CEO Leadership in the Age of Cyberspace

One thing that has surprised me since I left active duty as an Air Force Major General a little over two years ago is the inconsistency I see from company to company regarding the importance of leadership and organizational culture.  I have recently talked with a number of senior leaders who say they are engaging consultants to help develop leadership programs and to understand and, if necessary, modify their organizational culture.  Certainly a step in the right direction, but these are mature companies.  It is interesting to me that leadership and culture are just now becoming important at the most senior levels.

My experience leading a number of large, complex organizations suggests that nothing is more important than having good leaders at all levels of the company and making sure they are aligned on creating and sustaining a company culture that sets the stage for success.  Good leaders attract and retain good people and a clear set of values, a meaningful vision and mission statement linked to relevant, measurable goals all help define a culture that ensures employees can connect the dots from what they do to the ultimate success of the company.  In the age of cyberspace, nowhere is this more important than in those aspects of leadership and culture that touch cybersecurity.

Leaders exhibit behaviors that in turn establish organizational culture.  If the culture needs to change, as it does in most companies when it comes to cybersecurity, the CEO has to personally take it on.  Culture change cannot be delegated.  Here are four things cyber savvy CEOs do to inculcate an effective cybersecurity culture in their companies:

1.  The CEO is the model user.  She adheres to all of the company policies regarding password rules and acceptable internet use.  She does not ask for personal exceptions to company policies and neither does her staff.  The CEO routinely talks about the importance of user behavior in defending the company from hackers.

2.  The CEO grasps key cybersecurity terms and concepts.  This takes some work, but CEOs need a working knowledge of cybersecurity if they are going to provide the same level of management and oversight for cybersecurity that they exercise over operations, financial management, human relations and other critical functions that make the company successful.  Plus, the CEO does not want to waste time in a critical meeting because senior leaders need a primer on cybersecurity basics before they can consider the business issue at hand.

3.  The CEO holds people accountable for their actions in cyberspace.  Employees are trained and certified to do their job and in the event they fail to execute their duties, there are consequences.  People have to be held accountable at the same level for their behavior on the company network.  Importantly, everyone must be held to the same standard whether they are an hourly employee or a senior executive.

4.  The CEO insists on being prepared for a breach through a robust training and exercise program.  Companies that take cyber-risk seriously conduct initial and recurring training that is relevant to the business.  CEOs and other senior leaders sit side by side in training with other employees.  Cyber-aware CEOs conduct tough, realistic exercises to validate that the training has been effective and that everyone knows their role in the event of a breach.  This includes people like lawyers, auditors, human resource managers, public relations staff and the Board.

Technology is not the answer to every problem, even in our tech-driven society.  Competent people led by exceptional leaders are the key to success in business today, just as they were well before anyone heard of the internet.  CEOs who correctly understand the nature of the cybersecurity problem realize that their personal leadership is critical to success.  Adopting these four behaviors is an essential first step to becoming an effective leader in the age of cyberspace.

Cyber-Risk Management: This is not a technical problem

In the Q&A following a keynote I gave two weeks ago, a gentleman asked me “when are we going to solve this cyber thing so we can get back to business?”  I told him I had bad news: we are never going to “solve” the cybersecurity challenge.  This is a problem that will be with us for the foreseeable future.  There is good news, however.  It is manageable as long as you correctly characterize the issues and accept the fact that this is fundamentally a leadership challenge.

No matter what your business sector, you rely on the ability to operate in cyberspace. The same goes for our government and especially so for the Department of Defense.  Public sector or private sector, you use cyberspace to get information, move information and use information to make better decisions faster than the competition.  And we are not going back.  Our reliance on cyberspace is here to stay, so we need to understand how we are going to handle the risk.  An important initial step is to correctly characterize the problem.

First, we have to accept the fact that from a technical perspective there is no perfect defense.  And that is not because of our technical capabilities; it is because we let humans use the network.  As long as our users are human, expect someone to click on that phishing email, someone else to plug in a thumb drive they got at the last conference, someone else to access a file sharing site filled with malicious activity and, in the worst case, someone to become a disgruntled insider threat.  In all of these cases, a simple action by a human will allow an attacker to bypass the majority of defenses put in place by the security team.  So, first it is a people problem.

The second characterization of the problem is the relationship that exists between the offense and the defense.  No matter how efficient and effective the defender becomes, he will always be behind the offender for several reasons.  For one thing the defender must block every attack to be considered a success, while the offender only needs to succeed once and he is in.  A second issue is the cost of offense vs defense.  By some estimates the cost of the attacker is as little as 10% of the cost borne by the defenders.  Finally, the nature of technology means that no matter what solution the defense employs, the offense will find a technical counter resulting in a never ending spiral of competition between the technically skilled.  These characteristics all reinforce the concept that there is no permanent technical solution to the problem.

The third aspect of the problem is accepting our reliance on cyberspace and understanding why that creates risk.  We have to answer this question:  “What level of risk are we willing to accept to enjoy the benefits we gain from operating in cyberspace?”  Every business relies on access to cyberspace to compete in the marketplace.  No one can afford to disconnect from the internet.  And almost every business has critical data or intellectual property that is accessible through cyberspace.  Since we cannot “unplug,” cybersecurity becomes a risk management problem.  Risk decisions are made every day with regard to financial risk, operational risk, legal risk and other common risk categories, but the tradeoffs involving cybersecurity are less quantifiable and less well understood.  The result tends to be a focus on the issues that are easier to assess, while cyber-risk is delegated to those who are responsible for the technical aspects but may not have insight into all of the business ramifications.  A holistic view of cyber-risk is critical since cybersecurity touches almost every other risk category.

There is no magic box to keep the Russians and the Chinese out of the network which is unfortunate, because solving a technical problem is actually easier than addressing the people issues and the complex risk management problem.  So our ability to manage this risk will come from good leaders who establish an organizational culture where cybersecurity is a component of every key decision.  Fortunately, good leadership is technology agnostic.