The five-minute CIO: Grant Waterfall, PwC

21 Oct 2016

Grant Waterfall, leader at PwC. Image: Maxwells

“Although many governments look at cybersecurity as a national issue, all of our global clients look at it as one without borders,” said Grant Waterfall, global cyber leader of PwC.

Waterfall was in Dublin this week (19 October) to conduct a briefing at PwC’s Cyber Centre, which is designed to give business leaders an understanding of cyberattacks and how to defend against them.

“It is a dedicated centre for our professional ethical hackers,” explained PwC cybersecurity lead partner Pat Moran.

‘The reality is that most businesses will continue to pay in ransomware attacks because the value of what is being encrypted is so huge to them and potentially impacts the business’
– GRANT WATERFALL

“These are people that we have trained up to use sophisticated tools and techniques to be able to attack in an ethical way our clients’ networks, to determine the strength of the firewall or the intrusion detection that they have. It gives assurance back to clients that they have best-in-class controls.”


From left: Pat Moran, PwC Ireland cyber leader, and Grant Waterfall, PwC global cyber leader. Image: Maxwells

Based in New York, Waterfall primarily serves Fortune 500 clients in the areas of cybersecurity, cross-border privacy and IT risk.

Over the past 7 years, he has been responsible for building and leading the UK cybersecurity and IT risk assurance practice, and developing PwC’s digital practice. Grant has a long history in large-scale systems implementation projects, large programme assurance, systems assurance, outsourcing and offshoring projects, cybersecurity, privacy, and IT risk management. He has been part of the UK’s government/private sector cybersecurity working group, aimed at shaping the UK response to cybersecurity threats.

What does your role involve as cyber leader at PwC?

It’s more of a leadership role and there is a responsibility there to coordinate our investment around the world, as we drive growth in the cybersecurity business. There’s been a coordinated effort over the last three years to do that. Part of what I am doing here with the Irish practice and with Pat and his team is part of that coordinated approach, and the launch of the Cyber Centre here in Dublin is all tied into that.

The role, therefore, is about looking across the globe in terms of market share analysis, [seeing] how we invest, and then coordinating our investments so we don’t do stuff more than once.

[It also involves] coordinating with our global clients to make sure we take the best of what we have around the world to multinationals.

Although many governments look at cybersecurity as a national issue, all of our global clients look at it as one without borders, and they want a very coordinated approach to delivery.

As a global leader, how would you sum up the cybersecurity landscape today? Is data more porous today than it has ever been?

The perimeter isn’t really there anymore. Beyond mobile devices you have all sorts of connected devices, including IoT [internet of things] type devices. A number of my clients in healthcare, for example, are investing in a bunch of connected healthcare devices like [a] digital pacemaker, or a stent that has blood flow sensors on it.

None of this stuff sits in a perimeter; it is all kind of outside. And also, if you look at the fact that a lot of companies are moving their systems and data storage to the cloud, [this is] once again, not in any perimeter.

The way security is changing from that perspective is what I would call much more data-centric. We need to apply a more data-centric approach to how we secure companies and think about where that data is, whether inside or outside any network.

There are a number of techniques getting hotter and hotter. Clearly, encryption techniques have become much more prevalent in terms of what companies are investing in right now. Whether you are encrypting stuff in a cloud platform [or not], some of the providers are even providing self-managed key solutions so that companies can have full end-to-end encryption and know that they own the data.

More investment is going into identity and access management, which is enabling companies to secure who can access what and when.

There are also things like these next-generation firewalls, which enable a micro-segmentation of networks in organisations that can nail down data in specific places. Those are very much being used in the IoT world to segment different parts of devices.

We are also working with a company called Ionic Security, which is all about putting in place encryption mechanisms that effectively follow the data around, wherever it goes. The data could be a document that ended up on social media and actually, the encryption follow[s] the data and access controls stay with it.

It is also being really clear on the threat landscape, which is constantly changing.

Those are the key things that are really important.

Another big problem is nations allegedly engaged in cyberwarfare. Do you believe there is a cyberwar raging with nations actively involved?

The most prominent thing is what has gone on with the hack of the Democratic National Party database. On a daily basis, Wikileaks is releasing masses of stuff and actually the US has come out clearly and accused Russia of [insolvency] and of trying to disrupt the US democratic process.

I think when you look at it that way, we certainly see nation states starting to do some interesting things.

I do think we are missing the underlying, legal framework to deal with warfare at that level. It is very easy at a political level to go back to various conventions, [as] there is nothing that exists at this stage to set the borders, in terms of what is actually war and what isn’t.

What are your thoughts on ransomware, which is on the rise mainly because businesses are simply paying up?

It is a very real issue and it is probably one of the biggest threats we are seeing right now. We are seeing a lot of the banks having bitcoin accounts with balances in them to pay when they need to.

The reality is that most businesses will continue to pay because the value of what is being encrypted is so huge to them and potentially impacts the business.

Interestingly, I was with an FBI agent who works with businesses all the time and they really do encourage businesses not to pay, but they recognise that the trend is likely to continue for companies to pay.

Is it to do with bad security? The reality is that most ransomware gets in through some sort of phishing attack.

The defences for ransomware are exactly the same as any other phishing defences, which is basic user awareness: don’t click on that link. There are technologies available that quarantine attachments and don’t execute them. There is application whitelisting, which does not run programmes that aren’t authorised in businesses. There are things that companies can do to deal with [a] phishing problem, which they should be doing.

And, of course, the other side to ransomware is having proper backups and having tested those backups.

Those are the things that companies need to think about from a ransomware perspective.
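The "having proper backups and having tested those backups" point above, as an added example that is not from the article, from PwC or from any product mentioned in it: a small restore test that records a SHA-256 manifest for a backup set and then checks a restored copy against it, so files that were silently overwritten (as a ransomware encryptor does), dropped, or added would be caught before anyone relies on that backup. All file names and directory layouts are constructed for the demonstration; the functions `build_manifest`, `verify_restore` and `restore_test_passed` are this example's own names.

```python
"""Backup manifest and restore verification (added example, not the article's code).

A manifest of SHA-256 digests is taken from the backup set at backup time and
kept apart from the backup itself. A restore is then compared file by file
against that manifest. Sample files are constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest.

    Returns sorted lists under the keys ok, modified, missing and unexpected.
    A "modified" file has different content (e.g. it was encrypted in place),
    a "missing" file was not restored, an "unexpected" file is not in the manifest
    (e.g. a ransom note dropped into the tree)."""
    current = build_manifest(restored)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(current) - set(manifest))
    for key in ("ok", "modified", "missing"):
        result[key].sort()
    return result


def restore_test_passed(result: dict) -> bool:
    """A restore only counts as tested when every file matches and nothing extra appeared."""
    return not (result["modified"] or result["missing"] or result["unexpected"])


def demo() -> dict:
    """Constructed scenario: a clean restore and a tampered restore of the same backup."""
    with tempfile.TemporaryDirectory() as tmp:
        # Original backup set (constructed sample data).
        src = Path(tmp) / "backup"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2016-10-19,100\n")
        (src / "readme.txt").write_text("quarterly export\n")

        # Manifest is written to and reloaded from its own file, as it would be
        # when stored away from the backup media.
        manifest_file = Path(tmp) / "manifest.json"
        manifest_file.write_text(json.dumps(build_manifest(src), indent=2))
        manifest = json.loads(manifest_file.read_text())

        # Clean restore: byte-identical copy of the backup set.
        clean = Path(tmp) / "restore_clean"
        (clean / "finance").mkdir(parents=True)
        (clean / "finance" / "ledger.csv").write_bytes((src / "finance" / "ledger.csv").read_bytes())
        (clean / "readme.txt").write_bytes((src / "readme.txt").read_bytes())

        # Tampered restore: ledger overwritten with random bytes (as an encryptor
        # would leave it), readme never restored, a stray note added.
        bad = Path(tmp) / "restore_bad"
        (bad / "finance").mkdir(parents=True)
        (bad / "finance" / "ledger.csv").write_bytes(os.urandom(64))
        (bad / "ledger.csv.locked").write_text("constructed ransom note\n")

        return {"clean": verify_restore(clean, manifest),
                "tampered": verify_restore(bad, manifest)}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "PASS" if restore_test_passed(outcome) else "FAIL", outcome)
```

The manifest has to be kept somewhere the same intrusion cannot reach (offline or write-once storage), otherwise an attacker who encrypts the backup can regenerate the manifest to match; and a check like this is only a restore test when it is run against a real restore to separate hardware on a schedule, not once at backup time.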

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com