Å·ÃÀÈÕb´óƬ

Skip to Main Navigation
Podcast July 14, 2021

Tell Me How: Forging Cybersecurity Responses to the Menace of Cyberattacks

View all episodes on our Tell Me How: The Infrastructure Podcast Series homepage

This episode builds on Tell Me How Episode 4: Sharpening Policies for Better Cybersecurity Outcomes, which presented the economic analysis of cybersecurity markets and the policy framework governing stakeholder actions. This episode considers the role of firms and organizations; it points to actions that government and businesses can take to ensure that their vital interests are secure from cyberattacks. It presents different types of risks that companies face and the tools to mitigate them, paying special attention to the interaction of business and technical needs. It also addresses the timing of investments in cybersecurity in an increasingly digitalized world.

This podcast series is produced by Fernando Di Laudo and Jonathan Davidar. 
 

Listen to this episode on your favorite platforms: , , , , and 
 

Transcript

Roumeen Islam: Power outages in India, the Colonial Pipeline shut down in the United States. The breach at the cruise line Carnival Corporation and the network breach at the City of Johannesburg are just a few of the numerous and increasingly sophisticated cyberattacks of recent times. Every day there's a new list of attacks.

Businesses, governments and consumers are increasingly aware of the huge damage that can result from cyberattacks. And digital information is multiplying by the second. Yet by one report, 60% of breaches in 2019 exploited vulnerabilities for which a security patch was available, but not applied; 50% of personal computers that were infected once were infected again the same year and there were almost 138 million new malware samples in 2020. It's clear that we need to strengthen cybersecurity. Let us find out how.

Good morning and welcome. I am Roumeen Islam, the host of "Tell Me How," and today I have, as our guest, , expert on cybersecurity and currently co-director of the Stanford Advanced Cybersecurity Certification Program. He has recently written a book, "Big Breaches," which discusses practical lessons on how to deal with cybersecurity issues. We hope to learn some of these lessons. Welcome Neil!

Neil Daswani: Thanks for having me Roumeen, and pleasure to be here.

Roumeen Islam: Oh, we're very excited to have you with us today to discuss a topic that's increasingly on people's minds. How to keep all this information that we've got stored in the digital space, safe from cyberattacks. Perhaps you could start by giving us an idea of the magnitude of the problem, because I understand you've been looking at some very large cases.

Neil Daswani: Yes. So, first of all, cybersecurity is a big problem. Some estimates peg the cost of cybercrime to the world at over 10 trillion by 2025, up from 3 trillion in 2015, as per statistics from cybersecurity ventures. Even if that statistic might be exaggerated, it wouldn't surprise me that the actual cost of cybercrime is easily going to be in the trillions. McAfee has estimated cybercrime to be about 1 trillion for 2020, or 1% of global GDP. Aside from cybercrime, It's also very hard to estimate the cost of nation state attacks, as opposed to say organized cybercriminals attacks.

Roumeen Islam: So, I guess the cost of cybercrime is quite high, but how much is actually spent on cybersecurity ¡ª are the amounts commensurate to the problem?

Neil Daswani: Over $120 billion is spent on cybersecurity solutions per year. In fact, in 2019 Gardner estimated that it was $124 billion that was spent yearly by companies and organizations. There's been about $45 billion that's been invested in cybersecurity companies both through private equity, as well as through public IPO investments in the 14-year period from 2005 to 2019. So, there is a lot that is getting spent on cybersecurity, but given the kinds of attacks that we've been seeing, for instance, in the aftermath of the Solar Winds hack, the amounts that are being spent are probably not commensurate to the problem. I think most organizations do need to be investing more in cybersecurity than they currently are.

Roumeen Islam: But the numbers that you just mentioned... So, you mentioned cybersecurity solutions and then you mentioned IPOs and investments when you fund. So aren't those somewhat different measures of what's being invested? One, I guess, might be how much companies are actually spending on cybersecurity solutions, and the other is how much innovation and how much investment there is in new companies.

Neil Daswani: Yes, that's exactly right. So, the $45 billion that I quoted, over the period from 2005 to 2019, is a measure of cybersecurity innovation going into both startup companies, as well as public IPOs, when those innovations are ripe enough to be offered kind of on the public market. The amount that is getting spent, worldwide on cybersecurity solutions, well-baked solutions, that is the $120 billion number. And I expect that both of those numbers will be going up. The question is how much will they go up and will it be commensurate to the size of the problem?

Roumeen Islam: Are there any particular sectors that have suffered a higher number of attacks? What would be your guess? I mean, I assume that what affects whether you're attacked or not is the size of the potential payoff, and the number of transactions some sectors make probably makes them more likely to suffer attacks.

Neil Daswani: Yeah, that's exactly right. So, there are some areas like banking and the high-tech sectors that do get targeted with more attacks. And that's simply because, organized cyber criminals want to go after the money. The money is in the banks, the money's in the big high-tech company. So that's where they go first.  That said, because those sectors invest more, the number of successful attacks against those sectors is smaller as compared to say sectors such as healthcare and hospitals, when a piece of a ransomware, malicious software that is meant to take data and organizations hostage, when that kind of thing spreads through healthcare and hospitals, the chance of those attacks being successful is higher than against high-tech companies and banks, which typically invest more in their cybersecurity defenses, than say hospitals and healthcare organizations.

Roumeen Islam: Okay. So that's obviously very interesting because that's what one might expect, you know, the success of the attack versus the size of the payoff. Once you get in, both are both are important. Now, how does the number of attacks look when divided into small versus large firms? Are small firms likely to be less vulnerable because the payoff is smaller?

Neil Daswani: So I don't have a specific breakdown on large versus small firms, but small firms are not less vulnerable. Small firms usually end up being more vulnerable because they simply don't have the resources to invest as much in their own security. And I think the question is...

Roumeen Islam: Sorry, may I interrupt? I didn't mean were they more vulnerable. I meant hacking into a small firm could lead to a big gain. I understand the small firms may not have as much to invest, but there are other reasons why they could be vulnerable. Right?

Neil Daswani: Absolutely. A lot of small firms have big firms as customers, and often the attackers want to get at the big firms. And so for instance, if we look at the recent Solar Winds attack from this past December, Solar Winds was a software provider that was getting used by government agencies and nine U.S. government agencies were compromised because the attacker got into the small firm first. in addition to government agencies, there were approximately 100 private companies that were compromised, larger private companies that were compromised because the attackers went after the small firm first.

Roumeen Islam: Okay. So, Neil, where do you get information on data breaches? Because you needed a lot of information to write a book. So where did you get all this information?

Neil Daswani: Yeah, so there's a lot of great information sources. PrivacyRights.org maintains a database of reported breaches. The Identity Theft Resource Center also maintains a database of reported breaches that have taken place.

Roumeen Islam: Sorry, Neil. This is in the U.S. though, right?

Neil Daswani: This is in the U.S., that is correct. At the same time, both of those sources, PrivacyRights.org, the Identity Theft Resource Center, when there are big breaches that impact high-tech companies like Facebook, for instance, that does impact the entire world and these resources do focus on breaches that, that also cover the world. Now it would be great to see the worldwide community keep track of breaches in many other countries as well. And I think there's challenges as to in certain countries, they may not want to be as transparent about the breaches that take place there, but the more that we catalog these breaches, the more that we can understand the root causes and the more that we can invest in the right countermeasures to protect against future such breaches as more and more breaches occur. In the United States each state pretty much has its own definition of what constitutes a data breach. Most of the definitions are along the lines of when a consumer's name and some sensitive identifier or identifiers about them like their Social Security number or their driver's license number or bank account numbers get stolen or exposed, then that constitutes a data breach. Unfortunately, because each state has its own laws when a data breach occurs, the attorney is at organizations that get breached, they have to consult all the different state laws. There's currently no federal level consistent definition of breach and let me also mention that the current legal definition of data breach does not cover all kinds of security, compromises, and incidents that do not impact consumer information. So, if a company say, gets broken into and their trade tickets get stolen, that does not necessarily constitute a legally reportable breach. But in the aftermath of the Solar Winds hack, the hope is that at some point there will be more broad breach notification laws and breach definitions that go well beyond the scope of consumer personal information and that would be an advancement.

Roumeen Islam: I see. So, you just made two very important points: that the definition of a data breach right now is narrow. That is disclosable, that what you have to disclose is, is narrow. And the second thing that you said about each state having a different approach to data breaches makes me think of how complex it must be at the world level, which country has a different approach? So, these are very important issues that make the whole problem much harder to deal with.

Neil Daswani: Yes, that's exactly right. Even in Europe where the GDPR ¡ª the General Data Protection Act is passed, there is, quite a bit of focus on consumer information in that law as well. And I do think that the laws around what constitutes a data breach in laws around the world do also need to be broadened.

Roumeen Islam: Okay. So let's go on a bit to thinking about cybersecurity from the perspective of a particular firm. Suppose you were asked to set up a strategy for cybersecurity in an organization, how would you go about it?

Neil Daswani: What I would do is I would first want to understand what that organization wants to protect against in particular. There may be a certain set of security threats that are existential to that organization, where if their intellectual property or some other information might be compromised, it could just end up being the end of that organization and I think it's important for boards of directors to first understand what are the existential threats to the organization and design the company's security program around those existential threats. And that most businesses will have to comply with a whole bunch of security compliance standards, whether it be PCI to take credit cards or HIPAA to operate in the healthcare market or whatever it happens to be. But I would encourage organizations to focus on the existential threats first, and secure their most important data assets that are most important business processes and, as much as possible work to achieve compliance with security standards as a side effect of their security programs. I think we live in a world today where a lot of organizations primarily work to comply with a whole bunch of these security compliance standards. But the problem is that the overwhelming majority of organizations that have been breached were compliant. The compliance involves checking hundreds of checkboxes, satisfying minimal criteria for all of them and has not necessarily helped in preventing all of these breaches. The managerial and technical root causes of breaches across all the breaches that have taken place is a much, much, much smaller set of things to focus on ¡ª less than 10. As compared to the hundreds of checkboxes that you need to satisfy in these compliance standards that are often designed by committee.

Roumeen Islam: Neil, you spoke about the technical root causes. And could you please go into these? What are the main root causes that you mentioned in your book?

Neil Daswani: From having looked at over 9,000 reported breaches, there are really just six technical root causes of breach. Phishing and account takeover is #1. Malware is #2, software vulnerabilities is #3, third-party compromise and abuse is #4, then there's inadvertent employee mistakes that are separate from phishing because that's just such a prevalent one. It makes sense to dedicate a category to it. Finally, unencrypted data is the sixth technical root cause of a breach.

Roumeen Islam: So, some of these are obviously self-evident. You know, if you don't have un-encrypted data, it's going to be preached, and employee, mistakes, yes. But could we go a bit into some of the other ones which may not be immediately apparent?

Could you go into what you mean by phishing, malware, software vulnerabilities and third-party compromise? Actually, I think, let me rephrase that ¡ª software vulnerabilities. I assume you're referring to bugs in the software. Is that right?

Neil Daswani: Correct. There's actually two kinds of songs or vulnerability. One are bugs and what are called implementation vulnerabilities. The other are software design vulnerabilities, where it may not just be a single bug, but there may be a more systematic design problem with the security of the software. For instance, it could allow for unauthenticated people to log into a system and that's more of a design issue as opposed to just a small bug in the line of code.

Roumeen Islam: Okay. And so, so what's phishing?

Neil Daswani: So, phishing is an attack where the cyber criminals or nation states send out emails, claiming to be somebody else. And they're geared at socially engineering somebody to click on a link or go to a webpage and surrender their credentials because the website that they're being directed to looks say exactly like the bank, except it's really not the bank's website.

So that's phishing. And over the years, phishing attacks have gotten a lot more targeted than they used to be. Sometimes you'll hear the term spear-phishing to refer to a more targeted phishing attack than say, just getting an email, claiming it's from the bank

Roumeen Islam: And could you speak about what kind of defense you may have against this sort of attack?

Neil Daswani: Sure. The gold standard defense against phishing is to use multi-factor authentication. There are many kinds of multi-factor authentication. One of the best ones is to use a hardware security key, like a UBKey, similar to, when you drive a car, you stick a key in turn it on. The way that hardware security keys and UBKeys work is such that in order to log into a system, in addition to providing your username and password, you also have to put in a piece of hardware, say into the USB port of your laptop or whatnot.

And on that piece of hardware is a secret cryptographic key that's associated with you. And there's basically when you look at, for instance, Google deploying hardware security keys to the bulk of their employees back in 2017, even though Google is regularly under nation-state attack, regularly targeted by nation states.

There has not been one Google employee that has successfully been phished because of their usage of hardware security keys to defeat phishing.

Roumeen Islam: So, no matter how much software we have, we still need some hardware out there to protect us.

Neil Daswani: One of the problems with software is that it is typically very malleable and easily changeable, and unless there is some tamper-resistant hardware to defend, things like cryptographic keys, it's just very hard to achieve security only using software.

Roumeen Islam: Okay. But what about malware? What types of approaches are effective here?

Neil Daswani: Sure. So, malware is, just a short word for malicious software. It's basically software written by attackers of one kind or the other and malware defenses have evolved over the decades. Most of the early defenses in malware used to use what are called signatures. The defenders used to identify sequences of bytes that would appear in the attacker software and build an inventory and catalog it, and just basically look for those signatures and new software that say coming down to a computer. But as you could imagine that approach has proved to be very fragile and inadequate. Today the best anti-malware defenses leverage artificial intelligence, where the artificial intelligence can recognize previously unseen malware. So, when attackers craft new malware and new variants of malware, artificially intelligent anti-malware defenses are able to detect previously unknown malware and malware that's being observed for the very first time. They're much more likely to catch that kind of malware. So, I would encourage organizations to use anti-malware defenses that leverage artificial intelligence,

Roumeen Islam: And there must be, you know, a lot of companies coming up that do this sort of thing.

Neil Daswani: Yeah, that's right. There are, there are many companies that purport to have such defense. I think that there's companies like Blue Hexagon, where they are run by people that are scientists and engineers by background, and they, for instance, are able to detect previously unknown malware at detection rates of above 99%. Whereas there's many other offerings on the market that don't have close to that kind of detection rate on previously unseen malware.

So, I would encourage organizations to look at the scientific effectiveness of these types of anti-malware defenses that leverage artificial intelligence and leverage tests that have been done by independent third-party labs as to the effectiveness of these kinds of defenses. You know, I think in the, in the cybersecurity industry, it is very important to, to look at the scientific effectiveness, just as look, we look at type effectiveness for drugs and vaccines.

We've got to start doing more of that. In the cybersecurity field so that we can really call out the types of defenses and suppliers that have the scientifically effective countermeasures, as opposed to other vendors that might be selling snake oil.

Roumeen Islam: That's a very interesting point you make, and also that if the attackers are using AI-based mechanisms, then to protect against the attackers, you need to be sure that you're using similarly sophisticated methods.

Right? Is that right? Yes. Do any of your recommendations change depending on the type of firm or service you are dealing?

Neil Daswani: So, I think depending upon the kind of organization is they should focus on their existential threats. For instance, there might be some companies that develop intellectual property for a living, and while they may not have a lot of operational systems, the security of their intellectual property is the core asset of the company. And if, if that gets stolen, well, it could be game over for the company or, you know, that company's valuation could be a heck of a lot less if, the intellectual property gets stolen. Now, there there's other companies where they may have, you know, many tens or hundreds of billions of consumers, in which case, if they use the data about those consumers to monetize their service well, then protecting that information will be critical to maintaining the trust of the consumers that use that service say in the case of a social media company. So I think depending upon what kind of company it is, you know, my recommendations for protecting them would differ widely, keeping in mind also that the root causes of a breach are pretty stable and similar over the past 10 years or so.

Roumeen Islam: So, if the root causes of breach are stable and similar, but they're just different types of data that need to be protected, right? Like personal data versus trade secrets. Our intellectual property. Then how does the intersection of those two things change what you would say to a firm? I don't think I still got that.

Neil Daswani: Sure. Yeah. Well, I'm glad you asked. It's a very astute question. The intersection changes which countermeasures may make the most sense to deploy for that organization. So, for instance, while root causes of breaches might include malware or might include, un-encrypted data or whatnot, what kind of countermeasure you deploy to say protect intellectual property? Data versus say, consumer data in the case of social media may differ widely. So to just give a concrete example, in the case of a company that needs to protect its intellectual property at its core, you know, encrypting the intellectual property may not be sufficient simply because of the fact that if you have just one insider in that company that gets paid off and has legitimate access to the systems. It may be a lot more important to protect against insider threat for that kind of a company, as compared to say a social media company where you need to deploy defenses that don't result in infecting all your consumers as an important vector of attack. And so those two countermeasures would be very different.

Roumeen Islam: They're very different. And that's why you need different types of managerial attention. 

Neil Daswani: That is exactly right.

Roumeen Islam: But if every company has several products to manage each type of threat, how do you manage all the products on the other oversight of this?

Neil Daswani: That is one of the reasons why most organizations should hire a chief information security officer, because that executive will look at what are the existential threats at the board level. That executive will look at all the different countermeasures that are available on the market and help recommend what are the right suppliers to bring in. What are the right countermeasures and defenses to bring in for that business? It's not a cookie cutter.

Roumeen Islam: Okay. So, this is why just a meeting, just being compliant with all the requirements is not enough because it's not a cookie cutter type of approach. You actually need to think about what your organization does and where the threats are coming from. But also, wouldn't you say that it's very important that there's broad understanding in the organization at the level of the board? Where do you think there needs to be understanding? It's not just the chief information security officer, right?

Neil Daswani: Yes, that's right. I think there does need to be board-level understanding and you did highlight, there's many different compliance standards. So for instance, if you look at the PCI security compliance standard, well, that standard will help make sure that if your organization takes credit card numbers for a living, that those credit card numbers are protected. But beyond that PCI, in and of itself, is not primarily focused on protecting your trade secrets or your intellectual property, or even other personal data about the consumers besides that of credit cards. So there, should be, and there does need to be a board-level exercise that has to take place around what are the most significant threats to this organization, and then work together with the chief information security officers to put a security program and evolve a security program in place that is focused on what's most important to the company. It's unlikely that's just going to directly intersect with what the compliance standards are going to cover.

Roumeen Islam: But what is the most important advice that you would give to security and technology leaders today?

Neil Daswani: The most Important advice that I would give to security and technology leaders, especially when engaging with their CEOs and their boards, is that it is just as important to be a good general manager, understand the fundamentals of the business and the organization that you're looking to protect. You should show up as first, an executive of the company, with all the background that all the other executives have and then think about that as context in how you go about protecting the organization and its data assets and its consumers and its customers and its employees. That would be my first primary level of advice. You don't want to be perceived as a person or an executive that's just only focused on security; you should be a good general manager of the business with a spike of domain expertise in the area of security to help that organization achieve its security goals.

Roumeen Islam: Okay. But then we're looking for, you know, a different breed of leaders coming up right? In the next rounds of leaders coming up.

Neil Daswani: That is right. I think, I think there's a lot of cybersecurity professionals out there that understand cybersecurity very well and maybe have say technical depth in certain areas of cybersecurity. But I think that in order to protect an organization, the first thing that you need to do is make sure that you're always speaking English and that you're always speaking the language of the business, first and foremost, and then use that as part of your path to help protect the business in a very natural way, interacting with the executive team.

Roumeen Islam: Now, we talked about the risks that the single company or organization faces, but what about third-party suppliers? How would you handle this relationship? Suppose you are a firm and that within the firm, you're very tight to know its cybersecurity measures? How do you handle your suppliers?

Neil Daswani: The question of how to deal with supply chain security and all suppliers that an organization might have is more critical than it ever was before, in the aftermath of the Solar Winds hack, where they had many customers that were government agencies and large private companies, we have to always keep in mind that attackers may try to get into larger, more well-protected organizations by breaking into the smaller organizations first. And so, I think for any organization that has you know, dozens or more of suppliers, it is important to have a proper supply chain security management in place, where you may need to check the kind of audit results of all those third-party suppliers. But as we've talked about, just looking at their compliance is usually not sufficient. You've got to look at well, what are those suppliers doing for you? Are they, are you buying pencils from the company or does that organization have its networks tied in with yours and depending upon how deep that relationship is and what they're doing for your company that should guide your security requirements of the suppliers. And I think it has to go well beyond just checking that they're compliant with some security standard or the other.

Roumeen Islam: Okay. And that sounds very reasonable. Now one thing I was thinking of as we were going through this is that, you know, in many developing countries, governments are capacity constrained and they don't have a lot of resources to divert to cybersecurity and attacks are becoming increasingly global in nature.

So what's the best solution should countries that have lower ability to secure themselves from cyberattacks? Think twice about going digital, I mean, this is a difficult question to answer, right? Because if they think twice about going digital, then they're falling behind on technology adoption. So, what is the answer?

Neil Daswani: Absolutely, but I think that developing countries that are going through a digital transformation are in a great position to incorporate cybersecurity as part of their digital transformation and chances are that by investing in security as part of a digital transformation. You have a much better chance of actually becoming secure and you also don't have to deal with say tons of legacy systems that more developed countries already have. Where if you look at power grids, if you look at, dams, if you look at water treatment facilities, if you look at oil pipelines in countries that are already advanced and developed, they have the problem that a lot of the software that's used to run those systems operationally are very out of date; some are so out of date, they can't even be patched with software updates. And so when you have a developing country that is adopting digital and going through a digital transformation, that there's just a great opportunity to design security into that digital transformation, and chances are they will end up being much more secure than an approach where you have tons of old legacy systems and you've got to put a defense on top of defense on top of defense to try to deal with the fact that some of those initial systems, legacy systems, are not as patched and easily defendable. So, I think bottom line for developing countries, it's a great opportunity to design security in and it'll typically cost less than if you had a whole bunch of infrastructure already.

Roumeen Islam: Of course, it'll cost less than if you had to repair your old systems like you're saying, however, it will cost more if you have to put in the advanced security systems then if you didn't have to right? So I'm just thinking of their capacity constraints, but I guess there's no other way, as you just said, we wouldn't want critical infrastructure to be attacked.

Neil Daswani: Well, I think the other way to think about it is that if you don't design security in as you're going through the digital transformation,then the question is you, might be saving dollars in the short term, or you might be saving some of the currency in the short term, but over the medium and long term, whenever there is attacks, when other incidents, whenever there's compromises, the cost then to deal with those incidents and compromises and then deal with the fact that the security is going to have to be layered on and layered into the systems after the fact is probably going to be much more expensive. And by the way, uthere there's many, many larger organizations that have figured this out. So, you know, when Facebook was still a startup and even, when they advanced to becoming a public company, you know, they had a saying, they wanted to move fast and break things. That was their motto, "Move fast and break things."

And they did, they moved very fast and then a whole bunch of things broke and without getting into all the things that broke, Facebook's new motto is "Move fast with stable infrastructure." Their new motto does not incorporate breaking things anymore. But what they found is that when they were moving so fast and when they didn't take security as well as all kinds of other software tools and practices into mind, they would end up having bugs, which would inadvertently reveal people's birthdays on social media sites, and they had incurred in a $5 billion fine from the Federal Trade Commission in 2019. So pretty much their approach became tempered over time. They still want to move fast, but move fast with stable infrastructure and one can imagine that security and safety of that infrastructure is part of its stability.

Roumeen Islam: That's an excellent point that you just made. Thank you. Now, in what areas of cybersecurity do you think there should be more research and investment?

Neil Daswani: I think that there are a lot of areas of cybersecurity that can benefit from further research and investment. In fact, Chapter 14 of my book "Big Breaches" focuses on advice to cybersecurity investors and innovators and how having analyzed where a whole bunch of money has gone today and what have been the root causes of breaches.

Some of the areas which I believe need more investment is as follows. I think that leveraging more artificial intelligence is super important. There's so many open positions in the field that we simply can't train people fast enough. And so what we need to do is leverage artificial intelligence to automate a way that most entry-level jobs and have people that are entering the field do the more advanced jobs that computers can't do. I think that's one area for further development. I think that there's also so many organizations that are adopting AI, that we need to worry about the security of the AI. When attackers can leverage vulnerabilities in artificial intelligence that's responsible for the detection of cyberattacks, that's bad news. So I think that artificial intelligence applications of security and securing the AI is one important area, but there's many others. I think that Internet of Things security needs more investment. I think that innovation in cyber insurance needs to take place such that organizations can offset or transfer some of the risks given the number of breaches that are taking place, but we need better models on how to assess risk. Within the Internet of Things, as I mentioned, there's so many more billions of devices that are going to come online in the coming years that, if we, if we think we may have been under investing in cybersecurity to date for all the mobile phones and laptops and servers, We are, I think woefully behind with protecting all the internet of things, devices. So, you know, these various areas, if you look at Internet of Things, devices, if you look at the security of them, if you look at cyber insurance or the less than $1.5 billion of investment in either of those areas, and  there's been some significant companies that have been attacked even just this year.

So, there's many, many future areas for innovation and advancement in the area of cybersecurity.

Roumeen Islam: Thank you, Neil. That was a very, very interesting discussion.

Neil Daswani: Thank you, Roumeen, for having me.

Roumeen Islam: Well, listeners, what are some of the things we learned today? Firstly, addressing cybersecurity weaknesses requires understanding how well technical solutions are suited to the business needs the management style and the business models of the firm. Secondly, firms need to focus on the weaknesses that threatened the existence of the firm itself and preventing beaches requires more than compliance with policy or regulatory standards. Thirdly, cyberattackers are increasingly sophisticated security measures using scientifically tested AI tools will be needed to combat attacks. Finally, developing countries that are digitalizing their economies need to put cybersecurity measures at the front and center of these efforts. Any investment in cybersecurity at the start of the process, we'll have substantial payoffs and ensuring the long-term sustainability of their business and of their critical infrastructure and it may also be financially less costly. Thank you, and bye for now.

If you have questions or comments, we¡¯d love to hear from you. You can reach us at tellmehow@worldbank.org. Don¡¯t forget to subscribe and thanks for listening!

This episode was recorded in July 2021. 

View all episodes on our Tell Me How: The Infrastructure Podcast Series homepage