André Pienaar: “Welcome to the C5 Channel. C5 is a specialist venture capital fund that invests in cyber security, cloud computing and artificial intelligence. Today Arno Robbertse, the chief executive of one of our portfolio companies, ITC Secure, has come to have a cup of tea with me here in London. Arno, ITC Secure advises some of the world’s leading corporations about their cyber security. Your conversations with the chief executives and the boardroom directors of these global corporations, what’s on their mind as they go into 2019 and they consider their cyber security risk?”
Arno Robbertse: “Thank you very much André. And thank you very much for having me here today at C5. Working with these executives over the last 20 years, helping them manage the risk of cyber, we’ve really seen it develop over the years from the early days of the Internet to the advent of security applications and security at the perimeter, focusing on the insiders and our people inside our companies. But right now the big threat they’re all worried about is the risk in their supply chain, the companies on which their own business depends upon, the companies which they share data with and who process the data on their behalf. These third parties are risks not just to their revenue and their ability to operate but also to the obligations that these companies have to their own clients and the regulators.”
André Pienaar: “This reminds me a bit of how the application of the Foreign Corrupt Practices Act evolved because initially it was all about managing anti-corruption risk inside the enterprise and then increasingly it became about your partners, your vendors, your suppliers. It seems as if the same thing is happening in cyber security. Are there tools at the disposal of enterprises for managing this third party risk, the risk that’s essentially sitting outside of the enterprise?”
Arno Robbertse: “That’s exactly right André. This is a very new area that enterprises are having to grip at the moment. For the time being, the way they have been solving this is through their own contractual, through contracting correctly with their partners but also through doing manual questionnaires. So asking their partners, how do you address cyber risk and a few key questions.”
André Pienaar: “Sounds very labor intensive.”
Arno Robbertse: “It is both labor intensive but it’s also a snapshot in time. The day after this questionnaire is filled in there may be a new vulnerability or a new breach that could compromise their supply chain. So these executives are realizing this is something they need to be able to track and monitor on an ongoing basis and also they need to be able to obtain objective information that is not just questionnaires filled in by the company. And this is one of the areas that we’ve seen change very, very fast in the moment with the use of tools such as cyber security ratings. So outside-in views of any company in the world in order to assess their cyber security defenses, both in terms of the technical controls and process they might have in place but also be able to identify whether a breach has actually happened and the company might not be aware. The third party might not be aware.”
André Pienaar: “This sounds a lot like credit risk ratings which of course has been with us in the business world for some time. And we’ve got some very big global brands around some of these rating agencies. Do you think we’ll end up in a situation where every firm, every enterprise will get a cyber risk rating that will impact whether someone wants to contract with them, want to do business with them? How do you see that developing?”
Arno Robbertse: “We’ve already seen a few of these rating providers gain traction in the market and have their cyber security ratings bound into either third party contracts or actually from investors binding in what the cyber security rating of their investment company is and holding them and obligating them to maintain that rating throughout the life of either the contract or the investment. And with these cyber security ratings as they do with credit ratings, you’re able to compare two companies. You’re able to aggregate that up into an industry risk. So you’re able to create benchmarking and establish highs, lows, medians, where we want to be as a company. There’s another metric for executives that can be objective to help them assess where is their own company. And I think what companies forget there sometimes is they are a third party in their own right. So we’re helping a lot of these businesses look at themselves so that their own contracts and their upward chain doesn’t come into any kind of compromise.”
André Pienaar: “This sounds like a terrifically useful tool not only for global corporations and enterprises but also for private equity and for venture capital. And as you say, you can assign a risk rating to a company and ask them to maintain that for the life of your investment which from a venture capital perspective is terrifically helpful.”
Arno Robbertse: “And now with the services that ITC and others have built around that we’re able to deliver that on a continuous 24 hours a day basis. So it’s no longer just a snapshot in time but it is live to within a couple of hours. So therefore reducing the amount of time that any, reducing the time there for the impact that any cyber breach may have on your investment or your third party.”
André Pienaar: “Well that sounds transformative. What are the other areas of innovation that you see chief executives and boardrooms are finding useful to manage their cyber risk? What are the other areas of innovation that they also worry about?”
Arno Robbertse: “We’ve seen a lot of businesses embrace digital transformation and have a cloud strategy or cloud adoption strategies. And with that opportunity of that processing in the Cloud, the flexibility and the opportunity that comes with that it also comes with risk and it comes with security aspects.”
André Pienaar: “Well, here at C5 we are great believers in the transformative power of the public cloud. And certainly one of the big changes I’ve seen in my career as both as a cyber security professional but also as an investor is how cyber security has moved into the Cloud. And with world class companies like Microsoft, Google, Amazon Web Services the public cloud has become perhaps one of the best and most secure cyber security options.”
Arno Robbertse: “And I think you’re exactly right. And what these providers such as the Azure Cloud, the Amazon Cloud or the Google Cloud have done is they have also found out where their responsibility begins and ends. So with the new shared responsibility models that these cloud providers have put in place it is greater clarity to the companies about what the responsibility is, number one. And these cloud providers are making the tools and technologies to secure the cloud and advised to secure their cloud solutions more readily available to companies. So understanding where that responsibility begins and ends, has been great clarity for businesses in recent years. But the cloud migration and the digital transformation strategies remain a high topic for executives.”
André Pienaar: “That’s tremendous. And we’ve heard so much directly from the large cloud providers about how much they are doing to really drive cyber security to make the public cloud even much safer than using your own data center. And I think that’s going to be a key driver for digital transformation going forward.”
Arno Robbertse: “Completely and in the early days of cloud these providers gave you the infrastructure, easily accessible, easy to use through user interface and the rest was your responsibility. They are now realizing that if somebody’s using their platform on Azure or AWS or Google and they have a breach, there is some shared responsibility to the provider even if it’s perceived by the public or by the company. So they are being much more pro-active in how they help companies.”
André Pienaar: “Well great institutions like the BBC are architected on the public cloud and use the public cloud not only to protect their listeners but also to drive their own digital transformation strategy. And I’m sure that’s a great source of comfort to all of us. Arno what are the other areas that you see chief executives are worrying about when they look at the cyber security landscape for 2019?”
Arno Robbertse: “A really important aspect has been the changing regulatory landscape that we’ve seen, not just in Europe but globally.”
André Pienaar: “This, you’re referring to things like GDPR?”
Arno Robbertse: “That four letter acronym that was almost unavoidable in 2018. But that was just focusing companies who have a presence or operate in Europe.”
André Pienaar: “Which is pretty wide given that many U.S. corporations, companies from Africa, from Asia, the Middle East, all have some exposure to the European market.”
Arno Robbertse: “And a lot of these companies didn’t realize the level of their exposure until they began to look. Which really is what GDPR was intended to do. For companies to look themselves in the mirror and ask themselves: What data do we collect, do we have the right to collect it, how are we processing it, who else has access to it and how are we securing it? So that’s been a great maturity for companies who touch on Europe. But also as we look into 2019 that regulatory landscape is due to change even more with the ePrivacy Directive in California. There’s going to be a tipping point as to how the U.S.”
André Pienaar: “The ePrivacy Directive, tell us a bit more about that.”
Arno Robbertse: “It’s a specifically, a data privacy directive focused on the State of California and very much like GDPR, imposing requirements on the processing of personal data and the disclosing of companies about how their data’s being processed and making sure that it’s being collected in the right ways. And if that were to be successful and gain traction in California, be very interesting to see how that expands through the rest of the states in the U.S. Then on the global footprint we’re seeing changing data privacy regulations in South Africa. There’s new ones coming in India, Japan, Australia. So looking to capitalize on this best practice and this big example that GDPR has set in Europe. In addition to that we’re also seeing the first GDPR related fines being imposed on companies now at the moment. So that’ll give a lot of indication for companies to take this even more seriously.”
André Pienaar: “Well privacy and cyber security increasingly seem to be coming together as almost one issue. And the value of our data as consumers and users is, I think, now definitely being recognized and hopefully that will also raise awareness amongst consumers and users that they have a responsibility to protect their data, to make informed decisions about who uses their data and how they apply their data. But this area of cyber security is expanding and growing by the sounds of it. And with regulation, I guess, comes litigations, so much more difficult issues. Are there enough people, are there enough professionals in the space, where is the talent coming from?”
Arno Robbertse: “Talent is one of the big issues that both companies and service providers in the area of cyber security have. It is a new growing, ever-expanding market with new degrees being offered at university and new additional training courses, governments more recently focusing on apprenticeships, retraining and bursaries in this area. But it’s still the number one shortcoming that we have in the sector. If we read some of the statistics then in 2019 already there will be over one million unfilled cyber security jobs globally. So being able to attract, incentivize and retain talent is absolutely key. And that’s a very important part for ITC because that is what we make available to our clients, being able to bring those talented individuals in to give them an environment where they can do challenging, rewarding work, focus on their personal development and build up their skills to the benefit of our clients.”
André Pienaar: “And diversity must be part of the solution here. Finding talent amongst people who have not historically been given opportunity to work in the cyber security space and also being more diverse from a gender perspective. And I was delighted to hear that the Digital Minister for the U.K. today announced the start of a cyber training school specifically focused on women leaders in cyber technology. Diversity is a very important theme that we follow and believe in here in C5. And that seems to be part of the solution also in cyber.”
Arno Robbertse: “The attackers that are launching these attacks against us, us individuals and our companies globally every day do not come from the same race, creed or gender. They do not follow the typical education process that we’ve seen through IT into cyber security in the past. They come from very diverse backgrounds. Therefore the teams that we build to defend our infrastructures whether it be through technology, through training, through the governance and risk management of cyber security, we need our teams to represent the attacks that we are facing.”
André Pienaar: “Arno it was terrific to have you over for a cup of tea. Thank you so much for coming to talk to me. We can go on for hours more but we’ll wrap it up there.”
Arno Robbertse: “Thank you very much André.”