2 min read November 2021 — Conquest Cyber builds adaptive cybersecurity risk management programs to enable digital transformation and cyber resilience in highly regulated industries. In an interview with Invest: Chair and President Jeffrey Engle discussed the shifts in cybersecurity, shifts in demand, attack sources, cybersecurity culture, the role of legislation and education, cybersecurity in the Nashville and Miami markets and the outlook for the industry.
How did the pandemic transform cybersecurity threats, specifically for businesses?
During the pandemic two major things were happening, the first was the digital transformation that enabled businesses to function without disruption and the second was remote work. Both created a lot of unique challenges and opportunities. One of the main challenges for those businesses that were able to work from home related to the large investments to enable end-users. However, this presented the opportunity to make things more secure, especially since there were larger risks by having more locations.
Cybersecurity threats became more aggressive during the pandemic, although they weren’t necessarily related to the pandemic, the threats were certainly induced by the context. There was a lot of publicity so many businesses started asking what was happening in their network and who had access to it. At the same time, the way we work has shifted and will continue to evolve, potentially all companies are either experiencing or will experience this change.
How has demand for your services shifted in the past 18 months?
Even before the pandemic hit, cybersecurity was already a hot market. We are focused on cyber resilience for critical infrastructure sectors; we mitigate the vulnerabilities of underlying technologies and enable security measures that are user friendly. To enable a safe environment, we do third-party risk management, security monitoring, risk analysis, compliance, testing and evaluation for industries like healthcare, financial services, defense, industrial base, telecom and emergency services. The demand has certainly increased. The sector is growing around 10% each year and as a company, we’ve had a yearly 300% growth.
What are the main sources of cybersecurity attacks?
Whether it is driven by known or potential adversaries, we are in a proxy war in the cyber domain. I identify three tiers of attackers: the first are sophisticated, either hackers who are allowed by their government entities or directed by them and possess advanced capabilities – commonly known as advanced persistent threats. The second group are criminal gangs making money from their skills, with the most publicized being ransom events. Frequently those two tiers happen to overlap. Both are sophisticated and strategic and their activity has become more publicized in the news. The third tier is composed of everyday people who break into people’s bank accounts or are trying to disrupt versus destroy. They frequently possess advanced skills but different motivations. There are a myriad of different types of tactics that these different types of groups use but what really differentiates them is the capability to operate without aggressive intervention and their intent to do harm.
How are businesses promoting a cybersecurity culture?
There is a disconnect between security technologists and business leaders. It is important to build a bridge between the two, which means more cybersecurity education for CEOs and board members and more business knowledge for security people so they can start speaking the same language and build trusting relationships. Minding the gap can help speed up resiliency; right now, the average time to implement a security measure inside an organization is north of 18 months and the time in a company for a security leader is frequently less. This misalignment is challenging and it is probably the biggest barrier to securing a digital transformation within our critical infrastructure sectors.
What are some common mistakes that are easily avoidable and can prevent cybersecurity attacks?
The single biggest mistake is treating security like it is an outcome. Cyber resilience must be a continuous focus as your critical assets, the threats that exist and your business’ vulnerabilities are constantly changing. If you are not living a cyber-resilient culture, the reality that you are vulnerable to possible threats is a given. It doesn’t matter how good they are, they only have to get it right once, which is why you have to be protected all the time.
What legislation or regulations might impact cybersecurity operations?
The Colonial Pipeline attack drew attention at the national level and the Department of Homeland Security is having critical discussions due to its impact. We’re keeping a close eye on the DoD Cybersecurity Maturity Model Certification Requirement, which is going to get contractors audited and have specific requirements around government data. In a more general area, we’re going to move toward greater privacy regulations. While before privacy was the domain of legal and cybersecurity of tech, they are going to become increasingly integrated.
How are education institutions reacting to the demand for professionals in the cybersecurity area?
Higher education, as a business, increases its value by generating a supply of professionals in demand. We’ve seen a positive response to this, and many programs integrate education with hands-on experience opportunities. Education can have a pivotal role in closing the gap between leadership and technology specialists. This can be achieved with business programs adding cyber resilience to their curriculum and vice versa, creating a common language between them.
Why is it important for cybersecurity to operate in the Miami and Nashville markets?
We have customers all over the country, but these two sectors are our roots, and we are committed to supporting the businesses that are aggregated here. Many of the businesses moving to Miami and South Florida are associated with critical infrastructure. It is a gateway to the United States and there are all types of businesses being created, which makes it incredibly diverse and a critical market for us. Government and the industries that support it have historically been our main focus but healthcare is increasingly becoming more important. The pandemic has placed healthcare in a particularly vulnerable place, which is why Nashville, being a healthcare hub, has become the main market in our line of business.
What is your outlook for the cybersecurity sector for the next three to five years?
I hope the industry will generate more solutions to the problem instead of individual products for technical challenges. We need better integration and bridging the gap between leaders and operators will continue to be a focal point. Cybersecurity insurance will continue to evolve. For many companies, it was just about getting insurance and transferring the risk. If anything happened the insurance company would cover it. However, over the past 18 months, insurance dynamics have changed, the cost is higher and they are requiring secured assets, which is going to be a positive thing and a major driver for growth in the cybersecurity industry.
For more information, visit: