By Chris Moschovitis, Chairman & CEO of tmg-emedia, inc.
“What we’ve got here is failure to communicate!”
– The Captain, Cool Hand Luke
This failure between cybersecurity professionals on one hand, and business and government leaders on the other, is costing us billions and putting our institutions and democracies in harm’s way.
According to ISACA’s State of Cybersecurity survey, cyber-attacks are on the rise and will continue to increase, with 50% of security leaders experiencing a higher volume of attacks in 2018 than in 2017.
ISACA’s State of Cyber report 2018
If we stand a chance of managing the rising volume of attacks, we must firstly define how best to communicate as an industry. How do we bridge this gap and build effective cybersecurity programs?
We start by developing a common language – a way for both of us to engage in this shared responsibility. Think of it this way, we all know enough about our car to talk to our car mechanic, maybe even change the occasional tire. We all know enough about medicine to have a meaningful conversation with our doctors (thank you Dr. Google!) And, we know enough about law to call our lawyer when we’re in trouble!
I’ll go a step further: There is no CEO worthy of the “C” that can’t “speak” fairly fluently finance, marketing, strategy and operations. But… the moment we bring up cybersecurity, eyes glaze over, palms sweat, bodies start fidgeting in place. Frequently, the answer might as well be something like: “IT will take care of this! We keep them in a dark room with lots of tiny blinking lights and throw them some raw meat every other day. They keep us running and protected. No worries!”
To begin with, IT creates value and cybersecurity protects value – two parallel tracks. You should not have one reporting into the other; there is an obvious conflict of interest! The way we need to be thinking about cybersecurity, from a governance perspective, is not as a technology problem, but as a risk management problem. And, who’s responsible for risk management? If you said the board of directors, you are right! In their absence, it is the owners of the firm. Sometimes the owners are themselves members of the C-Suite, other times, not. Irrespectively, the only ones that can accept risk, including cybersecurity risk, are the owners.
Accept risk? How about eliminate risk? Therein lies the rub. Risk can never be zero. It is all about your specific risk appetite that guides the development of the specific cybersecurity program for your firm, your institution, or your country.
Getting in touch with your inner risk acceptance is not enough. We need to understand what we are protecting – our assets. What are they, exactly? What is their value? How long can we be without them? How fast do we need to recover? Questions like these help us develop the business impact analysis, unit-by-unit, department-by-department, and ultimately company-wide, or country-wide.
What are we protecting these assets from? What are the threats? Who’s out to get you? Why? In this step, we ask all sorts of questions like these to help us develop our threat and risk assessment. These questions have very different answers when you are a law firm, a hospital, a school, or a municipality. And, yes, of course size matters. A multinational concern has a very different risk register than the local bakery. But, don’t think for a minute that your baguette is not at risk.
Armed with all this due diligence, we can take the next step: develop a defense-in-depth cybersecurity strategy that deploys a range of preventive, detective, corrective and compensating controls. Not surprisingly, ISACA’s State of Cyber survey reveals that active defense strategies are highly effective (according to the 87% of respondents who use them), but they are not used widely enough, with 40% of respondents saying they are not familiar with active defense strategies.
ISACA’s State of Cyber report 2018
Once we take that next step in a implementing a defense-in-depth cybersecurity strategy, the real fun begins. We need to engage our people in frequent cybersecurity awareness training, we need to develop our incident response plans, we need to train our teams, and practice, practice, practice! Only then can we begin to sleep somewhat easier knowing that we’ve exercised our due care and that we’re prepared to respond to any attack. Only then can we begin to “live” cybersecure.
Author’s note: I am honored to present “Challenges in Cybersecurity Program Development” at ISACA’s 2018 CSX Europe conference, to take place 29-31 October in London. The session is specifically designed for business executives who need to understand how to complete the handshake with cybersecurity professionals, understand what they need to know to be successful, devoid of techno-jargon-speak, and develop a pragmatic approach for their cybersecurity program. The presentation will be based on my recent book “Cybersecurity Program Development for Business: The Essential Planning Guide”(Wiley 2018).