Accenture Security Chief On The Russian Threat, Ransomware And The Classic Mistake That Solution Providers Make

‘Security is not just about protecting the digital business from what is well known. Even more, it’s about protecting from what is coming next,’ says Paolo Dal Cin of Accenture.

Paolo Dal Cin this week officially took command of Accenture’s giant global cybersecurity business – and he most definitely will have his hands full in coming weeks and months.

With 16,000 employees and $6 billion in revenue under his control, Dal Cin, who previously headed Accenture’s cybersecurity business in Europe, will be overseeing a sprawling and still-growing global operation at a time of heightened concerns over cyber threats.

In an interview with CRN, Dal Cin, 46, who is based in Milan, Italy, expressed concern about possible cyberattacks stemming from the Russian-Ukrainian war, the threats that keep him awake at night, and his belief that Accenture needs to hire more non-IT people, such as criminologists, in order to combat cyberattackers.

As head of Accenture Security, Dal Cin replaces Kelly Bissell, who left in February to become corporate vice president at Microsoft, according to his LinkedIn page.

After Accenture’s big 2020 acquisition of Symantec’s cybersecurity services business, Dal Cin isn’t ruling out more takeovers of other security companies, but he made clear Accenture will be “really selective” about acquisitions moving forward.

In the interview with CRN, Dal Cin also talked about the biggest mistakes solution providers make and his views on consolidation within the cybersecurity sector.

Here are some excerpts from the interview:

What are the big threats you see coming in 2022 for your customers?

From one side, I think that there is a consistent trend about ransomware. This is something that we see every day in the market. But I think that the trend that is becoming more and more important is the political one. With the crisis between Russia and Ukraine, I think that the attacks are becoming more and more politically driven, more than just financially driven. This is the trend that we see in the market.

[Editor’s note: Last year, Accenture itself was hit by a ransomware attack, with a hacker group using the LockBit ransomware threatening to release the company’s data and sell insider information. Accenture declined comment for this article about last year’s ransomware incident, repeating only that the attack led to “no impact on Accenture’s operations, or on our clients’ systems.”]

Are you concerned that the Russian-Ukrainian war could have a spillover effect, in terms of cyberwarfare spilling into Europe and North America?

Considering that cyberspace has no boundaries, I think that it’s a matter of time probably. I consider the Russian threat as very capable. And I think that our clients should not underestimate their ability to be very dangerous in this kind of operation. Based on our two decades of a unique experience in threat intelligence, I think that these are something that we need to be prepared to counter. We need to stay vigilant, and we cannot just wait. So my advice to our clients is always be ready. And be ready means do the basics — patching, etc. But it’s also about running and testing and incident response planning. It’s about doing cyber-attack simulation. It’s about doing proactive threat hunting.

What keeps you up at night, in terms of thinking about security?

I think that we need to keep up the pace. Attackers are very fast and I think that they are investing a lot. Some of them are financially funded. And I think that we need to keep up the pace. So in my mind, there are two things (to do). One, innovate. We have continued to invest millions in order to be market relevant every day against the threat actor, supporting the client and becoming more relevant for our client’s agenda from one side.

At the same time, we are a people-based company and so in my mind at the core of my agenda, there is also (the issue of) talent. In a world where there is a huge war for talent, everyone wants to have more and more cybersecurity professionals. We deeply believe that it is very important for us to attract the best talent, to train them, to progress them to the next stage.

When looking at the new threats out there, what's one of the more vexing threats that you see? Perhaps one that’s relatively unknown to many, one that’s kind of scary because you don't know much about it?

I think that we need to be conscious that the real very painful attacks that may happen are the zero day attacks, the ones related to vulnerabilities that are not yet well known, where there is not an easy solution, or patch to be applied. What businesses need to focus on is prevention and development of cybersecurity solutions that are AI driven. We can bet on deep learning machine learning algorithms with detection and response capabilities in order to identify known and also unknown cyber threats.

Security is not about protecting the digital business from what is well known. Even more, it’s about protecting from what is coming next.

Is there one area of your security business that you want to focus on in terms of expanding, maybe through acquisitions?

I think that there are many big (technology) things coming, from 5G to the metaverse, where Accenture overall is investing a lot. We really want to protect these kinds of new virtual environments, like the metaverse, from cyber-attack and other potential threats. So for us, no matter what is the new technology that is enabling our client business, we want to (protect it).

Do you see hiring more people?

Yes, for sure. We have now 16,000 security professionals in Accenture, a very huge practice globally speaking, but this is not an end state. We are planning to grow. And we are planning to grow our head count in every market, in North America and South America, Europe and Asia Pacific. What we want to do is not to just hire more, but to hire more diverse talent. Security is becoming more multidisciplinary. We want to involve people that (are) studying social sciences. We like to have more criminologists. We’d like to add people with a different background. When you are doing a threat analysis, it is very important to understand the threat-actor mindset. This is not just about technical skills. It is more also about soft skills. So we want to diversify our talent pool. Looking forward, we want to attract people not just from, you know, engineering or computer science degree, but from a much broader talent pool.

So it's no longer just about hiring people who understand technology and can do codes. It's about people who know about criminal behavior.

You are spot on. This is the issue. And from the other side, we’d like to have also more people really dig into specific industries. Protecting a national critical infrastructure like a utility company is quite different from protecting a banking institution. They have different goals (and needs) in security in order to protect their value chains. So for us, it’s also important to understand even more the industry (of a client), the specific industry business, in order not just to protect the technology. We deeply believe that security is no more a (purely) IT issue. It has become clearly a business priority.

Accenture has expanded its cybersecurity business through organic growth and through acquisitions. Do you see continued acquisitions?

We’ve done probably more than 15 different acquisitions in the last few years around the globe, in North America, Europe and Asia Pacific. We want to be really selective because we have already great scale, as you know. We want to continue to scan the market to understand if we have any opportunity to acquire a new company in order to fit our agenda.

What’s the No. 1 mistake that you see solution providers make when it comes to cybersecurity?

In my opinion, it is considering security (as) just a matter of technology. I don’t think that security is just, you know, about protecting an IT environment. … It’s really about protecting the business. A common mistake is to talk with clients about just their IT environment, just with the CIO. It’s becoming a broader topic, in my opinion. Every day that I speak with clients, there is at least a clearer priority (regarding security) from a CEO’s agenda, not just a CIO’s agenda. So if a provider is coming into this very crowded, competitive landscape just to protect the technology, they will be out of place very soon.

Some say security products should be put in an “all-in-one” platform and that there’s a trend towards consolidation in that regard. Do you think this is possible? Is this where the security market is going?

I see the same trend — a security consolidation in the product space. But I don’t think that we will have in the future one single product platform. For sure, the clients are looking to consolidate a little bit more. They don’t want to add anymore, as in the past, too many different security solutions in order to protect just, for example, the network, the cloud, data, the digital identity space, etc. They are looking for fewer platforms, fewer partners to deal with in order to have the best security posture. If you want to react to a cyberattack very quickly, you need to have a chain of command and control that is, you know, shorter and faster. With an environment with too many suppliers, too many third-party (players), too many companies involved in your supply chain, the mission will be even more tough. So simplification and consolidation with the right company, I think is a good trend.