This post reflects a collaboration between Dr. Dale Meyerrose, major general, U.S. Air Force (retired), president of the MeyerRose Group and Maureen Metcalf, founder and CEO of Metcalf & Associates, and is written in conjunction with an interview on Voice America aired on May 24, “Cybersecurity: Thriving in a High Threat Environment.”
Dale sees “cyber” as much a language as the medium over which data flows. In turn, cybersecurity is about ensuring trust in virtual functions and services.
One often thinks cybersecurity is the job of specialists working in an information technology (IT) services organization, or of analysts in the security shop. Yet, when something goes wrong, it can affect not only the health and reputation of an entire organization, but possibly its very existence.
Over the past five years, the headlines have been replete with examples of high-profile organizations and individuals who have had their data, records, and identity compromised by criminals, terrorists, governments, and “evil doers.” As a consequence, many have formed opinions based on impressions created by the media—many of those impressions may not be grounded in fact. So, what is the proper context?
There’s a tendency to focus on the large number of compromised records in some of the more infamous cases, particularly those involving retail and entertainment firms, and the U.S. government. Yet, these sensational cases aren’t necessarily the largest in numeric terms. We are familiar with these cases for reasons other than strictly the number of compromised records and/or identities. The publicity of these crises was likely due to other factors, such as participant notoriety, shock value, timing, and potential liability, among other aspects. We tend to forget that cybersecurity issues exist in the context of the outside world and the human experience in general. Inserting “cyber,” or “e,” or “i” in front of a criminal act doesn’t change the motivations behind the theft, espionage, or destruction.
“Evil doers” act in their own self-interests and are, by and large, rational. However, they aren’t necessarily more intelligent or infallible. Just as in other forms of crime, they take the path of least resistance in committing cyber attacks. As with any other manner of crime and conduct, whether cyber is involved or not, the perpetrator’s motivations are the same. And, increasingly, it’s difficult for any crime not to have some kind of cyber facet or implication, as we, as a society, have become more dependent on cyber capabilities in both our professional and personal lives.
Additionally, specialists spend most of their “security cycles” worrying about not becoming the next “poster child” for a breach. They build layers of detection aimed at penetration alerts so that the culprits can be ousted and the vulnerability that permits the breach repaired. This reactive approach spawns much of the current computer security industry and network-centric thinking. It persists today under the rubric of cybersecurity—in the language that we hear in the media and from the security industry. In fact, by all appearances most of these previous policies were updated using a universal word search of “network” and “computer,” and merely replaced what are now considered passé terms with the more modern word “cyber.” They did so without adjusting their thinking to take into account a vastly changed, dynamic environment.
To better understand some key facets of cybersecurity, we compiled five foundational tenets that organizational leaders should know when learning about cybersecurity. This understanding prepares you to be driven by the “art of the possible” rather than paralyzed by the “fear of the inevitable.”
Five key cybersecurity tenets
- “Evil doers” and “good guys” value the same things. The former look to gain access to them, and the latter try to protect them. What you’re proudest of, criminals covet most. The value of the information architecture now supporting the global economy likely runs into the trillions of dollars—if you are not protecting your organization, an infiltration could threaten your data, your reputation, and even your existence. For most businesses and organizations, if not all, critical information is created, manipulated, accessed, transmitted, and stored electronically—and is therefore subject to infiltration, exposure, and exploitation.
- Cybersecurity is a people issue, not a technical one. Cybersecurity strategy is more about organizational resolve than about devising a great plan for the future. Cybersecurity is inseparably linked with every strategy and investment. Human talent is the only true competitive differentiator in business or any walk of life. This applies not only to your technical staff, but to the trainability of the entire organization. Security is what you do, not something you have, buy, or install.
- The workforce has largely moved outside the firewall to do their jobs. An enterprise is only as secure as its least protected device or point of access. If we think about someone trying to hack into a home computer, an intruder would likely choose to gain access through another device that is connected to the computer, thus circumventing the traditional security measures. As the “Internet of Things” becomes more of a reality, backdoor access to that home computer will most likely come through a networked appliance like a thermostat, refrigerator, baby monitor, or alarm system. In a similar fashion, a mobile and agile workforce exposes organizations to the same kind of risk and potential exploitation.
- Organizations need to first look inward. Most cyber attacks come from careless employee actions and gaps in security protocols rather than from brilliant data thieves. Most cyber attackers, maybe as many as 90 percent, gain their initial infiltration through insider behavior such as phishing e-mail, social engineering, or employee carelessness. So, irrespective of intent, most modern-day compromises, even the biggest ones, start out “low tech” in other domains and then migrate to “high tech” cyber once behind the firewall or inside an organization’s network. In essence, modern cybersecurity is an “inside-out” proposition, not the “outside-in” one that we are led to believe.
- Cybersecurity is a leadership responsibility. Board directors and senior executives across the leadership team should recognize that all cybersecurity compromises constitute an organizational crisis—the resolution of which needs to be led by the most senior echelons. Top-level leadership is accountable for every aspect of an organization, particularly a crisis. And there should be no such thing as a “security” or “cybersecurity” response—it is a crisis response. The reputation and future operation of the entire organization are at stake. This is a non-delegable responsibility that requires not only a complete remediation of the current situation, but—especially in the case of cybersecurity—constructing the “new normal” for future operations.
To date, many in leadership have ignored the potential impact of cybersecurity. We proceed with our key business processes and pay little attention to cybersecurity as an organizational priority. We are often focused on operating the business, while relying on IT or cybersecurity specialists to take care of the rest. It is time to update how we think about cybersecurity—and specifically what we do about it.
Dr. Dale Meyerrose, major general, U.S. Air Force (retired), is president of the MeyerRose Group—a cybersecurity, executive training/coaching, and eHealth technology consulting company. He is an adjunct instructor at Carnegie Mellon University’s Institute for Software Research, running its Cybersecurity Leadership Certificate program. General Meyerrose, a Southwest Asia veteran, was the first Senate-confirmed, President-appointed Chief Information Officer for the Intelligence Community, after more than three decades of military service.
Maureen Metcalf, founder and CEO of Metcalf & Associates, Inc., is a renowned executive advisor, author, speaker, and coach who brings thirty years of business experience to provide high-impact, practical solutions that support her clients’ leadership development and organizational transformations. She is recognized as an innovative, principled thought leader who combines intellectual rigor and discipline with an ability to translate theory into practice. Her operational skills are coupled with the strategic ability to analyze, develop, and implement successful strategies for profitability, growth, and sustainability.
In addition to working as an executive advisor, Maureen designs and teaches MBA classes in Leadership and Organizational Transformation. She is also the host of an international radio show focusing on innovative leadership, and the author of an award-winning book series on Innovative Leadership, including the Innovative Leaders Guide to Transforming Organizations, winner of a 2014 International Book Award.