Neuberger Berman's Ganim: CISOs Have Their Work Cut Out

Ganim's address focused primarily on the challenges facing CISOs from a variety of sources, which, due to their scale and degrees of sophistication, are unlikely to be satisfactorily dealt with anytime soon, given that during 2012, the number of devices connected to the internet globally exceeded the world's population for the first time, according to Cisco research.

If anything, the acuteness of the data security challenge facing CISOs is only going to intensify—Cisco estimates that by the start of next year, the number of devices connected to the internet will be in the region of 15 billion, while by 2020, that number will grow to 50 billion devices, equating to seven devices per person.

"Bring-your-own-device (BYOD) has helped significantly to contribute to these numbers," Ganim said. "Will any of these devices, whatever the number might be, be capable of accessing or storing your data? Of course, not all devices will be a threat, but even if just a small percentage of them are a threat to you, that is very alarming." 

Citing Sophocles
Ganim opened his address by citing a quote attributed to the Greek playwright and dramatist Sophocles: "Do nothing secretly; for time sees and hears all things, and discloses all."

Ganim said that if Sophocles were around in today's corporate environment, he might want to amend his quote to reflect the need to keep certain information relating clients, employees and business partners confidential. "Data privacy is critical to all and seeing Sophocles is no longer around, I've taken the liberty of updating his quote to better reflect our current time: ‘Technology, like time, sees and hears all things, and discloses all.'"

I can assure you that in the days and weeks to come, you will be bombarded with more headlines of hacks here and breaches there, but let me tell you, that's very misleading ... because the truth is, it's much worse than all of that.

BYOD
The most pertinent section of Ganim's address dealt with the challenges facing financial services firms when it comes to cyber threats. "The advances in technology have drastically changed the relationship between work and personal life. The use of personal devices to access data is growing rapidly, and there are advantages to both employees and firms in terms of cost savings and convenience," he said.

"However, you need to have a robust BYOD plan in place to take full advantage of the benefits offered by BYOD, while still adequately protecting your data. The BYOD policy needs to be well documented, it needs to identify which devices and operating systems it allows, and you need to determine whether data will be stored on the device. If so, you're going to need some kind of mobile device manager to secure that data, and an understanding that the firm owns the corporate data stored on all personal devices," Ganim said.

How Bad?
Looking ahead, Ganim commented on a question he hears regularly from colleagues pertaining to the acuteness of cyber-threats. "How bad is it out there? I thought about showing you a list of the latest breaches and the cost estimates—and there are many—but I would rather summarize it this way: I can assure you that in the days and weeks to come, you will be bombarded with more headlines of hacks here and breaches there, but let me tell you, that's very misleading ... because the truth is, it's much worse than all of that."

Ganim used a shark as an analogy of the various cyber-threats capital markets firms face, where the shark's fin represents reported breaches where the visual confirmation of the fin gives rise to caution.

"However, the greatest threat lies below the water's surface and it is what we tend not to see until it is too late," Ganim said. "This is the unreported breach—we don't know what it looks like, we don't know who did it, why it was done, or what the impact will be. We don't know this because there is no visual representation. Most breaches are never reported, so the visual truth—what we read in the headlines—is not consistent with the factual truth."

In Closing ...
Ganim closed by offering advice to attendees with respect to how best to go about managing the cyber threats that all capital markets firms will inevitably face. "You must pay attention to the warning signs, but don't make the mistake of feeling so overwhelmed that you throw your hands in the air and give up," he said. "Also, don't make the mistake of being so rigid in terms of policies that it might impede your organization's ability to serve its clients—the most resilient, successful organizations are the ones that are both realistic and proactive regarding the risks that might lead to them being vulnerable."