chief information security officer

Auto Added by WPeMatico

Decrypted: Apple and Facebook’s privacy feud, Twitter hires Mudge, mysterious zero-days

Trump’s election denialism saw him retaliate in a way that isn’t just putting the remainder of his presidency in jeopardy, it’s already putting the next administration in harm’s way.

In a stunning display of retaliation, Trump fired CISA director Chris Krebs last week after declaring that there was “no evidence that any voting system deleted or lost votes, changed votes or was in any way compromised,” a direct contradiction to the conspiracy-fueled fever dreams of the president who repeatedly claimed, without evidence, that the election had been hijacked by the Democrats. CISA is left distracted by disarray, with multiple senior leaders leaving their posts — some walked, some were pushed — only for the next likely chief to stumble before he even starts because of concerns with his security clearance.

Until yesterday, Biden’s presidential transition team was stuck in cybersecurity purgatory because the incumbent administration refused to trigger the law that grants the incoming team access to government resources, including cybersecurity protections. That’s left the incoming president exposed to ongoing cyber threats, all while being shut out from classified briefings that describe those threats in detail.

As Biden builds his team, Silicon Valley is also gearing up for a change in government — and temperament. But don’t expect too much of the backlash to change. Much of the antitrust allegations, privacy violations and net neutrality remain hot button issues, and the tech titans resorting to cheap “charm offenses” are likely to face the music under the Biden administration — whether they like it or not.

Here’s more from the week.


THE BIG PICTURE

Apple and Facebook spar over privacy — again

Apple and Facebook are back in the ring, fighting over which company is a bigger existential threat to privacy. In a letter to a privacy rights group, Apple said its new anti-tracking feature will launch next year, which will give users the choice of blocking in-app tracking, a move that’s largely expected to cause havoc to the online advertising industry and data brokers.

Given an explicit option between being tracked and not, as the feature will do, most are expected to decline.

Apple’s letter specifically called out Facebook for showing a “disregard for user privacy.” Facebook, which made more than 98% of its global revenue last year from advertising, took its own potshot back at Apple, claiming the iPhone maker was “using their dominant market position to self-preference their own data collection, while making it nearly impossible for their competitors to use the same data.”

Powered by WPeMatico

It’s time to better identify the cost of cybersecurity risks in M&A deals

Rob Gurzeev
Contributor

Rob Gurzeev is CEO and co-founder of CyCognito, a company focused on giving CISOs the advantage over attackers.

Over the past decade, a number of high-profile cybersecurity issues have arisen during mega-M&A deals, heightening concerns among corporate executives.

In 2017, Yahoo disclosed three data breaches during its negotiation to sell its internet business to Verizon [Disclosure: Verizon Media is TechCrunch’s parent company]. As a result of the disclosures, Verizon subsequently reduced its purchase price by $350 million, approximately 7% of the purchase price, with the sellers assuming 50% of any future liability arising from the data breaches.

While the consequences of cyber threats were soundly felt by Yahoo’s shareholders and widely covered in the news, it was an extraordinary event that raised eyebrows among M&A practitioners but did not fundamentally transform standard M&A practices. However, given the high potential cost from cyber threats and the high frequency of incidents, acquirers need to find more comprehensive and expedient methods to address these risks.

Today, as conversations accelerate around cybersecurity matters during an M&A process, corporate executives and M&A professionals will point to improved processes and outsourced services for identifying and preventing security issues. Despite the heightened awareness among financial executives and a greater range of outsourced solutions for addressing cybersecurity threats, acquirers continue to report increasing numbers of cybersecurity incidents at acquired targets, often after the target has already been acquired. Despite this, acquirers continue to focus due diligence activities on finance, legal, sales and operations and typically see cybersecurity as an ancillary area.

While past or potential cyber threats are no longer ignored in the due diligence process, the fact that data breaches are still increasing and can cause negative financial impact that will be felt long after the deal has closed highlights a greater need for acquirers to continue to improve their approach and address cyber threats.

The current lack of focus on cybersecurity issues can be partially attributed to the dynamics of the M&A market. Most middle-market companies (which constitute the nominal majority of M&A transactions) will typically be sold in an auction process where an investment bank is engaged by the seller to maximize value by fostering competitive dynamics between interested bidders. In order to increase competitiveness, bankers will typically drive a deal process forward as quickly as possible. Under tight time constraints, buyers are forced to prioritize their due diligence activities or risk falling behind in a deal process.

A typical deal process for a private company will move as follows:

  • Selling company’s investment bankers contact potential buyers, providing a confidential information memorandum (CIM), which contains summary information on a company’s history, operations and historical and projected financial performance. Potential buyers are typically given three to six weeks to review materials before deciding to move forward. Unless there is a previously known cybersecurity issue, a CIM will typically not address potential or current cybersecurity issues.
  • After the initial review period, indications of interest (IOI) are due from all interested bidders, who will be asked to indicate valuation and deal structure (cash, stock, etc.).
  • After IOIs have been submitted, the investment banker will work with the sellers to select top bidders. Key criteria that are evaluated include valuation, as well as other considerations such as timing, certainty of closing and credibility of buyer to complete the transaction.
  • Bidders selected to move forward are typically given four to six weeks after the IOI date to drill deeper into key diligence issues, review information in the seller’s data room, conduct a management presentation or Q&A with the target’s management and perform site visits. This is the first stage when cybersecurity issues could be most efficiently addressed.
  • Letter of Intent is due, when bidders reaffirm valuation and propose exclusivity periods wherein one bidder is selected on an exclusive basis to complete their due diligence and close the deal.
  • Once an LOI is signed, bidders typically have 30-60 days to complete the negotiation of definitive agreements that will outline in detail all terms of an acquisition. At this stage, acquirers have another opportunity to address cybersecurity issues, often using third-party resources, with the benefit of investing significant expenses with the greater certainty provided by the exclusivity period. The degree to which third party resources are directed toward cybersecurity relative to other priorities varies greatly, but generally speaking, cybersecurity is not a high-priority item.
  • Closing occurs concurrent with signing definitive agreements, or in other cases, closing occurs after signing often due to regulatory approvals. In either case, once a deal is signed and all key terms are determined buyers can no longer unilaterally back out of a deal.

In such a process, acquirers must balance internal resources to thoroughly evaluate a target with moving quickly enough to remain competitive. At the same time, the primary decision makers in an M&A transaction will tend to come from finance, legal, strategy or operating backgrounds and rarely will have meaningful IT or cybersecurity experience. With limited time and little background in cybersecurity, M&A teams tend to focus on more urgent transactional areas of the deal process, including negotiating key business terms, business and market trend analysis, accounting, debt financing and internal approvals. With only 2-3 months to evaluate a transaction before signing, cybersecurity typically only receives a limited amount of focus.

When cybersecurity issues are evaluated, they are heavily reliant on disclosures from the seller regarding past issues and internal controls that are in place. Of course, sellers cannot disclose what they do not know, and most organizations are ignorant of attackers who may already be in their networks or significant vulnerabilities that are unknown to them. Unfortunately, this assessment is a one-way conversation that is reliant on truthful and comprehensive disclosures from sellers, lending new meaning to the phrase caveat emptor. For this reason, it’s no coincidence that a recent poll of IT professionals by Forescout showed that 65% of respondents expressed buyer’s remorse due to cybersecurity issues. Only 36% of those polled felt that they had adequate time to evaluate cybersecurity threats.

While most M&A processes do not typically prioritize cybersecurity, M&A processes will often focus squarely on cybersecurity issues when known issues occur during or prior to an M&A process. In the case of Verizon’s acquisition of Yahoo, the disclosure of three major data breaches led to a significant reduction of purchase price, as well as changes in key terms, including stipulations that the seller would bear half the costs of any future liabilities arising from these data breaches. In April 2019, Verizon and the portion of Yahoo that was not acquired would end up splitting a $117 million settlement for the data breach. In a more recent example, Spirit AeroSystems’ acquisition of Asco has been pending since 2018 with a delayed closing largely due to a ransomware attack on Asco. In June 2019, Asco experienced a ransomware attack that forced temporary factory closures, ultimately causing a 25% purchase price reduction of $150 million from the original $604 million.

In both the case of Spirit and Verizon’s acquisitions, cybersecurity issues were largely addressed through valuation and deal structure, which limits financial losses, but does little to prevent future issues for a buyer, including loss of confidence among customers and investors. Similar to Spirit and Verizon’s acquisitions, acquirers will typically utilize structural elements of a deal to limit the economic losses. Various mechanisms and structures — including representations, warranties, indemnifications and asset purchases — can be utilized to effectively transfer the direct economic liabilities of an identifiable cybersecurity issue. However, they cannot compensate for the greater loss that would occur from reputational risk or loss of important trade secrets.

What the Spirit and Verizon examples demonstrate is that there is quantifiable value associated with cybersecurity risk. Acquirers who do not actively assess their M&A targets are potentially introducing a risk into their transaction without a mitigation. Given a limited timeline and the inherently opaque nature of a target’s cybersecurity issues, acquirers would benefit greatly from outsourced solutions that would require no reliance upon, or input from a target.

The scope of such an assessment ideally uncovers previously unknown deficiencies in the target’s security and exposure of business systems and key assets, including data and company secrets or intellectual property. Without such knowledge, acquirers go into deals partially blinded. Of course, industry best practice is to reduce risk. Adding this measure of cybersecurity assessment is an excellent practice today and likely a mandatory requirement in the future.

Powered by WPeMatico

6 CISOs share their game plans for a post-pandemic world

Oren Yunger
Contributor

Oren Yunger is an investor at GGV Capital, focused on enterprise IT infrastructure, development tools and cybersecurity. He was previously chief information security officer at a SaaS company and a public financial institution.

Like all business leaders, chief information security officers (CISOs) have shifted their roles quickly and dramatically during the COVID-19 pandemic, but many have had to fight fires they never expected.

Most importantly, they’ve had to ensure corporate networks remain secure even with 100% of employees suddenly working from home. Controllers are moving millions between corporate accounts from their living rooms, HR managers are sharing employees’ personal information from their kitchen tables and tens of millions of workers are accessing company data using personal laptops and phones.

This unprecedented situation reveals once and for all that security is not only about preventing breaches, but also about ensuring fundamental business continuity.

While it might take time, everyone agrees the pandemic will end. But how will the cybersecurity sector look in a post-COVID-19 world? What type of software will CISOs want to buy in the near future, and two years down the road?

To find out, I asked six of the world’s leading CISOs to share their experiences during the pandemic and their plans for the future, providing insights on how cybersecurity companies should develop and market their solutions to emerge stronger:

The security sector will experience challenges, but also opportunities

The good news is, many CISOs believe that cybersecurity will weather the economic storm better than other enterprise software sectors. That’s because security has become even more top of mind during the pandemic; with the vast majority of corporate employees now working remotely, a secure network has never been more paramount, said Rinki Sethi, CISO at Rubrik. “Many security teams are now focused on ensuring they have controls in place for a completely remote workforce, so endpoint and network security, as well as identity and access management, are more important than ever,” said Sethi. “Additionally, business continuity and disaster recovery planning are critical right now — the ability to respond to a security incident and have a robust plan to recover from it is top priority for most security teams, and will continue to be for a long time.”

That’s not to say all security companies will necessarily thrive during this current economic crisis. Adrian Ludwig, CISO at Atlassian, notes that an overall decline in IT budgets will impact security spending. But the silver lining is that some companies will be acquired. “I expect we will see consolidation in the cybersecurity markets, and that most new investments by IT departments will be in basic infrastructure to facilitate work-from-home,” said Ludwig. “Less well-capitalized cybersecurity companies may want to begin thinking about potential exit opportunities sooner rather than later.”

Powered by WPeMatico

United Airlines CISO Emily Heath joins TC Sessions: Enterprise this September

In an era of massive data breaches, most recently the Capital One fiasco, the risk of a cyberattack and the costly consequences are the top existential threat to corporations big and small. At TechCrunch’s first-ever enterprise-focused event (p.s. early-bird sales end August 9), that topic will be front and center throughout the day.

That’s why we’re delighted to announce United’s chief information security officer Emily Heath will join TC Sessions: Enterprise in San Francisco on September 5, where we will discuss and learn how one of the world’s largest airlines keeps its networks safe.

Joining her to talk enterprise security will be a16z partner Martin Casado and DUO / Cisco’s head of advisory CISOs Wendy Nather, among others still to be announced.

At United, Heath oversees the airline’s cybersecurity program and its IT regulatory, governance and risk management.

The U.S.-based airline has more than 90,000 employees serving 4,500 flights a day to 338 airports, including New York, San Francisco, Los Angeles and Washington, D.C.

A native of Manchester, U.K., Heath served as a former police detective in the U.K. Financial Crimes Unit where she led investigations into international investment fraud, money laundering and large scale cases of identity theft — and ran joint investigations with the FBI, SEC and London’s Serious Fraud Office.

Heath and her teams have been the recipients of CSO Magazine’s CSO50 Awards for their work in cybersecurity and risk.

At TC Sessions: Enterprise, Heath will join a panel of cybersecurity experts to discuss security on enterprise networks large and small — from preventing data from leaking to keeping bad actors out of their network — where we’ll learn how a modern CSO moves fast without breaking things.

Join hundreds of today’s leading enterprise experts for this single-day event when you purchase a ticket to the show. The $249 early-bird sale ends Friday, August 9. Make sure to grab your tickets today and save $100 before prices go up.

Powered by WPeMatico