Pat Corcoran, IBM & Larry Ponemon, Ponemon Institute | IBM Think 2018


 

>> Announcer: Live from Las Vegas. It's theCube. Covering IBM Think 2018. Brought to you by IBM.
>> We're back, IBM Think 2018. This is theCube, the leader in live tech coverage. My name is Dave Vellante and I'm here with my co-host, Peter Burris. We're talking all things cloud, AI, blockchain, quantum, information management, information architectures. And we're here going to talk about resiliency. Business resiliency. Pat Corcoran is the IBM business resiliency global strategy executive. Doctor Larry Ponemon is here, he's the head of the Ponemon Institute. Gentlemen, welcome to theCube.
>> Thank you.
>> Thank you very much.
>> Alright Pat, set it up for us. What's going on here, at Think generally and then specifically, talk about business resiliency and what it means.
>> Well for I think at Think this year, resiliency, we're teamed up with security. Because a lot of synergy when you look at resiliency where you want to be adaptable, flexible, companies want to be able to adjust to situations quickly. The environment's changed, where in the past when you looked at recovery and resiliency, people thought about natural disasters but now, this past year, it's been on longer, but the past year we've all seen a lot of major cyber-events. So now resiliency has taken on a different view. Different approach. Because it's not just the risk of a hardware problem, or a site going down. Now we got to address risk from a cyber and it's a totally different risk. So at this conference, we've teamed up with security at IBM to try to present an integrated package, integrated approach, and we're also working with Larry, sharing some results from a study from last year, about the cost of data breach, and the importance of business continuity, to cyberattacks. Because most people today, they're not ready. They might look at protect, they might look at detect, but they're not, they don't know how to recover from a cyber and that's what we're addressing here today.
>> So Larry, we're going to get into the study but what's the Ponemon Institute? Why did you start it almost 20 years ago? Give us the background there.
>> So the Ponemon Institute is a research company and we're linearly focused on cybersecurity, data protection, privacy, and other related topics. The reason why we started the institute, my background is varied intelligence and security over a very long period of time. I hate to admit it, but over 45 years of experience. And the bottom line is we saw a real need for information. The decision-makers needed to know, what are the really significant issues in privacy or information security, that could affect their organizations. And we're very lucky, we chose an industry that was interesting and profitable, and every day there's a new issue. So you never run out of research ideas.
>> Amazing, I mean the last 12 months has been, it seems like this is a game of escalation
>> Larry: Oh, it's crazy.
>> You put on the TV and see NBC and all of a sudden there's you know every board of directors from a credit bureau on there, big words, "breach" across the bottom.
>> Data breach. That's just a nightmare, right. But every day, there's something in the news. And to your point, Pat. It just seems to be getting more and more costly to businesses.
>> It is more costly, and I think now when you look at annual reports, when I go visit a customer I like to read their annual reports, and the CEO or the CFO put down what risk are they concerned about. Almost every annual report now has cyberattacks in there. Because they have to, they have to be aware of it. And it's gotten so bad now. But like you said, the challenge is, a hacker only has to be successful once. Companies have to be successful hundreds, thousands, millions of times. Stopping these people from getting in and that's what we're trying to help them stop.
>> Black hats is a growth business.
>> Well it's a game for them.
It is a game and they're good at it but we have to be better and that's the hard challenge.
>> But virtually every company has been breached. It's like, the NBA I don't think any team has ever gone undefeated in the NBA. Despite your hope for the Warriors. (laughing) It just can't be done. So Larry, let's get into the study. You've done this for a number of years.
>> Oh yeah.
>> Dave: You've seen the patterns. What do we need to know?
>> Yeah we know that the cost of a data breach is very significant. You know, you basically talk to CEOs and board members and you say, "What's the cost of a data breach?" And you get that glazey-eyed like, "How do we know?" But we've been trying to benchmark and figure out what that true cost is. And it could be millions, tens of millions of dollars your organization, just recovering from the major data breach. Let alone lose customer trust, and along there are huge long-term consequences. Across the data breach study, sponsored by IBM, we've done this analysis globally, and now we do it in 13 countries, and this current year it's going to be 15 countries, we're adding two new countries. And the issues, even though there are cultural differences and geolocation differences, companies are companies and all companies around the world are dealing with this phenomenon. And as Pat said, bad guys are getting worse, or better if you're on the side of evil, and their ability to get data and use data against organizations creates a huge challenge for organizations. And that's where actually you need IBM. You need the right technology, you need the right tools, the right personnel, to get the job done right.
>> So I mean at the simplest level, the cost of a breach seems like it would be a function of the probability of that breach times its impact. And so, what are you seeing in terms of those variables? Are breaches happening more often, is the business impact greater, are they both sort of proportional? What's the relationship?
>> The cost is climbing, globally. What we find is that organizations are ill-prepared to deal with these problems. We also know that a lot of organizations don't have the internal talent, the people they need to be able to identify and respond to these problems quickly. Our findings show that organizations that are using leading-edge technologies, and involve their BCMs, their business continuity people, are much more likely to have a successful outcome. But it's a mess right now honestly and there isn't an organization out there that isn't subject to a major data breach.
>> Pat, when you talk to clients, to Larry's point, you ask them do you know what the cost of a breach is? The vast majority presumably don't. Do you help them sort of quantify that? Look at the business impact?
>> We can. And that's a great point. They don't know. And they haven't looked at it. One of the challenges is, in many cases the security arm, the recovery arm and the continuity arm, more people, they're all fragmented. They're run by different groups within the company. So we want to work with companies to bring them together and so we can do an impact, business impact analysis, and look at what types of risk are you most concerned about. How vulnerable are you to those risks? And what would be the impacts? Tangible and intangible. Towards your brand. You look at some of the names that have been in the papers. You're in the paper and you're there for day after day because you're down for weeks. Your brand is being impacted. So that's an intangible cost, but is a significant cost. So we do help you with an assessment.
>> So Larry, Dave mentioned that you've done this for multiple years. Last year's studies show that the improvements on time to identify and time to contain, was about 5% over what had been the previous year. Still not great, but it's getting better. Are we seeing this kind of five percent per year slog?
And what do we need to do to start accelerating the rate of improvement?
>> Right, so the word slog is appropriate. It's a slow-moving train and you get organizations to make a small improvement and that leads to, in the long term, really good outcomes. But unfortunately, it could go the other way. The bad guys are getting very talented and so they'll see opportunities, windows to exploit organizations and they want to hide their, they don't want the world to know that they've committed a crime. So the time to identify and time to contain may kind of move in the opposite direction. But in general we are seeing small improvement. One way that organizations are improving is they're involving other experts, other teams, so it's no longer just an IT security problem, or a compliance issue, it's more than that. As Pat mentioned, it's a brand issue and bringing other people to the process is greater and greater visions.
>> Allow me to repeat that this is people too. Because this isn't an IT issue, this is a business issue.
>> Well, we've done some work on this and thinking, but what's the right regime for cybersecurity? It's not just the CISO problem or an IT problem but what percent, well first of all, first question. What percent of organizations, and I'm not just talking about large organizations, think about your client base, what percent actually look at cyber as a board-level issue. Obviously RBC Today, Verizon, yes it's a board-level for those high-profile companies but across the board, is it 100%?
>> Pat: Not even close.
>> You just did a recent study I think, that looked at that right?
>> Yeah we basically saw board-level involvement, you know do you view something as strategic or simply tactical? It's about 39% on the side of, yeah we do, and then the remainder they do not. And that's an inflated number, because when you ask people on a survey they have a halo effect. You're more likely to say, oh sure we do that. Sure we get our board and CEOs involved.
It's again that slog word. It's a slow-moving train but we're seeing more and more boards getting involved. Also it helps that some of the new regulations that are coming down the pipe. There's a new regulation in New York State that requires the boards of directors to sign off if they have had conversations with CISO and they've identified the appropriate risk issues. So it's definitely moving in the right direction but it's slow.
>> So I had a conversation with a Chief Privacy Officer client, a couple of months ago. And she told me that they'd calculated what would have happened with the Equifax breach, if it had been subject to the fines that are going to go into effect over in Europe. And she said that Equifax would have been hit with $160 billion, with a B, dollar fine.
>> Larry: Wow.
>> Is that the type of exposure that we're really talking about here for companies that are not doing a good job of, especially given some of the new regulations on the rise.
>> Oh absolutely, you know just today there was this issue with Facebook, you probably were following that issue, where Facebook--
>> Oh really, who's Facebook?
>> I don't know, they're a small social media company. But basically they released information profiles, detailed profiles, on individuals, and I think it was like 25 million, something towards that range. If the GDPR was in effect, and it involved European citizens, they would put them out of business. There would be no way they could operate in Europe. It would be hundreds of billions of dollars. So it could be devastating, and compliance is on the move, there's no question that Europe is going to be very tough on US companies that are not complying with their law.
>> One of the things that Peter and I learned when we started talking to CISOs and boards of directors about this, was that part of the business resiliency strategy was response.
That they sort of knew they were going to get hacked, they've been hacked, instead of telling the board no, we've got it all covered, they say listen, this has happened, it's going to happen again, way more transparent. We're going to focus not only on keeping the bad guys out, but how we can respond better.
>> Contain it.
>> Containment and response. In a more productive manner. How does that fit into your strategy?
>> I'll say it's from a recovery. When you talk about respond it's recovery. And one I think you have to look at the company, you have to help the companies and they have to look across the total enterprise. I call it a domino factory. When you get hacked, or when some risk impacts your business, it creates another risk. It's a domino effect and a lot of companies don't look at it that way. They look at why we get hacked, what does that mean? They have to sit down and really understand what it means to the business and what could happen after, what could it create? And there's a lot of unknowns there. We're gaining a lot more knowledge here, but you really have to sit down and look at it. So the executive committee team, at the board level, they have to be committed to this response. From a resilience-recovery standpoint, they haven't looked at it as strong as they should have in the past, but I think this past year because executives are being held accountable, they're losing their jobs or going to jail, and so now they're coming out asking for our guidance. They're asking for help. And so the recovery piece, we're looking at new ways of trying to protect, find ways to protect your data. And when that data's protected, can we figure out is something changed? Like when a hacker gets in they make a change, they go in it through your configuration information, no one looked at that typically.
So we're trying to find ways to monitor and track, detect these things when they happen, so that we can then figure out how far back you can go back in the data, because the data, was it corrupted today, yesterday, five months ago? It's not an easy solution but they've got to be committed, they've got to sit down we've got to work together to help them figure out the best approach. And there's not one answer.
>> Larry I noticed you haven't thrown out the fear metric. You see this a lot, which is "The average cost of a data breach is 2.56783 million per second." Or whatever it is. Now is that because you don't believe in that, and every situation is different, it depends on your market value, what type of data, et cetera, et cetera. Or is it because it's just too hard to actually quantify? I wonder if you could comment.
>> We actually do, some of our research we attempt to quantify, we use activity-based cost data. I only told my friends this, but actually I'm a CPA and a PhD in Accounting, so I know accounting pretty well, and we used an accounting method to try to figure out what the total cost is. It's not a perfect measure, but it basically is fairly objective, and it's the best that exists. Not to sound egotistical, but I think we're the best in that narrow space of predicting cost. But it is difficult because it does depend on a lot of variables. And a lot of organizations don't necessarily understand all of the different ways that a bad event, a negative, a significant breach could affect the bottom line. But we talk to clients and organizations about it, we do board retreats, I was telling Pat, it seems pretty popular, the board wants to get a new-found religion, in privacy and security, after they experience a disaster and we work with them to try to educate them on these risk issues that Pat was referring to before. But it's an interesting time to be in this business. Lots of change.
>> Well, in the context of data breaches, I mean, you've pointed this out a lot Peter, is people don't really have an understanding of the value of their data, there's no accepted accounting, there's no GAAP for data.
>> One of the worst circumstances is there's a huge information asymmetry. The bad guys know how valuable your data is. You don't.
>> It's the new currency. If you think about currency, data is a currency for people. For companies. And when you lose it, it's one of your most, after your people, your currency's your most critical asset.
>> We say the difference between business and digital business is data. Otherwise they're the same thing. A digital business, organizes, treats its data as an asset. But it is a problem that the bad guys are willing to invest more money, more time, more innovation, into attacking because they seem to have a better understanding of what the real value of data is, than the good guys. And that's a problem.
>> It's a huge problem. You know we see all of our trade secrets, for example, economic espionage is on the rise. The nation states, they're enjoying this, it's so easy for them to collect incredibly valuable information that we don't even know that it's out in the hands of countries. Not even competitors, worse than that. But if things, fortunately there's a lot of FUD, there's a lot of fear, uncertainty and doubt, but there are really great things going on, in theory of inventing new security controls. That's why I turn to IBM, they're where I go to deal with these issues.
>> So if I can ask one last question. Larry, what do you need to do to get people to acknowledge and properly place the value of their data? Is there anything we can do, like in the next six months?
>> Yeah I mean I think really the bottom line is, you need to get your senior executives to see this as a strategic, not just a tactical issue. And they could start immediately.
I think doing a study for an organization, there's nothing we can do, but others can do this very well. To try to show the economic impact to an organization, especially one that's undergoing a digital transformation. That's, as you mentioned, that's where the value of an information asset, is just so incredibly high. And then you look at a company like a social media company, like a Facebook, and as you basically said,
>> you should know.
>> Yeah, you should know. So there are examples that you can turn to to show the value of the data asset. It's not protected very well, what are the consequences, downside consequences.
>> Well we've got to wrap it up. We talked about sort of Facebook peripherally, but the weaponization of social media is becoming a huge, huge problem. It's certainly affected by most accounts last election, 2020 is going to be all about, Facebook is more influential than the UN. And even though we're here talking about business, everybody in business is on social media, or at least increasingly. And that's another way in.
>> It is.
>> Give you the last word.
>> You know, as Larry said the data's critical, and I think it starts at the executive level, they have to understand the value. And we do this, I just presented about it, we talk about an assessment because, how do you get their attention? You don't want their attention once you get in the headlines, you want help demonstrating there's a value here. So using a study, and Larry did with us, using some assessments that tries to say, here's where you're mature and here's where you're not. For business and IT. To help people demonstrate the importance of this. And demonstrate the risk and vulnerabilities in it. I think that's what people have to, they have to raise, elevate that discussion and make people understand the real business impact.
>> Alright, working through day two here IBM Think 2017, you're watching theCube. Dave Vellante for Peter Burris.
Check out siliconangle.com for all the news, thecube.net is where you find these videos and wikibon.com for the research. Pat and Larry, thanks very much for coming on.
>> Thank you.
>> Alright keep it right there, we'll be right back with our next guest right after this short break. (bright music)

Published Date : Mar 21 2018

