I confess to having spent more than a little time lately thinking about cybersecurity, but maybe not for the same reasons as most. My thoughts range from skepticism about the naiveté, ignorance or disingenuousness (depending on your perspective) expressed at some fairly high levels about how widespread and pernicious such activity is, to serious concern that the management of such risk in many places is dangerously deficient.
Having directly dealt with this issue as a CRO and a consultant, my worries are predicated on the fact that a) this is not a new series of challenges, b) a lot of smart people have spent a great deal of time and effort thinking about how to deal with the multidimensional challenges of cyber risk and c) it is growing, metastasizing and not going away.
It is hard not to raise an eyebrow when one hears comments about lack of awareness or sensitivity to cyber risk, especially from governments (or the national headquarters of major political parties) and large firms. If such activity hasn’t been near or at the top of the risk inventory for years, if it isn’t something the CEO and the CRO talk about regularly and isn’t the subject of consistent reporting to stakeholders and the board (or their equivalents), something is seriously awry.
And if you are still approaching the issue from the perspective that you can keep the barbarians from the gate, you are even further behind the eight ball.
At the beginning of the decade, those such as the U.S. Department of Defense and the Department of Homeland Security, among others, who were serious about addressing cyber risk had already moved from prevention to active management, based on the presumption that the enterprise had already been hacked or would be. This shift sounds simple, but, as with many implementation issues, it is extremely challenging to effect in practice. This is because of the multidimensional nature of the problem.
There are external as well as internal issues to managing the cyber risk problem, and unless all of these are addressed, monitored and modified simultaneously and constantly, a hole in one’s defenses is likely to occur. Real-time, three-dimensional chess is an apt analogy for what is needed to keep things under control.
It’s hard not to raise an eyebrow about the lack of awareness to cyber risk from governments and large firms.
A comprehensive explanation of how to address cyber risk is beyond the scope of this column; however, below is a high-level overview of the most critical ingredients that should feature in any such effort:
- Drain the moat and stay away from the ramparts: Trying to keep out those that would seek to do you harm is a fool’s errand at this point. Instead, as a first step, fully identify, prioritize and address the cyber aspects of your potential critical information, operational and competitive vulnerabilities.
- Explicitly revise your strategy and business plans in light of these findings: These threats need to be fully incorporated into your strategic deliberations and your performance and risk measurement frameworks. Everyone on the senior management team, as well as the board, needs to be fully informed about the types of exposures that could arise, what the potential implications of different kinds of breaches could be, how the firm is/plans going forward to manage them in a multi-layered, reward-to-potential risk prioritized way, how they should respond if and when such an attack(s) materializes and, as important, what specific aspects of cyber risk management they are personally responsible for and will be held accountable for managing according to the policies and guidelines established. To achieve these last two objectives, explicit appetites and tolerances for different types of cyber events needs to be established, monitored and reported to management and the board. And the subject should be a standing agenda item for both the board and management.
- Think and act “inside out” as well as “outside in”: In most, if not all, cases—given that email and social media are the most prevalent vehicles used by hackers—your employees need to be the first line of detection and defense. Continuing education, training and periodic internal testing should be mandatory for all employees and board members. The better your staff understands the possible ways in which outsiders may try to get in to your systems and the potential consequences that could ensue, the better you will be at constraining/containing potential adverse impacts.
- … and “bottom up” as well as “top down”: Little things are likely to matter as much (and in some cases more) than a major systems breach. The latter is certainly going to be extremely harmful if it occurs, but unless you are woefully derelict, it is very hard to achieve. It is far easier (and the much more often employed tactic) to find a weak link—such as an employee clicking on an email containing malware, giving the malware access to your system and the ability to migrate through it to find and extract data and information over time. This is why a comprehensive, layered system monitoring and reporting capability is critical. It is the electronic equivalent of the “If you see something, say something” approach that was developed after 9/11.
There is a great deal more that needs to be done to create a top-notch cybersecurity framework, as the devil truly is in the details. Regrettably, the almost daily headlines suggest that far too many firms, governments, and other entities have yet to achieve even this level of proficiency.