The Toll of Broken Trust
Venafi's Jeff Hudson Unveils Surprising Research Results
What's the cost to an organization when it suffers a security breach and breaks trust with its own customers? Jeff Hudson, CEO of Venafi, presents results of a new survey on the cost of failed trust.
Venafi has just partnered with Ponemon Institute to release a new survey, "The Cost of Failed Trust." Among the key findings: on average, global enterprises risk losing $35 million every two years as a result of attacks on cryptographic keys and digital certificates, and many of these incidents stem from serious exploits of what could be described as common, easy-to-fix weaknesses in how keys and certificates are managed.
"People generally are not taking care of trust," Hudson says, summarizing the survey results. "And when you're not paying attention to something, that's when the bad guys are going to get you."
In an interview about these latest research results, Hudson discusses:
- The mission behind this new study;
- The survey's most surprising results;
- Ways organizations can improve how they protect trust.
A key executive in four successful, high-technology start-ups that have gone public, Hudson brings over 25 years of experience in information technology and security management. Hudson has spent a significant portion of his career developing and delivering leading-edge technology solutions for financial services and other Global 2000 companies.
Prior to joining Venafi, Hudson was the CEO of Vhayu Technologies Corp. Vhayu was the market leader for the analysis and capture of market data, and was acquired by Thomson Reuters. Prior to joining Vhayu, Hudson held numerous executive leadership posts, including CEO and cofounder of MS2, Senior Vice President of Corporate Development at Informix Software, CEO of Visioneer, and numerous senior executive posts at NetFRAME Systems and WYSE Technology. He started his career with IBM.
Hudson earned a B.A. in communications at the University of California, Davis.
Why Study Trust?
TOM FIELD: We're talking about failed trust because Venafi and Ponemon Institute have conducted a recent study on this topic. Upfront, why study the cost of failed trust? What was the mission of your survey?
JEFF HUDSON: It probably makes sense to give a little context. We've been working on this problem for about nine years. One of the things that we have found throughout that period of time is that people - mostly in the C-suite, C-level executives - have a good idea of how trust works in the physical world. They know how people get into their buildings. They know why inventory is locked up. They know why things are safe because they understand locks, keys, fences, cameras and guards. But then you ask them: how much of that world has actually moved into the digital realm? How much of the real world now is digital, not just bricks and mortar? And they say, "A lot of it." So you ask them questions. Why do you trust what goes on in the digital world? And they don't know. They can't articulate it, but what they do is they say, "There's this guy in the organization, either the CIO or the CISO, that worries about that."
The problem is the trust is not just about information technology. Trust is about the entire organization. In fact, the corporation's reputation, brand identity and the basic reason for being is somebody trusted them to give them a product, trusted them to deliver a service and trusted them to keep them safe. Whatever it is, it's trust. It's the basic notion.
We found that people don't get it, and because people don't get it we're always on an education mission. What we decided is that one of the ways that we could get people to pay attention was to speak the language of dollars and cents. Ponemon is world-respected in coming up with ROI and coming up with cost steps in the term, "What happens when things break?" We got together with them to do this study and the results were astounding.
Key Findings
FIELD: Let's talk about the results. What were some of the key findings?
HUDSON: [Let's give] a little context here. Since people are generally not taking care of trust, they're not managing trust - and this was one of the findings and I'll come back to that - which means they're not really watching it. They're not paying attention to it, and if you're not paying attention to something, that's when the bad guys are going to get you. Your house is more likely to be robbed when you're not at home because you're not watching it. Your pocket is going to get picked when you're not paying attention. The bad guys know this. They don't want to get caught. So they know when somebody is not paying attention to something, especially something as fundamental as trust. They're going to attack it.
A lot of what we have discovered over the last couple of years is the bad guys really are now paying attention to this. They understand it's a vulnerability because people aren't watching and aren't managing trust, and so they're attacking it. That was one of the key findings of the study. In fact, the major finding or the summation of the study was that for every one of the Global 2000 - and these are 2,300 respondents and these are people that are in information technology and information security, these are the experts - what they said was that for every one of their organizations, there's an exposure to failed trust of $389 million. Each one of them is exposed to $389 million of cost over the next two years due to failed trust.
Now, if you take a look at the probabilities that are ascribed to that, the number comes down to about $40 million over a two-year period. That's a big number and that's something that executives need to pay attention to, because if you can say I can show you a way to avoid a $40 million problem over the next two years, or a $40 million cost or a $40 million loss, they pay attention. That's back to why we did this study.
One of the amazing things was $398 million is a huge exposure, but it came from the data that came from the 2,300 respondents. Four different kinds of failures of trust, six different cost categories - that's what it came up to and there was a really good methodology used to categorize these costs. That one surprised us the most.
The second one that was really surprising - I have to say it wasn't that surprising to us because we see it all the time, but I think it's most surprising to everybody we talk to about the study - is that 51 percent of the respondents said they do not know how many trust instruments they have in their environment. So [with] certificates and keys, they did not know how many of these things are out there and these are the things that give people access and allow people to get to data and get to systems, and they don't know how many are out there. There's a halo effect on that, because if you ask somebody, "Are you no good at this?" a lot of times they will inflate their response. Probably more like 75 percent of the people do not know how many trust instruments are in their environment, and that's very consistent with what we find when we worked with the Global 2000.
Surprising Results
FIELD: That's an interesting point you just made because you said that result didn't surprise you. Tell us a little bit about what did surprise you when you pored over the results?
HUDSON: The dollar magnitude of the cost of trust was a really big issue. Another one that popped to the top that we weren't expecting - along with the sheer magnitude of the dollar exposure - was the fact that SSH keys which grant trust and access to a large number of systems in enterprises are not being controlled at all, and the 2,300 respondents identified that as the number-one problem and the number-one trust problem that they have in organizations. It's surprising to me because for the most part that has been little known or, as far as we're concerned, it's little known to people. We spend a lot of time educating them on what SSH does and how it actually grants access to their environment, so that was surprising.
Global Differences
FIELD: This is a global study. What were some of the regional differences you uncovered on how organizations are protecting trust?
HUDSON: Global 2000 is an interesting set of organizations because in a lot of ways they transcend geo-political boundaries. Almost every one of our customers and the Global 2000 operates across many, many different countries. They have different cultures. They have different laws. They have different social constructs, different ways they think about security and different ways they think about privacy. But, what we did see is that in Germany, for example, there was a much higher awareness and there was much more attention paid to this notion of trust. You can make some assumptions about why that would be true; France less so. UK had a high awareness, but they hadn't done as much about it. The UK and U.S. were roughly the same. Australia was not as concerned about it. And you can make up stories as to why that's true for all these different places, so there's regional variation.
The one that probably stuck out the most was Germany is the most advanced in thinking about trust and how do you control and manage trust so that you don't have the exposures. The study points to the cost exposures. But everybody is really deficient in doing a good job of managing trust, regardless of where they are.
How to Regain Trust
FIELD: We've talked about how organizations can lose trust. How do you advise organizations to regain control of trust?
HUDSON: There are three major things that people have to consider. First of all, the number of trust instruments in these environments today, in the digital realms for all these corporations, far exceeds what most people in these corporations think is present. And that goes back to the earlier point. Fifty-one percent said they don't know how many there are, and I will tell you from our experience that we have seen very large corporations have an idea of how many of these instruments are in their environments, and we will find up to ten times that number when we do a discovery. They don't even know what's going on, so how can you manage it if you don't know? The first thing people have to do is be situationally aware. Understand the environment and know where the trust instruments are and the characteristics of them. There are a whole lot of things they need to know about these things. Understand everything, and it's got to be done on a continuous basis because this environment changes so quickly.
Number two is connecting people, because people are ultimately responsible for these instruments. If you don't even know where they are, how can you connect the people to them? Then, the people are constantly changing, so have a continuous process that connects and keeps the people that own and need to be responsible for these trust technologies connected to them.
The third part is to automate this, and automate it in a way that allows for the implementation of policies so you can establish policies saying, "For this class of trust, we're going to use this kind of certificate." We're talking mostly machine-to-machine here and this is something that needs to be automated. In one large corporation, they thought they had about 30,000 certificates. It turns out they had 400,000 certificates. They don't have enough people to manage it and all these certificates actually provided some kind of point of access, so you've got to automate it.
Those are the three things: Know what goes on, connect the people, which then leads to putting policies in place.
Getting Started
FIELD: Let's bring it back to a starting point. Where should organizations begin to assess their own trust vulnerabilities?
HUDSON: That sort of ties into the previous point, but it's mandatory that organizations figure out where they are today. It's a journey. This isn't something that happens overnight and it's not localized on one class of technology. It's not localized on one kind of network. These trust instruments are pervasive. They work across technologies, across vendors and across medium. They're everywhere. That's one of the reasons the bad guys are now attacking this. They're attacking it a lot because you can't stop using trust instruments. They're out there and they're vulnerable because people don't know where they are.
The first thing to do is to understand the current situation. On any journey, what you want to do is know what your starting point is and then map out your end-state or where you want to get to at some point in time. Then craft the path to get from here to there. But the very first thing to do is know where you are.
I liken it to Google Maps. You press that little arrow that says this is your current location. Almost every one of the Global 2000, when they press that arrow, it comes back and says, "Can't find your current location." They do not know where they are with regards to this stuff, and that's just not acceptable. I think the C-suite has to wake up to this. One of the things the study did show is that the guys that are responsible for it and know about this, what they're saying is the guys that can understand this stuff are like the guys in the coal mines, down deep, saying "There's water seeping in and the canaries are dying. There's obviously gas here." But the guys on the top are saying, "Don't worry about it. Coal is still coming up. Keep digging." But there's trouble brewing. The trouble is there and so now what people have to do is wake up and understand where they are and what their situation is.
Business Benefits of Trust
FIELD: We started this conversation talking about the cost of failed trust. What do you communicate to organizations about how they can measure the return on investment by protecting trust?
HUDSON: If, for example, one of the Global 2000 avoids one of these failures of trust in the study, especially if it avoids one of the ones that a lot of dollars are prescribed to, you can just look at it and say right there it paid back. But, in general, what you can do is look to a couple of examples.
A major airline did not fly out of their major hub for eight hours because they couldn't load bags on planes and the reason for that was a certificate failed. They didn't know about it. They didn't know it was going to fail. It failed and the entire baggage-handling system stopped working. What did that cost? That was a failure of trust. What cost would they have avoided had that not occurred?
A very major web service, one of the biggest in the world, was down about a month ago for four hours because of a failed certificate. A trust instrument failed. People couldn't get their information out. They couldn't put the information in and so that cost them money just because people couldn't access it. The other thing is that people then afterwards said, "Wait a second, this isn't reliable, so I'm not going to use this service as a place to put my data because I'm not going to be sure it's always available." Again, failed trust [is a] huge cost.
Then, if you look at some of the compromises that have occurred where the bad guys have actually stolen things like certificates and then [did] man-in-the-middle attacks, it's not just cost in terms of dollars and cents. Sometimes it's cost in terms of human lives, and to not know about where the trust instruments are and not manage them, [these] failures of trust [have] enormous costs. I just identified two really easy-to-quantify hard costs. But today - back to my original point - the guys in the C-level suite don't understand how trust works in the digital world, and it costs them a ton of money.
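The first of Hudson's three steps, knowing which trust instruments exist, when they expire and who owns them, is the part a practitioner can start on immediately, and the two outages he cites (an expired certificate taking down baggage handling, another taking down a web service) are exactly what such an inventory is meant to catch. The script below is an added example written for this page; it is not Venafi's code and does not come from the interview or the Ponemon study. It walks DER-encoded certificates with no third-party libraries, just far enough to reach `tbsCertificate.validity`, handles both UTCTime and GeneralizedTime, and parses `authorized_keys` entries to flag SSH keys with no owner comment or no `from=` source restriction. The certificates are constructed, unsigned skeletons built by `make_sample_cert` (only their validity window is meaningful), the host names, key material and fixed `NOW` are made up, and the 30-day warning threshold is an arbitrary choice; on a real host you would feed it the certificate files and `authorized_keys` files found by discovery.

```python
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):
    """(tag, value_start, value_end) of the TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """List the TLVs directly inside a constructed value occupying [start, end)."""
    out = []
    while start < end:
        tag, vs, ve = _tlv(buf, start)
        out.append((tag, vs, ve))
        start = ve
    return out

def _der(tag, content):
    """Encode one short-form TLV; only used to build the constructed sample certificate."""
    assert len(content) < 0x80, "sample builder supports short-form lengths only"
    return bytes([tag, len(content)]) + content

def cert_validity(der):
    """Return (notBefore, notAfter) as aware UTC datetimes from a DER-encoded Certificate."""
    _, cs, _ = _tlv(der, 0)                  # Certificate SEQUENCE
    _, ts, te = _tlv(der, cs)                # tbsCertificate SEQUENCE
    fields = _children(der, ts, te)
    if fields[0][0] == 0xA0:                 # skip optional [0] EXPLICIT version
        fields = fields[1:]
    _, vs, ve = fields[3]                    # serialNumber, signature, issuer, validity, ...
    times = []
    for tag, s, e in _children(der, vs, ve):
        raw = der[s:e].decode("ascii")
        if tag == 0x17:                      # UTCTime YYMMDDhhmmssZ: RFC 5280 century rule
            yy = int(raw[:2])
            raw = str(1900 + yy if yy >= 50 else 2000 + yy) + raw[2:]
        times.append(datetime.strptime(raw, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc))
    return times[0], times[1]

def make_sample_cert(not_before, not_after):
    """Constructed, unsigned Certificate skeleton: only its validity window is meaningful."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")   # version v3, serialNumber
           + _der(0x30, b"") + _der(0x30, b"")                       # signature, issuer placeholders
           + _der(0x30, utc(not_before) + utc(not_after)))           # validity
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-", "sk-", "ssh-dss")

def parse_authorized_keys(text):
    """Split authorized_keys lines into options / key type / key / comment.
    The key-type token anchors the parse, so options containing quoted spaces survive."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        toks = line.split()
        idx = next((i for i, t in enumerate(toks) if t.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(toks):
            continue                         # malformed: no key type or no key material
        entries.append({"options": " ".join(toks[:idx]), "type": toks[idx],
                        "key": toks[idx + 1], "comment": " ".join(toks[idx + 2:])})
    return entries

def audit(certs, authorized_keys, now, warn_days=30):
    """(instrument, finding, detail) triples for certificates past or near expiry and
    for SSH keys with no owner comment or no from= source restriction."""
    findings = []
    for name, der in certs.items():
        _, not_after = cert_validity(der)
        if not_after <= now:
            findings.append((name, "EXPIRED", not_after.date().isoformat()))
        elif not_after - now <= timedelta(days=warn_days):
            findings.append((name, "EXPIRES_SOON", not_after.date().isoformat()))
    for e in parse_authorized_keys(authorized_keys):
        label = f"{e['type']} {e['key'][:12]}..."
        if not e["comment"]:
            findings.append((label, "SSH_KEY_NO_OWNER", "no comment identifying an owner"))
        if "from=" not in e["options"]:
            findings.append((label, "SSH_KEY_UNRESTRICTED", "no from= source restriction"))
    return findings

# Constructed sample data: made-up host names, dates and key material, and a fixed "now".
NOW = datetime(2013, 2, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "baggage-lb.example": make_sample_cert(datetime(2012, 1, 15), datetime(2013, 1, 15)),
    "web-portal.example": make_sample_cert(datetime(2012, 2, 20), datetime(2013, 2, 20)),
    "internal-ca.example": make_sample_cert(datetime(2010, 6, 1), datetime(2020, 6, 1)),
}
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMadeUpKeyMaterial000000000000000000 alice@laptop
from="10.0.0.0/8",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMadeUpKeyMaterial backup@jobhost
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMadeUpOrphanedKeyMaterial
"""

def run_audit():
    """Run the audit over the constructed sample and return its findings."""
    return audit(SAMPLE_CERTS, SAMPLE_AUTHORIZED_KEYS, NOW)
```

On the sample, `run_audit()` reports `baggage-lb.example` as EXPIRED, `web-portal.example` as EXPIRES_SOON (19 days out), both `alice@laptop`'s key and the orphaned key as SSH_KEY_UNRESTRICTED, and the orphaned key as SSH_KEY_NO_OWNER; the restricted `backup@jobhost` key produces nothing. The owner comment is a weak signal, which is the point of Hudson's second step: a comment is only useful if a process keeps it tied to a person who still exists in the organization.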