From Las Vegas, it's theCUBE. Covering IBM Think 2018, brought to you by IBM.

We're back, IBM Think 2018. This is theCUBE, the leader in live tech coverage. My name is Dave Vellante and I'm here with my co-host, Peter Burris. We're talking all things cloud, AI, blockchain, quantum, information management, information architectures. And here we're going to talk about resiliency. Pat Corcoran is the IBM Business Resiliency Global Strategy Executive, and Dr. Larry Ponemon is here, he's the head of the Ponemon Institute. Gentlemen, welcome to theCUBE.

Thank you.

Thank you very much.

All right, Pat, set it up for us. What's going on here at Think generally? And specifically, talk about business resiliency and what it means.

Well, I think at Think this year, we in resiliency have teamed up with security because there's a lot of synergy. When you look at resiliency, when you want to be adaptable, flexible, companies want to be able to adjust to situations quickly. The environment's changed. In the past, when you looked at recovery and resiliency, people thought about natural disasters. But now, this past year, it's been going on longer, but in the past year we've all seen a lot of major cyber events. So now resiliency has taken on a different view, a different approach, because it's not just the risk of a hardware problem or a site going down. Now we've got to address risk from cyber, and it's a totally different risk. So at this conference we've teamed up with security at IBM to try to present an integrated package, an integrated approach. And we're also working with Larry, sharing some results from a study from last year about the cost of a data breach and the importance of business continuity to cyber attacks. Because most people today, they're not ready. They might look at protect, they might look at detect, but they don't know how to recover from a cyber event. And that's what we're addressing here today.

So Larry, we're going to get into the study, but what's the Ponemon Institute? Why did you start it almost 20 years ago? Give us the background there.

So Ponemon Institute is a research company and we're laser-focused on cyber security, data protection, privacy, and other related topics. The reason why we started the institute: my background is in intelligence and security over a very long period of time. I hate to admit it, but over 45 years of experience. And the bottom line is we saw a real need for information. The decision makers needed to know what are the really significant issues of privacy or information security that could affect their organization. And we're very lucky. We chose an industry that was interesting and profitable, and every day there's a new issue. So you never run out of research ideas.

Amazing. I mean, the last 12 months, it seems like this is a game of escalation.

Oh, it's crazy.

You put on the TV and CNBC and all of a sudden there's every board of director from a credit bureau on there, a big word, breach, across the bottom. That's just a nightmare, right? But every day there's something in the news. And to your point, Pat, it just seems to be getting more and more costly to businesses.

It is more costly. And I think now when you look at the annual reports, when I go visit a customer, I like to read their annual reports. And the CEO and the CFO put down what risks they are concerned about. Almost every annual report now has cyber attacks in there because they have to be aware of it. And it's gotten so bad now. But like you said, the challenge is a hacker only has to be successful once. Companies have to be successful 100,000, millions of times stopping these people from getting in. And that's what we're trying to help them stop.

Black hats, it's a growth business.

Well, it's a game for them, it is a game. And they're good at it, but we have to be better. And that's the harder challenge. But virtually every company has been breached. It's like the NBA. I don't think any team has ever gone undefeated in the NBA, despite your hope for the Warriors.

Good game.

Good game. It can't be done.

So there, let's get into the study. And you've done this for a number of years. You've seen the patterns. What do we need to know?

Yeah, we know that the cost of a data breach is very significant. You know, you basically talk to CEOs and board members and you say, what's the cost of a data breach? And they get that glazy-eyed look like, how do we know? But we've been trying to benchmark and figure out what that true cost is. And it could be millions, tens of millions of dollars in an organization just recovering from a major data breach, let alone you lose customer trust and there are huge long-term consequences. Our cost of data breach study, sponsored by IBM, has done this analysis globally, and now we do it in 13 countries, and this current year is going to be 15 countries. We're adding two new countries. And the issues, even though there are cultural differences and geolocation differences, companies are companies. And all companies around the world are dealing with this phenomenon. And as Pat said, bad guys are getting worse, or better if you're on the side of evil. And their ability to get data and use data against organizations creates a huge challenge for organizations. That's why actually you need IBM. You need the right technology and you need the right tools, the right personnel to get the job done right.

So, I mean, at the simplest level, the cost of a breach seems like it would be a function of the probability of that breach times its impact.

Right, yeah.

And so what are you seeing in terms of those variables? Are breaches happening more often? Is the business impact greater? Are they both sort of proportional, or what's the relationship?

Yeah, the cost is climbing globally. What we find is that organizations are ill-prepared to deal with these problems. We also know that a lot of organizations don't have the internal talent, the people they need to be able to identify and respond to these problems quickly. Our findings show that organizations that are using leading-edge technologies and involve their BCM, the business continuity people, are much more likely to have a successful outcome. But it's a mess right now, honestly. And there isn't an organization out there that isn't subject to a major data breach.

Pat, when you talk to clients, to Larry's point, you ask them, do you know what the cost of a breach is? The vast majority presumably don't. Do you help them sort of quantify that, look at the business impact?

We can, and that's a great point. They don't know, and they haven't looked at it. One of the challenges is, in many cases, the security arm, the recovery arm, and the continuity arm, more people, they're all fragmented. They're run by different groups within a company. So we want to work with companies to bring them together. And so we can do a business impact analysis to look at what types of risk are you most concerned about, how vulnerable are you to those risks, and what would be the impacts, tangible and intangible. Because of your brand; you look at some of the names that have been in the paper. You're in the paper and you're there day after day because you're down for weeks. Your brand is being impacted. So that's an intangible cost, but it's a significant cost. So we do help you with an assessment.

So Larry, Dave mentioned that you've done this for multiple years. Last year's study showed that the improvement on time to identify and time to contain was about 5% over what had been the previous year. It's still not great, but it's getting better. Are we seeing this kind of 5% per year slog, and what do we need to do to start accelerating the rate of improvement?

Right, so the word slog is appropriate. You know, it's a slow-moving train, and you get organizations to make a small improvement, and that leads to, in the long term, a really good outcome. But unfortunately, it could go the other way. The bad guys are getting very talented, and so they'll see opportunities, windows to exploit organizations. And they want to hide their, they don't want the world to know that they've committed a crime. So the time to identify and time to contain may kind of move in the opposite direction. But in general, we are seeing small improvement. One way that organizations are improving is they're involving other experts, other teams. So it's no longer just an IT security problem or a compliance issue. It's more than that. As Pat mentioned, it's a brand issue, and bringing other people into the process has created greater efficiencies.

So I mean, the business people get into it. This is an IT issue? This is a business issue.

Well, we've done some work on this and thinking about what's the right regime for cybersecurity, and it's not just the CISO's problem or an IT problem. But what percent, well first of all, first question, what percent of organizations, and I'm not just talking about large organizations, think about your client base. What percent actually look at cyber as a board-level issue? Obviously, RBC today, Verizon, yes, it's board level for those high-profile companies, but across the board, is it 100%? Not even close. You just did a recent study, I think they looked at that, right?

Yeah, we basically saw board-level involvement. Do you view something as strategic or simply tactical? It's about 39% on the side of, yeah, we do. And then the remainder, they do not. And that's an inflated number, because when you ask people on a survey, they have a halo effect. They're more like this, oh, sure we do that. Sure we get our board and CEOs involved. It's again, that slog word, it's a slow-moving train, but we're seeing more and more boards getting involved. Also it helps, some of the new regulations that are coming down the pipe. There's a new regulation in New York State. It requires the boards of directors to sign off that they have had conversations with the CISO and they've identified the appropriate risk issues. So it's definitely moving in the right direction, but it's slow.

So I had a conversation with a chief privacy officer client a couple months ago. And she told me that they had calculated what would have happened with the Equifax breach if it had been subject to the fines that are going to go into effect over in Europe.

Right.

And she said that Equifax would have been hit with a $160 billion, with a B, dollar fine.

Wow.

Is that the type of exposure that we're really talking about here for companies that are not doing a good job, especially given some of the new regulations on the horizon?

Well, absolutely. Just today there was this issue with Facebook. You probably were following that issue, where Facebook released...

Oh, really? Who's Facebook? I don't know.

They're a small social media company. But basically they've released information, profiles, detailed profiles on individuals. And I think it was like 25 million, somewhere in that range. If the GDPR was in effect and it involved European citizens, they would put them out of business. There'd be no way that they could operate in Europe. It would be hundreds of billions of dollars. So it could be devastating, and compliance is on the move. There's no question that Europe is going to be very tough on U.S. companies that are not compliant with their law.

One of the things that Peter and I learned when we started talking to CISOs and boards of directors about this was that part of their business resiliency strategy was response. That they sort of knew they were going to get hacked. They've been hacked. Instead of telling the board, no, we've got it all covered, he said, listen, this has happened. It's going to happen again. One, more transparent. We're going to focus not only on keeping the bad guys out, but on how we can respond.

Containment.

Better. Containment and response in a more productive manner. How does that fit into your sort of strategy?

I'll say it from a recovery standpoint. When you talk about respond, it's recovery. And one, I think you have to look at the company. We have to help companies, and they have to look across the total enterprise. Because, as he spoke, I call it a domino effect. When you get hacked, or when some risk impacts your business, it creates another risk. It's a domino effect. And a lot of companies don't look at it that way. They look at, why did we get hacked? What does that mean? They have to sit down and really understand what it means to the business. And what could happen after? What could it create? And there's a lot of unknowns there. We're gaining a lot more knowledge here, but you really have to sit down and look at it. So the executive committee team at the board level, they have to be committed to this and sponsor it. From a resilience recovery standpoint, they haven't looked at it as strongly as they should have in the past. But I think this past year, because executives are being held accountable, they're losing their jobs, going to jail, now they're coming out asking for guidance. They're asking for help. And so in the recovery piece, we're looking at new ways of trying to protect, find ways to protect your data. And when that data is protected, can we figure out when, you know, something changed? Like when a hacker gets in, they make a change. They go in through your configuration information. Well, no one looked at that typically. So we're trying to find ways to monitor and track, detect these things when they happen, so that we can then figure out how far back you can go in the data. Because the data wasn't corrupted today, yesterday, five months ago. It's not an easy solution. But they've got to be committed, they've got to sit down, we've got to work together to help them figure out the best approach. And there's not one answer.

Larry, I notice you haven't thrown out the fear metric. You see this a lot, which is, the average cost of a data breach is 2.56783 million per second. Or, you know, whatever it is. Now, is that because you don't believe in that? And every situation is different. It depends on your market value, what type of data, et cetera, et cetera. Or is it because it's just too hard to actually quantify? I wonder if you could comment.

Well, we actually do, in some of our research, we attempt to quantify. We use activity-based costing. I only tell my friends this, but actually I'm a CPA and a PhD in accounting. So I know accounting pretty well. And we use an accounting method to try to figure out what the total cost is. It's not a perfect measure, but it basically is fairly objective and it's the best that exists. Not to sound egotistical, but I think we're the best in that narrow space of predicting cost. But it is difficult, because it does depend on a lot of variables. And a lot of organizations don't necessarily understand all of the different ways that a bad event, a negative, a significant breach could affect the bottom line. But we talk to all kinds of organizations about it. We do board retreats. I was telling Pat, it seems pretty popular that the board wants to get a newfound religion in privacy and security after they experience a disaster. And we work with them to try to educate them on these risk issues that Pat was referring to before. But it's an interesting time to be in this business. Lots of change.

Well, in the context of data breaches, I mean, you've pointed this out a lot, Peter, is people don't really have an understanding of the value of their data. There's no, except that accounting, there's no GAAP for data.

Right. In those circumstances, there's a huge information asymmetry. The bad guys know how valuable your data is. You don't.

It's a new currency. If you think about currency, data is a currency for people, for companies. And when you lose it, it's one of your most, you say after your people, your currencies are both critical assets.

We say the difference between business and digital business is data. Otherwise, it's the same thing. A digital business organizes, treats its data as an asset. But it is a problem that the bad guys are willing to invest more money, more time, more innovation into attacking, because they seem to have a better understanding of what the real value of data is than the good guys. And that's a problem.

It's a huge problem. You know, we see all of our trade secrets, for example, economic espionage is on the rise. The nation states, they're enjoying this. It's so easy for them to collect incredibly valuable information that we don't even know is out in the hands of a country. It's not even a competitor, it's worse than that. But fortunately, there's a lot of FUD, there's a lot of fear, uncertainty, and doubt, but there are really great things going on in terms of inventing new security controls. That's where I turn to IBM, maybe, when I get to deal with these issues.

So if I can ask one last question. Larry, what do we need to do to get people to acknowledge and properly place the value of their data? Anything we can do in the next six months?

Yeah, I think really the bottom line is you need to get your senior executives to see this as a strategic, not just a tactical, issue. And they could start immediately. I think doing this study for an organization, nothing we can do, but others can do this very well, to try to show the economic impact to an organization, especially one that's undergoing a digital transformation. And that's, as you mentioned, that's where the value of an information asset is just so incredibly high. And then you look at a company like that, a social media company like a Facebook. And if you basically said, you can't alone know, you should know. So there are examples that you can turn to to show the value of the data asset. It's not protected very well, but the consequences, downside consequences.

Well, we've got to wrap it up. We talked about Facebook peripherally, but the weaponization of social media is becoming a huge, huge problem that certainly affected, by most accounts, the last election, and 2020 is going to be all about it. Facebook's more influential than the UN. And even though we're here talking about business, everybody in business is on social media, increasingly, and that's another way in.

It is.

I'll give you the last word.

Well, you know, Larry said the data is critical, and I think it starts at the executive level. They have to understand the value. And we do this, I just presented about, we just, we talk about an assessment, because how do you get their attention? You don't want their attention once you get in the headlines. You want to help demonstrate to them there's a value here. So using the study that Larry did with us, using some assessments that try to say, here's where you're mature and here's where you're not, in business and IT, to help people demonstrate the importance of this and demonstrate the risks and vulnerabilities in it. I think that's where people have to, they have to raise, elevate that discussion and make people understand the real business impact.

All right, working through day two here, IBM Think 2017, you're watching theCUBE. Dave Vellante for Peter Burris. Check out siliconangle.com for all the news. Thecube.net is where you find these videos, and wikibon.com for the research. Pat and Larry, thanks very much for coming on.

Thank you.

All right, keep it right there. We're back with our next guest right after this short break.