This post reflects a collaboration between Dr. Dale Meyerrose, major general, U.S. Air Force (retired), president of the MeyerRose Group and Maureen Metcalf, founder and CEO of Metcalf & Associates, and is written in conjunction with an interview on VoiceAmerica aired on May 24, âCybersecurity: Thriving in a High Threat Environment.â
Dale sees âcyberâ as much a language as the medium over which data flows. In turn, cybersecurity is about ensuring trust in virtual functions and services.
One often thinks cybersecurity is the job of specialists working in an information technology (IT) services organization, or of analysts in the security shop. Yet, when something goes wrong, it cannot only affect the very health and reputation of an entire organization, but possibly its existence.
Over the past five years, the headlines have been replete of examples of high-profile organizations and individuals who have had their data, records, and identity compromised by criminals, terrorists, governments, and âevil doers.â As a consequence, many have formed opinions based on impressions created by the mediaâmany of those impressions may not be grounded in fact. So, what is the proper context?
Thereâs a tendency to focus on the large number of compromised records in some of the more infamous cases, particularly involving retail and entertainment firms, and the U.S. government. Yet, these sensational cases arenât necessarily the largest in numeric terms. We are familiar with these cases for reasons other than strictly the number of compromised records and/or identities. The publicity of these crises were likely for other reasons, such as participant notoriety, shock value, timing, potential liability, among other aspects. We tend to forget that cybersecurity issues exist in the context of the outside world and the human experience in general. Inserting âcyber,â or âe,â or âIâ in front of a criminal act, doesnât change the motivations behind the theft, espionage, or destruction.
âEvil doersâ act in their own self-interests and are, by-and-large, rational. Â However, they arenât necessarily more intelligent or infallible. Just like in other forms of crime, they take the path of least resistance in committing cyber attacks. Like other manner of crime and conduct, whether cyber is involved or not, the perpetratorâs motivations are the same. And, increasingly itâs difficult for any crime not to have some kind of cyber facet or implication as we, as a society, have become more dependent on cyber capabilities in both our professional and personal lives.
Additionally, specialists spend most of their âsecurity cyclesâ worrying about not becoming the next âposter childâ for a breach. They build layers of detection aimed at penetration alerts so that the culprits can be ousted and the vulnerability that permits the breach repaired. This reactive approach spawns much of the current computer security industry and network-centric thinking. It persists today under the rubric of cybersecurityâin the language that we hear in the media and from the security industry. Â In fact, by all appearances most of these previous policies were updated using a universal word search of ânetworkâ and âcomputer,â and merely replaced what are now considered passÃ© terms with the more modern word âcyber.â Â They did so without adjusting their thinking to take into account a vastly changed, dynamic environment.
To better understand some key facets of cybersecurity, we compiled five foundational tenants that organizational leaders should know when learning about cybersecurity. This understanding prepares you to be driven by the âart-of-the-possibleâ than be paralyzed by the âfear-of-the-inevitable.â
Five key cybersecurity tenants
1. âEvil doersâ and âgood guysâ value the same things. The former looking to gain access to, and the latter trying to protect the same. What youâre proudest of, criminals covet most. The value of the information architecture now supporting the global economy likely runs into the trillions of dollarsâif you are not protecting your organization, an infiltration could threaten your data, your reputation, and even your existence. For most businesses and organizations, if not all, critical information is created, manipulated, accessed, transmitted, and stored electronicallyâand subject to infiltration, exposure, and exploitation.
2. Cybersecurity is a people issue, not a technical one. Â Cybersecurity strategy is more about organizational resolve than devising a great plan for the future. Cybersecurity is inseparably linked with every strategy and investment. Human talent is the only true competitive differentiator in business or any walk-of-life. This applies not only to your technical staff, but the trainability of the entire organization. Security is what you do, not something you have, buy, or install.
3. The workforce has largely moved outside the firewall to do their jobs. An enterprise is only as secure as its least protected device or point of access. If we think about someone trying to hack into a home computer, an intruder would likely choose to gain access through another device that is connected to the computer, thus circumventing the traditional security measures. Â As the âInternet of Thingsâ becomes more of a reality, backdoor access to that home computer will most likely come through a networked appliance like a thermostat, refrigerator, baby monitor, or alarm system. In a similar fashion, a mobile and agile workforce will expose organizations to similar risks and potential exploitation.
4. Organizations need to first look inward. Most cyber attacks come from careless employee actions and gaps in security protocols rather than brilliant data thieves. Most, maybe as high as 90 percent of cyber attackers, gain their initial infiltration through insider behavior such as phishing e-mail, social engineering, or employee carelessness. So, irrespective of intent, most modern-day compromises, even the biggest ones, start out âlow techâ in other domains and then migrate to âhigh techâ cyber once behind the firewall or inside an organizationâs network. Â In essence, modern cybersecurity is an âinside-outâ proposition, not the âoutside-inâ that we are led to believe.
5. Cybersecurity is a leadership responsibility. Board directors and senior executives across the leadership team should recognize that all cybersecurity compromises constitute an organizational crisisâthe resolution of which needs to be led by the most senior echelons. Top-level leadership is accountable for every aspect of an organization, particularly a crisis. And, there should be no such thing as a security or cybersecurity responseâit is a crisis response. The reputation and future operation of the entire organization is at stake. Â This is a non-delegable responsibility that requires not only a complete remediation of the current situation, butâespecially in the case of cybersecurityâconstructing the ânew normalâ for future operations.
To date, many in leadership have ignored the potential impact of cybersecurity. We proceed with our key business processes and pay little attention to cybersecurity as an organizational priority. We are often focused on operating the business, while relying on IT or cybersecurity specialists to take care of the rest. It is time to update how we think about cybersecurityâand specifically what we do about it.
Dr. Dale Meyerrose, major general, U.S. Air Force (retired) is president of the MeyerRose Groupâa cybersecurity, executive training/coaching, and eHealth technology consulting company. He is an adjunct instructor at Carnegie Mellon University, Institute for Software Research running their Cybersecurity Leadership Certificate program. General Meyerrose, a Southwest Asia veteran, was the first Senate-confirmed, President-appointed Chief Information Officer for the Intelligence Community after over three decades of military service.
Maureen Metcalf, founder and CEO of Metcalf & Associates, Inc., is a renowned executive advisor, author, speaker, and coach who brings thirty years of business experience to provide high-impact, practical solutions that support her clients’ leadership development and organizational transformations. She is recognized as an innovative, principled thought leader who combines intellectual rigor and discipline with an ability to translate theory into practice. Her operational skills are coupled with the strategic ability to analyze, develop, and implement successful strategies for profitability, growth, and sustainability.
In addition to working as an executive advisor, Maureen designs and teaches MBA classes in Leadership and Organizational Transformation. She is also the host of an international radio show focusing on innovative leadership, and the author of an award-winning book series on Innovative Leadership, including the Innovative Leaders Guide to Transforming Organizations, winner of a 2014 International Book Award.
photo credit: www.flickr.com infocux technologies