understands the need for cybersecurity and how they ultimately invest in it. One of the responsible things we need to do, from any vendor point of view, is to provide education back into industry and make sure that it is widespread.”
HY: “In the future, you will see increasingly more automated attacks and I'm not even talking about machine learning or artificial intelligence. I'm talking about scripting, just automation.
“If you get into the artificial intelligence type attacks, that will be another ball game altogether. What that will then imply is that your defences will have to be automated as well – you can't manually defend against an automated attack.
“Quantum computing is another risk we should be aware of as it may render all our current encryption obsolete. Some people are saying it's 20 years off, but it's almost the next Y2K problem. We have to start building quantum-resilient encryption today because replacing all the encryption will take time.
“There's even a risk to cryptocurrencies and blockchain with quantum because at the end of the day, it's all just public and private keys and if you have a quantum computer that can guess the private key of your Bitcoin wallet, the attackers can access it.
“The Internet of Things (IoT) and Operational Technology (OT) security are also of concern. Most of these devices don’t have any security built in; on some devices you cannot even set a password. Once these devices are connected to the Internet, especially with the adoption of 5G, you may be inadvertently exposing your home network or company network to attackers.”
About the author
Patrick writes and edits content for Investec Wealth & Investment, and Corporate and Institutional Banking, including editing the Daily View, Monthly View and One Magazine - an online publication for Investec's Wealth clients. Patrick was a financial journalist for many years for publications such as Financial Mail, Finweek and Business Report. He holds a BA and a PDM (Bus.Admin.) both from Wits University.