SC Magazine interviews WhiteHat CEO Craig Hinkley during RSA 2016 about the state of cybersecurity and the importance of application security.
Terry: Hello everybody! I’m Terry Robinson, Associate Editor at SC Magazine. We’re coming to you today from the RSA Show in San Francisco. I have with me Craig Hinkley, he’s the CEO of WhiteHat Security. Hi Craig, welcome!
Craig: Good day Terry! It’s great to be here with you.
Terry: Web application vulnerabilities continue to underpin attack methods used by cyber criminals to breach wider infrastructures. What web application security approaches can best protect data and applications especially in the Cloud?
Craig: So maybe first let’s talk about the size of the problems. It’s important for folks to understand that data breaches represent $364B in the industry. I mean, it’s massive and the breaches are increasing. In a 2013 survey, 62% of respondents said they had a data breach. In 2014, that went to 71%. We don’t have 2015 yet, Terry, but I can tell you it’s certainly going to be larger than that. So when you think about it, this is a major problem. When companies now are looking at their overall information security and cyber security programs, what they’re realizing is that 35% of their data breaches are coming from web applications, yet only 3% of spending in IT is going towards web application security. So the first thing I think everyone can do, they can really look at ways of allocating the budget to go address a third of their data breach problems. Really, it’s about how you bring a continuous scanning technology to the table that allows customers to really understand where their vulnerabilities and risks are and then how do they prioritize those to then go mitigate those vulnerabilities and risks. The challenge we have in the industry is that we’re in a talent deficit. There are a million jobs open right now inside cyber security.
Terry: So how can enterprises protect data access through web applications and safeguard them against incursions via the web? What about effectively identifying, assessing and protecting the websites from direct attacks?
Craig: The first thing that a customer needs to do is detect. They need knowledge, “where am I vulnerable, where am I going to be hacked”? In the past, people have tried to use tools, but tools are costly, they’re expensive, they have high false positive rates, so it really leads to companies not knowing where to focus. So part of that is, how do I get a detection mechanism and knowledge information that combines tools and human expert intelligence that gives you actionable credible intelligence to go, and know where to focus. The next thing is, once you detect it, how do I then go protect my websites and web applications in near real time.
Terry: Over the last year in particular, there’s been a lot of buzz around how security leaders should talk to the C-suite and board about security. Why do you think this has gotten so much attention in reality?
Craig: It’s to a point now where the reliance of companies on their e-commerce, their digital business… everything is monetized through the web. I think the importance is becoming so relevant to the boards because they understand if there’s a breach, then they are not just dealing with the financial implications now, it’s the IP, it’s the brand, and it has real monetary impact on the financials of the company. Also, the regulatory requirement has stepped up, and as I mentioned before, the FTC in the US can now walk in and fine a company. I was talking to the chief compliance officer of one of our major customers and he was expressing this concern that, while the FTC can fine you, they have actually not put out any real guidelines around that. So I think part of this is the board is realizing that they have to now be accountable and responsible for the overall posture from a cyber security perspective, and they are going to be held accountable. That’s why, when you look at a CISO today, they’re really challenged with, “I’ve talked about cross-site scripting, and I’ve talked about SQL injection”, but boards don’t care about that. Boards care about “what is the program they’re putting in place” to address those risks, and what are the KPIs we can use to show we’re making progress, so the CISO has really got to translate the technical aspects to real business outcomes and both business and operational risk. That’s what boards care about, and at the end of the day, a successful CISO has got to be able to pivot and provide the technical information for his technical audience and stakeholders, but now really the business and operational risk metrics towards the board, because a board doesn’t want to be fired, or a CEO doesn’t want to be fired because they got breached and then, lo and behold, they haven’t been doing the right things internally to address those issues from the outset.
Terry: Well Craig, thank you so much for joining us today.
Craig: Terry, it was an honor and pleasure. Cheers!