Q&A: Head Of Accenture Security On Redefining IoT Security, The Shadow Brokers Vulnerability And The Cybersecurity Evolution

Secure In The Knowledge

Accenture has been in the security business for about 15 years, selling IT protection solutions to clients alongside its other products and services. However, two months ago, the Dublin, Ireland-based channel giant took all of its security knowhow and brought it together, creating a new security business unit headed by former Deloitte executive and security expert, Kelly Bissell.

Recently, Accenture Security made its first acquisition in the Asia-Pacific region, buying Australia-based solution provider Redcore Inc. in order to boost its capabilities [for] securing Internet of Things technology and expand its business with the Australian federal government.

Following the acquisition, CRN sat down with Bissell to discuss how Accenture Security will use this latest acquisition to redefine how the market looks at IoT, how Bissell plans to make Accenture the best security solution provider in the world, and what effect he thinks the recent Shadow Brokers [hacking] incident will have on the market.

What is Redcore? Why is Accenture interested in it?

Redcore is a very good boutique [solution provider] in the marketplace. It [has] about 125 people, and they have a core around service and access identity management.

But I don't want to buy them just for the people. That is not what I was after. What I was after is a really important capability that they have around their [Government] defense area in Australia, as well as some IoT technology, intellectual property that I want to leverage around the globe.

Can you elaborate on what defense technologies you are acquiring with this deal?

The defense area technology is classified with cleared people, so I can't tell you specifically. But you can research very easily that the government in Australia is working to build a good, secure digital environment for its citizens and we are a big part of that. But I can't go into a whole lot of detail.

How will Accenture's acquisition of Redcore affect the work you do with the Australian government?

It will augment it. We already have a very heavy presence there - what we call [the] IT health and public safety practice - that focuses on governments around the world...

After this acquisition we will have the largest security practice in Australia by a pretty good margin, based on what I know of the marketplace. And not just for size, but that scale gives us more focus on that end-to-end strategy and focus on those different industries.

So, this team snaps in nicely with what we are doing both on the commercial side and on the government side.

What about on the other side? How is Redcore's IoT technology going to improve Accenture's Security division?

The IoT technology is important too because they have [technology] that is going to help us with industrial control systems that we already have in areas like the Netherlands and in the U.S.

I am fitting these puzzle pieces together and that is going to really change the way the market looks at IoT for industrial controls, automotive and medical devices. So, the laser focus for us is in those three areas.

I'm not too concerned about IoT when it comes to consumers. I'm not too concerned with refrigerators, but we are looking at [the industrial, automotive and healthcare] areas first.

You say the new approach will 'change the way the market looks at IoT for Industrial controls.' How is the market looking at IoT now and how is Accenture, armed with Redcore Technology, going to change the way it is being looked at?

It is a bit of a complicated process, but really ultra-important.

In the security world, there are thousands upon thousands of [technology] providers, some that are really small, some big - like us and IBM - and then others like the big four consulting firms. But - and I've been at this for 23 years - most companies kind of stay at [the corporate office] and focus on serving the corporate office.

But as you know, if you are taking about an oil and gas company, most of their risk is not at corporate, it is downstream at the oil rig, the refinery and the trading systems that they use to trade power, oil and gas. Their risk goes all the way to the pump.

What we are building is that end-to-end security that [covers] the entire ecosystem of that industry. And those are the parts that begin snapping together - that is going to change the way we look at security. Clients need to look at security like that, so that is how we are looking at it.

How will this technology be applied from end-to-end? What application does it have in those marketplaces?

If you think about oil and gas, how do we make sure that pumps aren't on when they shouldn't be, how do we make sure that the measurements on the pumps are correct?

And for other companies, [it could apply to problems like]: how do I make sure that a car does not crash when you apply the brakes? Or, how do we make sure that a medical device [that can be] remotely monitored - and therefore [is] under risk for attack – does not open up an insulin pump and flood the patient with insulin?

That is why I am thinking about the three areas of industrial controls, automotive and medical devices.

How does this acquisition build onto Accenture Security's global strategy?

First of all, it is Accenture's mission to be the best security firm in the world, period.

To do that, we need to do very well across the whole market. We can't be great in some areas and [do] poorly in others. And so, in Australia and Asia Pacific, there are three core foundations that you need to do well in: Australia, Singapore and Japan. The important part is building the foundation and that talent in those markets and that is part of our strategy to serve clients no matter where they are in the world.

You could be a client in the US with operations in Australia [for example, and] we want to make sure we are serving that market consistently.

Part of the strategy, is that we want to make sure that each of the three regions - North America, [Europe] and Asia-Pacific – are part of a unified team that is focused on serving the end-to-end security problem for our clients.

This acquisition is a very important puzzle piece.

What is Accenture's current global focus as it continues to build up its security practice?

As you know, the security landscape is evolving extremely fast and we want to make sure that we help those organizations build the end-to-end capabilities to deal with that change.

But we don't want to stop there. We also want to make sure we help them innovate. Because the very things that they need to do to innovate are also some of the things that put them at security risk.

So, we want to help them innovate safely.

What trends are driving that change?

For instance, the regulation in Australia has changed around breach notification – that was about a year ago – so all of a sudden, [companies in Australia] have to link up and figure out how to resolve this issue.

In Australia, it changed the demand a bit. In Europe, that data protection rule has been there for quite a long time. But it has just changed again recently.

So, the [security] rules around the world are changing and companies, especially multi-national companies, are finding it difficult to keep up with that change in demand and the changing threat landscape. More and more, they are looking for companies like Accenture to help them on a global scale and help them solve that end-to-end problem.

So that changing demand, that pace of [the] bad guys, and regulation are a double whammy.

Can you talk about the history of change in the security market?

Security is in its third evolution. In 2002, it started with the compliance world, [the organizational security and privacy compliance act] Sarbanes-Oxley, and the big four at that time were well positioned to help clients with compliance.

They spent four years doing that. And then our clients realized that they didn't have enough security, and so they moved into this second evolution of implementation. And with every client in the world implementing multiple products, some clients bought everything under the sun for security and then woke up four years later and realized: Oh, my gosh, we spent – in the marketplace – $71 billion or more, and it is not getting better.

Now we are in phase three, which is how do you perform the end-to-end [security] solution, not just implementing tools, but helping them make good risk decisions because security is all about managing risk.

What is next then? Looking forward, what is the next phase of evolution for the security market?

There is going to be another phase - evolution number four - which I am already planning for right now – and that is going to be consolidation [of security technology usage].

Retailers, [for example], cannot solve the security problem on their own because they do not have enough people to watch out for security problems.

They need partners to help them do that, and not just in one company, but across the entire market. All the retailers are seeing the same thing, all the banks are seeing the same thing, all of the automotive companies are seeing the same thing across the global market.

And – at Accenture – this is what we are building towards, because this is what has to be done to provide for the clients. We are in evolution No. 3, and within the next two years, [we will] move into that evolution number four. And the strange thing is that almost nobody sees these stages and we are planning for it.

What is preventing other companies from seeing this?

I think if you look at [many] solution providers, they are putting Band-Aids on problems] and they don't see the holistic problem that they have to deal with. Sometimes it is because they are a small boutique and they can only look at one thing and they are reacting [to that].

Sometimes it is because the company only does one thing and so they only see everything through that one lens.

Accenture is different, because of our huge background in operations, helping companies transition into new areas. We see this and I think it's only because of where we are.

When we talk to clients about this sort of thing, they see that we are absolutely right and think, 'I see it happening, why didn't I put it together that way?' It really makes sense to them in a big way.

What were your thoughts when you first heard about the recent release of NSA hacking tools from the Shadow Brokers group?

I spent some time in some of those areas, the fight, the battles going on right now, [that] have been going on for a long time. They have been going on for decades, but it is being revealed more than ever because of, in part, the Internet and social media.

Have you had any clients express concerns about this? What is Accenture doing in reaction to this news?

I was on a four-hour call with some federal clients, yes.

I think that clients realize, especially the clients that look after security, that they have to understand that they need to focus on keeping their own companies secure. And not just [their] company, but end-to-end and even their ecosystem because they have a lot of partners that they work with.

What they have to do is focus on keeping their companies safe by using partners to help them to be agile.

This news that broke in the last couple of days is almost the same thing as Heartbleed [the widespread security bug disclosed in 2014). The companies have to focus on protecting their own company, and when something occurs, they have to act very, very quickly.

More news is going to come out, and every company on the planet is going to be thinking 'what do I do now.' Agility is critical.