David Mahon, Global CISO, Deloitte: Globalizing Information Security Strategies Across the Ecosystem


The following article is an example of the peer-focused research that HMG Strategy will begin delivering under the HMG Research Stack service starting in August 2021. To learn more about the Research Stack and the full suite of offerings available to business technology executives, contact info@hmgstrategy.com.

2020 was the “worst year on record” in terms of the 37 billion records that were exposed for companies and government agencies, according to Risk Based Security’s 2020 Data Breach Report. Meanwhile, the FBI has reported a 300% increase in reported cybercrimes since Covid-19, according to its 2020 IC3 Report.

For David Mahon, building and globalizing a cybersecurity program was the primary reason he joined Deloitte in 2018 as Global CISO, where he plays a critical role in safeguarding global operations.

HMG Strategy recently spoke with Mahon about his 27-year career in the FBI and how he’s applying those insights to information security at Deloitte on a global scale.

HMG Strategy: There have been a lot of cyber risk developments on a global level, with SolarWinds and the Microsoft breaches. How do you manage everything all at once on a global scale?

David Mahon: We’re always busy. As I try to explain to people, it’s a risk management discipline.

One of the challenges in the industry has always been the amount of people that have gravitated into cybersecurity from IT where it’s about standing up the network and looking after health and maintenance. This is very different. Cybersecurity is doing all of that and understanding that you’ve got all these bad actors trying to breach everything.

There’s a whole different mindset of the people you hire to do that — how you study the adversary, how you watch them, how you figure out their next move — hopefully before they execute on you. Then, you start building in controls to mitigate that.

What’s most top-of-mind for you in setting a strategic context out there for CISOs and our tech community?

DM: What I find — and really why I came to Deloitte — is identifying where I can bring some value. How do you globalize the cybersecurity for your organization when you’re in Deloitte with 350,000 people, spanning 150 countries and serving every vertical from classified government agencies to retail? How do you globalize cybersecurity and find what the challenges are in one theme?

I wanted to consolidate and build out a global cybersecurity program. And that’s what I’ve been doing for the last three years.

The second theme is, ‘How do you actually develop your talent to do that?’ and ‘How do you change a culture?’ At Deloitte, you’re going up against 175 years of culture and I always say ‘Culture trumps strategy every day of the week.’ So, how do you go from several member firms that have their own CEO, COO and where some have a CISO, to ‘Let’s centralize as much as possible,’ but still be able to meet business needs? The answer to that is trust. That’s really what it takes, at the end of the day. People have to trust you.

What I always found helpful for younger generations is asking what exactly do they need to do throughout their career to professionally develop to take them as far as they need to go? That’s a huge challenge in this industry — how do you work your way up? I do a lot of coaching and fortunately, at Deloitte, we have a big training program, but employees have to figure out what’s in it for them as a profession. What’s in it for them to serve their clients or their corporation. Then, what’s really on the horizon coming up and if they can leverage opportunities such as HMG events to leapfrog where they are today and network in a way that helps them out in the long run.

CISOs still have room for improvement in being present in the C-suite. Do you agree?

DM: That’s true, and a lot of it is because they’ve been lower in the organization. Number one, as doers, is one way to look at it. The second thing is, if you think about cybersecurity and training, whether it’s ISACA or wherever you might get it from, it’s very tactical in nature.

I had the good fortune of being in the bureau (FBI) and the bureau teaches leadership, strategy development, and implementation globally. You were able to take what you did in that area and come into the corporate world. I just built a whole global strategy with my team, but it took a lot of time sitting with the strategy department for Deloitte and really digging into the details about how we are going to go to market further. We know where our $47 billion comes from today.

You’ve got projections to grow the business, but what’s that trajectory look like? Along the way, you’re using the cloud. You’re using other capabilities, work-from-home. There’s a way to map that all out in a way that you don’t have 20 different offices using 20 different collaboration tools, some of which you have no idea what the security vulnerabilities are. You can build teams in a way to do processes before things get into your space so they’re secure. So, it all depends on what you want to do.

You’ve got to understand that adversaries are bigger, faster, and smarter than you are, and they’ve already globalized. When people say ‘globalization,’ I keep trying to tell them that ‘your competitor is already globalized.’ If you look at the adversaries in their network, they’ve built an attack infrastructure that’s all over the world. They hop through that attack infrastructure through 6 countries before they hit you in the U.S. So, while you may not be globalized, your competitor is, and you’d better do something about it.

What’s the key messaging you want to share with CISOs and other executives?

DM: I would say globalization — understanding globalization by the way of your adversary, by the way of the attack surface and the delivery of their attacks. Understanding how — regardless of how big or small you are — you’re going to have to be prepared for that. What should vendor security look like? Should there be an industry standard? If you’re in the telecommunications industry where I was, and you were building network equipment, you had to meet certain standards before you could sell it as a vendor. Even with that, the corporations had a whole research team that tore it apart before they put 25,000 routers in the network.

If you look at it, the SolarWinds attack contained a couple of things. Obviously, they were going after the government, but they were going after your infrastructure. You’ve got to start to transition to — and you could see it with ransomware — infrastructure controls that were traditionally less of a target of the criminal element. They were always a target of the nation-states because you go to war. Look at what we did in Iran and Iraq — we took out their infrastructure first before we put a boot on the ground.

Going back to Iran and Iraq, you mentioned we took out their infrastructure first. Are you talking network infrastructure and technology infrastructure?

DM: Telecommunications infrastructure. You take out their command and control first. That’s what really caused the confusion in the Iraq war for the Iraqis. You take out your ability to communicate. If you take that out, what are you left with?

Key Takeaways:

  • Acknowledge that adversaries are already bigger, faster, smarter, and more globally coordinated than corporate cyber teams are, but organizational cyber teams must become globalized to avoid severe disruptions.
  • Trust is the main component in building an effective cyber resilience program with the Board and C-suite.
  • Understand globalization by the way of your adversary, by the way of the attack surface and the delivery of their attacks. Then identify how prepared your organization is to handle and mitigate an attack and take the steps needed to address the gaps.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.

Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our global network of member firms and related entities in more than 150 countries and territories (collectively, the “Deloitte organization”) serves four out of five Fortune Global 500® companies. Learn how Deloitte’s approximately 330,000 people make an impact that matters at www.deloitte.com.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms or their related entities (collectively, the “Deloitte organization”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser.

No representations, warranties or undertakings (express or implied) are given as to the accuracy or completeness of the information in this communication, and none of DTTL, its member firms, related entities, employees or agents shall be liable or responsible for any loss or damage whatsoever arising directly or indirectly in connection with any person relying on this communication. DTTL and each of its member firms, and their related entities, are legally separate and independent entities.
