Beyond the Told

by Dr. David M Robertson

Leadership and Cybersecurity

Advertisements

Not long ago, I stumbled upon an article in the Harvard Business Review by Alex Blau. In it, he suggested that the leaders of organizations needed to change their perspective on cybersecurity and focus more on risk management. I couldn’t agree more. Whether you are a leader inside an IT department or the leader of an organization with an IT department, we all need to get on the same page regarding cybersecurity initiatives. Too often, the IT department and the leadership teams are head-to-head regarding funding, effectiveness, resources, and policies. This is counterproductive and can be dangerous for your organization, people, and customers.

Change Your Cybersecurity Viewpoint

There is no such thing as total protection! We must stop looking at cybersecurity as something that we can control. You cannot! You cannot control when or if someone else decides to attack your systems. Furthermore, your IT department shouldn’t be treated as though that were the case. Cyberattacks will happen, and some will be successful, so I would also challenge you not to see breaches as “failures.”

It’s a drastic change in mindset for some, but it’s necessary. Understand that you fail at cybersecurity only when you are not proactively and aggressively trying to stay one step ahead in your cybersecurity initiatives. And suppose we are going to change the way we view cybersecurity. In that case, we must also change the way we look at our leadership roles and the way we approach the topic of cybersecurity as an organization. Cybersecurity threats constantly evolve, and we must evolve our thoughts and efforts accordingly. 

Think of your cybersecurity team as your organization’s personal army. Your army is faced with protecting your organization and customers against attacks from other armies around the globe. Those other armies are constantly upgrading their arsenals and training up to conquer your army. A defeat will likely occur if you allow your army to get stuck with outdated weapons and training. If you don’t want that, you need to empower your “generals” to acquire the necessary tools and skills to keep your organization ready. You also must understand that even if your generals are fully equipped, the other side is continually trying to figure out ways to win and could be empowered in ways your generals are not. It’s a never-ending process and struggle, which is why we must change how we view cybersecurity to increase our odds of success.

The irony is that most organizations have already adopted appropriate mindsets regarding other areas of their business. Shrink happens but is managed via loss prevention or asset protection efforts. Accidents are inevitable, but it is managed via education and training. Environmental risks are always there, but they are managed by implementing measures to control harmful substances. Waste happens but is managed by tracking the waste produced and implementing better practices to reduce it. Cybersecurity can be similar if we accept that it’s a threat that requires risk management and not an internal expense that can be skimped on.

Risk has a couple of definitions. Essentially, it’s exposing something valuable to danger, harm, or loss. I always encourage organizations to first explore what assets might be considered valuable. This can sometimes be a complicated task, but when we realize the vast amount of information available through a computer, we can only begin to manage the risk of exposure by exploring options, priorities, threats, and vulnerabilities.

Not only does tech have vulnerabilities, but those vulnerabilities are likely connected to your network and pose serious security risks. The risk increases with each connected device. According to Cisco, 500 billion devices are expected to be connected by 2030, and some of these connected devices have numerous identified security vulnerabilities. Do the math! Of course, the part that scares me isn’t the vulnerabilities that we have identified. The part that scares me is the vulnerabilities that we haven’t.

What thoughts run through your head about an organization that has recently been hacked? Are you confident that your information is secure? Do you still trust that organization? Do you feel as though their reputation has been tarnished? What will happen to your organization if a breach occurs?

Now imagine the chaos that comes with damage control for an organization after a breach. They have to deal with PR issues, stock price issues, marketing efforts to inform the public that those things are better now, and so on. It can be very costly. In many ways, an organization could have saved money, time, and effort by taking some of that money used for damage control and placing it into its cybersecurity initiatives in the first place.

Again, it’s a change in mindset, but it’s necessary. This is because most organizations are not prepared for the problems that come with an under-equipped cybersecurity team. To give you a better example, in Look Who’s Watching: Surveillance, Treachery and Trust Online by Fen Osler Hampson and Eric Jardine, I saw a statistic stating that the vast majority of organizations that were attacked in 2014 had to be told that someone outside of the organization attacked them. The organization didn’t even know! Making it worse, it often took months to find out. That’s scary. We need to lead the way. We must change how we approach the problem and stop expecting attackers to conform to what we think a threat should be.

So What Can Leaders Do to Help?

No doubt that the topic of cybersecurity is a tough one. It’s also a costly one. It can be managed and successful if you just take a few steps in the right direction. Here are some suggestions to help leaders navigate the issue.

  • To begin with, leaders need to embrace the idea that their IT teams are probably going to know more about the problem and be willing to listen to them – even when leaders don’t like what is being said.
  • Leaders must embrace the idea that cybersecurity is not the department to ignore or under-fund simply because the ROI is difficult to track.
  • Leaders must be ready for the attack and anticipate new security threats. Leaders must work with their IT and cybersecurity teams to build robust cyber incident response plans and take a proactive approach in preparing for the INEVITABLE attack.
  • Leaders need to appreciate the sophistication of the opposition. These attacks are not coming from some kid in the basement of his mother’s house. In recent years, we have seen attacks from national governments like the Russians, Chinese, and North Koreans (and more), terrorist groups, industrial spies, organized crime, hackers, business competitors, and so on and so forth. Belittling what IT really does only helps to undermine what it should or could do.
  • Leaders need to understand that cyber-threats are not just spyware, malware, Trojans, and phishing anymore. Your teams are now faced with protecting your organization against botnets, ransomware, wiper attacks, distributed denial of service attacks, various types of theft, data manipulation, rogue software, and more.
  • Leaders must ensure that their IT teams have a robust knowledge of network security methodologies, risk management processes, vulnerabilities, and application vulnerabilities and know the difference between an attack and a relationship, and so on.
  • Leaders must communicate with their IT teams. Ensure an open dialog and be prepared to hear “we need more.” Of course, they do! Understand that what you currently have will never be enough because things are always evolving. This expense doesn’t go away.
  • Leaders need to empower their cybersecurity teams and allow them to be a bigger part of the organization. Cybersecurity is not just an IT problem; it’s an organizational initiative, and your teams need to be armed accordingly.
  • Business leadership and technology leaders must work together. It will take both to discover potential risks, formulate protection plans, and determine what will be done when and after the attack occurs.
  • Leaders need to support their IT and Cybersecurity teams in regard to acquiring better network security measures and help them to implement solid policies and procedures to aid in that mission. This should include the necessary devices and programs needed to minimize threats to the network. They should also work together to solidify rules for employees in regard to passwords, email, and website usage.
  • Leaders need to keep their cybersecurity teams trained. New techniques, new equipment, and new programs are being developed all of the time. Leaders must ensure that their teams are on the cutting edge and help to ensure that organizational policies reflect the advancements and implementation of newer tools and tactics.
  • Leaders should be aware of cyber competitions and perhaps even encourage their teams to participate in them. These are great ways to get practice and practical knowledge. In the coming years, these will become more popular, and the chances are good that there are already some in your region.
  • Leaders must help develop and maintain an organizational culture of security and education. Security awareness is simply not enough. A Keeper Security analysis of 10 million passwords revealed by data breaches in 2016 found that nearly 17 percent of accounts were protected by the password “123456”. That’s just silly. Now factor in advanced tactics like “Social Engineering” that manipulate individuals into divulging confidential information willingly.

It’s a lot, I know. I’m sure some of this seems overwhelming. The sad part is that there is even more to it, but I have chosen not to get into it in this article. However, if all of this seems too much for your organization to handle, then I would suggest you outsource your efforts to an organization that can effectively handle all of this. Doing so could be a cost-effective way to ensure your organization’s security without spending the money to continually chase technology and training. Several organizations are dedicated to this mission, and their pricing models are quite affordable. Organizations like Ember Technologies LLC come to mind.

Of course, for some organizations and leaders, having an IT department or their cybersecurity efforts outsourced is still not an option. That’s okay. There are still a few steps that you can take to protect yourself and your organization. While not robust or comprehensive, the following are some basic suggestions that can go a long way toward helping you step up security.

  1. Educate employees (again and again) about security protocols and what is considered risky behavior. 
  2. Use proper passwords. Passwords that are at least 15 characters long, consisting of meaningless words, numbers, and random symbols, are best.
  3. Encrypt.
  4. Don’t click on unfamiliar links. This is security 101. If you don’t recognize the sender, if you recognize the sender but it’s not something the sender would normally send, or if you feel that anything is even remotely “off,” – DON’T CLICK THE LINK!
  5. Get antivirus programs and firewalls and keep them up-to-date. Updates are usually provided when new ways of protecting the system have been discovered. Use them and ensure you are always current.
  6. Protect devices with authentication. You wouldn’t give your house key to everyone in your organization, and you shouldn’t be giving out keys to your devices. Ensure that the people on your devices are supposed to be. Give everyone his or her own access credentials. 
  7. Back up your information and keep that backed-up information off your main network.

Hopefully, these tools and recommendations can help you achieve the security levels your organization and customers deserve. If you have any questions about this, talk with an IT professional. Threats, attacks, prevention measures, and solutions will differ from organization to organization, so you want to ensure that your protocols are right for you.

Good luck! 


Did you enjoy this article? You might also like my article “Performing a Risk Analysis.

Advertisements