Cyber Spy Say: There's Bad News and Bad News

You're already infected. They're already inside.
It's not "game over" time, but you need to do something about it because it's just going to get worse.
But hey, cheer up: you're no different than anyone else.
Article by Amir Mizroch in WSJ Digits.
Emphasis in red added by me.
Brian Wood, VP Marketing

Ex-Cyber Spy’s Message to Board Members: You’re Not OK

In his new role as CEO of Darktrace, a cyber-security firm based in Cambridge, U.K., Andrew France OBE is meeting a lot of anxious board members at some of the biggest firms in the U.K. and abroad. The cost of cyber crime to the global economy is around $445 billion annually, with the U.K. alone losing $11.4 billion during 2013, according to cyber security company McAfee.
“The sad reality is that in every single deployment we’ve gone into we have found a preexisting infection,” he says.
That’s largely because targeted attacks that used to be in the provision of state-sponsored capabilities are now in the hands of cyber criminals who have found a market for their wares, he says.
And he should know.
Before joining Darktrace this January as CEO, Mr. France spent 30 years at the U.K. government’s signals intelligence agency, GCHQ, as its Deputy Director for Cyber Defense Operations. His job was looking after the U.K.’s “crown jewels” – the crown’s most sensitive data.
“A few years ago, cybercriminals were the types that had to have gone to university, had to be able to code, had to know Linux and Windows, and had to know how to operate in that space. Now you can go on the Internet and download an exploit kit that basically asks you: who is it you want to target? Somebody’s selling that to you. And now I can do all of that from my mobile phone anywhere on the globe. A company will never be able to keep up with all that. What they can do is manage the risk more effectively,” he says.
His company, which relies on sophisticated mathematical models that detect cyber security threats, has announced that two other former high-ranking cyber intelligence officials, this time from the US National Security Agency, are joining its executive team.
Darktrace, he says, is growing fast, mostly because the “wild west” of cybercrime is outstripping companies’ ability to keep up. In fact, they’re never going to keep up. The trick, he says, is for company executives and board members to realize that data now represents the real wealth of their corporation, and decide how to deal with the risk to it.
“This is a board-level issue now. Boards need to put information security onto their corporate risk register. In 2014 this has got to be just as much as they think about disaster recovery, supply chain and credit rating,” he says. Mr. France says technology that’s going to be developed in the next twelve months — technology that hasn’t even been thought up yet — will be immediately used for nefarious purposes. And that’s why companies need to think differently about how they look after their data, their “crown jewels.”
Mr. France recently sat down for an interview with The Wall Street Journal.
Edited excerpts:
WSJ: If the Internet is the Wild West, who are the bad guys?
Mr. France: Trying to attribute who does this is really hard, because who is the person who’s actually hitting the Enter key? The cybercrime community is made up of a group of people whose only job is to reconnaissance a network and find a way in. They’ve worked out that they can sell that on to the people that will put a first-stage implant down. Those will then sell that to people who do manipulations and who can move data around, who will then sell that on to people who can cash out through things like bitcoin in a way that defeats all of the regulatory, police, and investigation capabilities. This is growing in a really spectacular way. A few years ago it was one person trying to do all of that. But now it’s a large-scale business. So back to the Wild West analogy: the traditional cyber security market is a bit like the undertakers after the bandits have been in town. Their job is to pick up the dead bodies, bury them, and they’re given a round of applause for how fast they’ve tidied up.
WSJ: Are there enough technologically-savvy people on U.K. boards to take on this challenge?
Mr. France: Some see it as not their problem. When they got to senior positions, if they came up through the analogue ranks – not the digital ranks – they haven’t realized that a lot of the value of their company is in the data. Also, cyber security is a traditional IT function, so it’s the IT guy who is trying to spend money to build this false sense of security. This creates a perverse incentive where someone says, “tell me everything’s OK, you’re my IT guy and I’m paying you a lot of money, tell me everything’s OK.” And the IT guy says everything’s OK because he’s under pressure to say that. But it’s never OK. It’s not a matter of if, it’s when. This is going to happen to you.
WSJ: So what does a smart board need to do?
Mr. France: Get a really good Chief Security Officer or Chief Risk Officer who comes in and owns that risk for the board. Sometimes a CRO will own the physical and cyber risk. Ideally what works best is a chief information risk officer that owns the risk for the information as well as the benefit from it.
WSJ: Do these job titles even exist?
Mr. France: They do, under slightly different names sometimes. In the US there are a lot of CROs; in the UK there are a lot of CTOs who have either a CRO function or a chief information risk function. The important thing is that the boards have to look at somebody and say, “You own the digital information risk for this company.”
WSJ: Is that happening at FTSE boards?
Mr. France: To some extent, but, for instance, the ten most wanted jobs in the US now didn’t exist as a function ten years ago. These are new roles. So everyone’s trying to work out what this means. They need to ask: What risk am I carrying?
WSJ: How would you rate FTSE 100 boards in terms of their cyber savvy?
Mr. France: I think it’s beginning to resonate. The U.S. has always been ahead of us, because they’ve had really bad things happen, and people have lost their jobs over that. If we don’t manage this in a sensible way, the next big event that happens in the U.K. — because there will be one — will become the precursor to everything that happens afterwards. So if, for instance, there’s a large data loss at a large company, everybody on the board gets fired, then the perverse consequences of that are that it’s going to be harder to do cyber security. I see it all the time: you go in and say, “This is happening in your network.” And the guy goes, “I don’t want you to tell anybody.” They’re afraid, because they’ve probably spent a lot of money on cyber security. But if your IT guy tells you your company is absolutely secure, sack him, he doesn’t know what he’s talking about. It’s much more nuanced than that.
WSJ: Are they getting it?
Mr. France: It’s hard to say because I’ve been that guy outside the door myself, where I’ve gone in and said that we’ve found stuff, and they didn’t want anybody to know, because this could affect the share price. It creates a perverse incentive at the very time when you should be sharing information, and talking about the problem, looking at standards, capabilities and training.