Cybersecurity continues to be managed in bits and bytes. Threats are rarely discussed at the executive or board level and the result is that many organizations are taken by surprise and left to react. Instead, cyber-risk must be evaluated through a strategic lens, much like sales, marketing, finance and other key business units.
Regular, thoughtful planning and discussion will strengthen risk mitigation and significantly improve an organization’s security posture. Here are three practical steps to ensure a more cyber-resilient organization.
Make Cyber a Living, Breathing, Evolving Part of Your Overall Business Strategy
Strategy in business is too often rendered a cold, calculating, lifeless endeavor. This is how the great Jack Welch described business leaders’ take on ‘strategy’:
“I have listened to their presentations in disbelief. It’s not that I don’t understand their theories about competitive advantage, core competencies, virtual commerce, supply chain economics, disruptive innovation, and so on, it’s just that the way these experts tend to talk about strategy — as if it is some kind of high-brain scientific methodology — feels really off to me. I know that strategy is a living, breathing, totally dynamic game. It’s fun — and fast. And it’s alive.”
Of all the domains of a business, nowhere is this ‘strategy problem’ more evident than in cybersecurity.
Most cyber-defense efforts are staffed and led by very good engineers or former engineers. By their nature, they’re deliberate, accurate, precise and thoughtful. That’s good for coding, configuring and tuning, but it can be paralyzing for anything that requires quick, decisive and reflexive action.
Strategy, as it can be applied to the world of cyber, should identify clear, simple ways to move based on good organizational data with the right action-oriented people in charge who follow informed best practices to achieve strategic goals despite dynamic change. Security leaders must make focused, quick decisions at every turn that support strategic goals. Strategy is then alive.
The problem with the traditional approach is that we are burying ourselves in low-level data, trying to find the needle in the haystack. What we end up doing is searching lots of haystacks, which takes time and resources and, more often than not, is ineffective. Instead, look at cyber through a different lens and try to answer specific questions from a business perspective, such as ‘what cyber risks are impacting my supply chain?’ and ‘has my cloud provider suffered a breach in the last month?’
Elevate the Cybersecurity Discussion
For too long, cybersecurity has been someone else’s problem. Security leadership has not been ‘eating at the same table’ as other key business area leaders. Good leaders who can define and communicate the mission and strategy are critical.
According to Jack Welch, good leaders, amongst other things, make sure everyone sees, lives and breathes the vision; relentlessly upgrade the team; use every opportunity to evaluate, coach, and build confidence; and have the courage to make quick, unpopular decisions and go with their gut.
A CSO must be a strong leader, but they also need the same opportunities given to other business unit leaders to make their case.
Improve Cyber-Resilience with Evaluated Intelligence
Successful corporations run on evaluated intelligence: sales data, financial numbers, marketing expenditures and so on. All this information leads to insights and diligence that help businesses become resilient over time and survive (or avoid) the unexpected. Cyber should be no exception.
Evaluated intelligence is the cyber-activity you know about, even if you can’t yet tie it to a negative outcome.
There are many examples of evaluated intelligence that you can use to improve cyber-resilience. Perhaps a database storing personally identifiable information has been targeted, and others in your industry have been hit by similar attacks. A vendor in your supply chain that supports your customer fulfilment process may discover malware on their systems that law enforcement has seen before. Or your brand may be mentioned on social media by malicious actors, indicating a potential future event.
Unfortunately, this data is rarely collected in depth, much less in standard, predictable and intuitive ways. Instead, organizations too often settle for data about the possible or assumed rather than the proven. Without evaluated intelligence, business leadership cannot efficiently baseline the cyber domain, and a domain without a baseline cannot be made amenable to time-tested business strategies and formulas.
Without that information, the business side cannot apply the same level of planning and strategy to cyber as it does elsewhere, and so it can’t help the entire organization become more cyber-resilient. Over time, using evaluated cyber-intelligence gives leaders a way to get a handle on cyber-planning and to better support security operations over the long term.
As you plan how to maintain and grow your business, here are some important questions for you to consider around cyber and its impact: Is your cybersecurity a full part of your business? Is your cyber strategy alive? Are your leaders the right people for the job? Are you leveraging evaluated cyber intelligence?
If not, you’re not likely to survive the long haul.
About the Author
Jason Polancich is a serial entrepreneur focused on solving complex internet security and cyber-defense problems, with more than 20 years of experience as an intelligence analyst, software engineer, systems architect and corporate executive.