The U.S. and Europe have prided themselves on sharing a cultural, economic, diplomatic and military bond, though a closer look reveals a relationship defined by its differences as much as by its similarities. The same is true of cyber security.
It’s clear that while there are some strong similarities between the European and North American cyber security markets, there are also interesting and significant differences. These differences, when bridged and learned from, can strengthen our common cyber security posture.
So, what are the top five observations?
1.) The rise of the board-level and business-minded CISO
Cyber has been a board-level concern for U.S. organisations for many years: almost 50% of Fortune 500 CISOs hold a Master of Business Administration (MBA) degree, evidence of the need to focus on the business outcomes of security alongside its technical aspects. A large majority of U.S. public boards discuss their security programs and potential risks on a regular basis. By contrast, it is estimated that less than one third of UK boards are involved in making security decisions today.
According to a recent study from Vodafone, U.S. organisations exhibit a higher level of cyber readiness than their European counterparts, whose cyber readiness is described only as ‘reactive’. It is estimated that European organisations will have spent $25bn on security in 2018, while U.S. organisations invested more than twice that at $50bn, despite comparable GDP and the EU’s far larger population.
Companies can also share lessons and best practices with one another through a trusted network of fellow CISOs on both sides of the “pond”; the EU market in particular would benefit from such mutual learning.
2.) Litigation vs Legislation
Litigation, and the related focus on the financial damage incurred through cyber breaches, has driven U.S. organisations to increase their maturity and insurance coverage. The U.S. has the world’s largest cyber security insurance market, worth $2bn today and growing at almost 40%, while the European market lags at only 10-15% of that total. Allianz projects that the global cyber insurance market could reach $20bn by 2025.
In Europe, growing security awareness has been supercharged by expanding regulatory powers and the introduction of GDPR in May of this year. GDPR puts individual digital rights and privacy at the heart of the most significant piece of cyber legislation so far, and we are starting to see these powers used more aggressively as the threat of direct fines becomes more significant. By comparison, in the U.S. the voluntary NIST Cybersecurity Framework, which provides guidance on how U.S. private sector organisations can assess and improve their ability to prevent, detect and respond to cyber attacks, aims much more at the deployment of cyber capability and maturity than at mandatory compliance requirements. While the NIST Framework is garnering worldwide appreciation for its standards and best practice, its implementation is hampered by a matrix of federal and state laws and disparate regulations and policies.
A common, strong cyber approach can galvanise digital security efforts and help organisations understand their obligations. In the meantime, organisations need to understand their obligations on both sides of the Atlantic and ensure they are able to navigate this changing regulatory landscape.
3.) Innovation ecosystem
While Europe has a rich history of invention and engineering, it has only recently started to wake up to the power of a vibrant and well-funded tech sector. Even a quick glance at the relative size and volume of new cyber businesses and their funding paints a stark picture. In 2017, around 700 cyber companies in North America received a total of $6.5bn in investment and growth capital, versus less than $1bn across 400 fundraising rounds in Europe and Israel combined.
What these financial statistics do not convey is the vibrancy of ideas, exchange of personnel and growth opportunities that the more mature U.S. venture capital and private equity-backed players have fuelled. There are highly innovative companies in Europe, notably in London, Berlin, Paris and the Nordics, and across the sea in Israel, but most of these remain subscale or have been swallowed by U.S. players early on.
The under-exploited European cyber tech industry needs reinvigorating; done well, it can have a profound impact on our ability to combat cyber threats globally. Fostering new cyber tech and getting it to market is critical.
4.) Cloud eager adopters
If we are to believe the hype, software as a service (SaaS) and cloud adoption are becoming all-pervasive. In the U.S., eager adopters are rushing to take advantage of the scale and flexibility that cloud, in its many guises, offers. However, we should remember that cloud still accounts for only 20% of overall IT spend. European organisations have typically been more cautious in their cloud investments, restrained by data sovereignty, privacy concerns and a more holistic return on investment (ROI) calculation.
This cautious approach is starting to turn, as the availability of cloud datacentres and infrastructure in Europe is steadily increasing. Hybrid cloud deployments and the inevitable rise of SaaS will mean the underlying fabric of our technology provision will continue to change and adapt.
Security has been slow to respond to these shifts, both in the cloud deployment of traditional security controls and in the monitoring and measurement of cloud assets and behaviour. This is set to become the dual challenge of the next few years. On top of that, mobile and IoT pose additional and perhaps more significant obstacles to security, as they bring a higher velocity of adoption and radically different challenges.
As companies rush to the cloud, it is vital they do not lose sight of the traditional majority of their estate: the delivery of fundamental security controls across users and data, wherever they reside. That is what we are calling the cyber transformation challenge.
5.) A service culture – how much should you tip?
As anyone who has travelled abroad knows, tipping etiquette varies from country to country. It is generally accepted that North America is a service-based culture, while Europe is less so. This also rings true for the delivery of IT services.
North America has led the Managed Security Services (MSS) market for many years, evolving into a relatively commoditised and competitive market. European services adoption has developed much more along the consulting and professional services axis. Running cyber operations is not for the faint-hearted; it is complex, demands a focus on internal processes, and requires an almost psychic ability to predict the next attack or vulnerability.
We are seeing a rapid evolution of the services model to reflect these unique challenges, calling for world-class cyber analysts using advanced tools to detect and respond to a range of threats. Most CISOs today are looking for a hybrid approach that combines their own organisational knowledge with external investment, best practice and, importantly, experience. In cyber particularly, businesses are looking for enhanced capability, accelerated implementation of new digital processes, and access to scarce security talent.
The monolithic MSS model is rapidly being broken up into smaller chunks of actionable services that integrate into a hybrid cyber operations framework. It is the à-la-carte menu rather than the set meal, and European organisations are increasingly willing to pay the service charge, but only where they see the value.
Perhaps it is the similarities that we can build upon, knowing that the infrastructure supporting the growing digital economy is shared across the Atlantic. We rely on the same systems, software and hardware, much of it supplied from outside the EU and deployed across multinational organisations and global supply chains. These networks face the same vulnerabilities, the same array of technical exploits and malicious code, the same transnational cybercriminals, and the same nation-state actors. Countering these threats requires the help of the best and brightest, regardless of which side of the Atlantic they are on.
The U.S. and EU markets are different, but regardless of where an organisation is located, it must build a sustainable, risk-centric foundation for implementing proactive and measurable security programs. By learning from each other, we can all win.