Global consultants Ernst and Young LLP recently opened a multimillion-dollar cybersecurity innovation and operations center in downtown Dallas to combat growing global cybersecurity threats to corporate clients. Chad Holmes, EY Americas chief technology, innovation and strategy officer, talks about the challenges of staying one step ahead of the bad guys.

Why a center in Dallas and why now?

The biggest change is that organizations are moving into a digital transformation. Most organizations are turning into IT organizations, and have a huge increased need for cybersecurity. Traditional organizations may not have a public presence or never had a Web presence, or never had anything that I would consider modern-day technology inside their organization because their business didn't really require it.

Now the transformation requires cybersecurity to be baked in early. Logistically, Dallas is the center of the United States and we have a huge client-customer presence here. Also, there's this area's emphasis on science, technology, engineering and math that can provide people to put into this center.

Are we ground zero for cyber attacks? Have the types of companies that have sprouted up here become more likely to be cyber targets?

Malicious actors or organized-crime syndicates are using different techniques to compromise a large organization, such as through emails and phishing campaigns. They're creating unique lures to make employees click on links and open attachments through emails. They're exploiting behavior to get into the organization, spin out different campaigns to get information, compromise data and use it to compromise other people.

We see a lot of threats still coming from outside of the United States. Sometimes targets are industry-specific: financial services, oil and gas, or power and utilities because these are critical infrastructures. Every campaign and every actor has different motivations and typically we can tie those back to different actors. However, it is not a certain common trend across the entire industry of one actor and one behavior.


Are top managers sufficiently proactive in dealing with cyber threats?

Critical infrastructure in Dallas drives the behaviors that we're seeing. I've seen CEOs and chief financial officers getting more involved in a security program of organizations because one, they're still spending high rates of money in cybersecurity and then they still have a high risk of being compromised. They're starting to question that spending.

At the same time, our survey shows that they still will only spend large amounts of their budget on their security program after they get compromised. With organizations transforming in the digital era, it's increasing their threat landscape. It is a conversation that the chief digital officer is having with the CFO and I can tell you that in most of the organizations we work with, the CFO is highly concerned about security. Education and awareness are increasing, but we're still seeing traditional behaviors by certain organizations where they're still thinking they're safe until some major incident happens.

How do you measure cybersecurity success?

You really can't; I'll be honest. There's no real true measurement of the success of cybersecurity programs. I think that's where organizations struggle with the funding, of how to show the return. If I give you $100 million, how do you show that my risk reduced by 50 percent? There's no real true measurement out there to show that.

Typical security looks at detection, the mean time to detect and mean time to respond. If they can drive that time to detect and that time to respond down, that's how they're showing a success.

Is combating cyber attacks something like fighting the prior generation of war? Can you really get ahead of technology in this area?

My answer is no. I don't see that security will ever be ahead of the curve of technology development. Every time security does make some level of innovation, the malicious actors use that against that. They know our innovation capability, they know new techniques that we're deploying on a proactive countermeasure perspective, and they roll out countermeasures to our countermeasures to prevent us being effective.

Then with the massive amount of digital transformation going on inside organizations, will security ever get to a point where it neutralizes all threats and we have a non-cyber war going on on a daily basis? I would say no.

Tell me more about Dallas and STEM.

If you look at some of the larger states, New York, California and Florida, I would say their STEM programs are all competing against the same talent. My personal opinion is Texas is more advanced than most states, but I do believe they're behind in some of the larger states as it relates to STEM development. I still think there's a huge gap in the higher education system as it relates to cybersecurity. It should be a mandate for all curriculum. Right now, IT is, but security isn't really. You're seeing new programs stand up and focus on cybersecurity, but it's not a mandate for all degrees.

I think things like that have to change before everybody comes out, no matter if they're an auditor, accountant or financial manager. They have some level of security awareness built into them where it prevents some of these threats. I would say that's where we've got to get to.

I would definitely like to see more dedicated STEM programs inside the school systems, focused on some of these more advanced or emerging technology spaces. I believe there's a shortage nationally, and in Dallas also.

What are your thoughts about privacy in the digital age?

The sense of privacy, I don't think will ever go away. Everybody has their personal privacy. More broadly the issue is with social media and with other ways that capture data to enable businesses.

If you look at shoe manufacturers, automakers or whatever, they're capturing data and doing analytics from a big-data perspective. They're driving the monetary value through the data they collect. The sense of privacy more broadly I think doesn't exist, but that's why you're seeing efforts to try to put the balance back in.

My personal opinion on my personal privacy? I don't feel I have any. All my data I believe has been leaked in one shape, way or form. I don't take a proactive, let's protect my personal information, because I think that's a losing battle. But also, I don't proactively share data on social media that is personally relevant to myself. I think more broadly people have a tendency to overshare on platforms because they trust those platforms. In reality, platforms are crowd-sourced data that malicious people could leverage.

In recent years we've heard more about ransomware. How common is it?

Organizations do get hit with it on a constant basis. Ransomware is not a new technique; it has just grown in magnitude. Historically ransomware was used to make the organization pay them for a certain outcome. Today, they're using it more maliciously to bring down organizations, and they don't really care about the payment as much as their outcome, which is to do more destruction.

Ransomware typically encrypts the machine and locks the user out of their data or out of their machine directly. If you look at some of the bigger ransomware campaigns we had this past year, most of it was more in a destructive manner, where they're just trying to shut down large organizations and cause disruption in their business or supply chain.

What keeps you awake at night?

I guess what keeps me awake is the evolution of organizations moving into IT industries. It is opening up the landscapes of critical infrastructure and critical services that we need to function every day. We think of power and water and utilities as critical infrastructure. Our critical nature of what we need to function is more than that. It's access to our money, it's access to airlines. It's access to our vehicles, it's access to whatever data. As more technology is infused into those industries, the threat landscape grows for malicious organizations to go after them and bring them down.

This interview was conducted, edited and condensed by Dallas Morning News editorial writer Jim Mitchell. Email: jmitchell@dallasnews.com.

Chad Holmes is the principal and chief technology, innovation and strategy officer for Ernst and Young's cybersecurity practice in Dallas. Email: Chad.Holmes1@ey.com
