It was just about 10 years ago that I made the tricky transition from fighter pilot to IT/cyber professional. The first challenge I identified was the tremendous gap in language, perception and understanding between those who made the strategic leadership decisions for the organization and those who technically understood IT and cybersecurity. We cannot close the gap from just one side. We have to work both sides of the equation. We have to bring technical leaders into the business meetings, and business leaders must devote time to learn the basic terms, concepts and business risk factors associated with managing technical risk. My experience has been that much more time needs to be spent on the latter group. Many business leaders are still not sufficiently fluent in cyber.
There are a variety of reasons that business leaders are reluctant to get up to speed, but most are just excuses for not devoting the time. It is not that hard; it just takes a little effort. One way to get “smart” is to engage in regular dialogue with the CISO. Here are three key issues the CEO should address with the CISO along with some questions for discussion. Think of these as the cybersecurity value drivers for the business.
- How well do we understand the threat?
  - Is our understanding sufficient to prevent an attack, or at least to substantially lower the risk of a successful attack?
  - Is our threat intelligence specifically tailored to our company size, our business sector and our geographic location?
  - Are we still relying on legacy information sharing arrangements that are based on known bad signatures and IP addresses, or have we moved to a more sophisticated understanding of adversary behavior?
  - Do we get threat information in near real-time, shared machine-to-machine, or do we rely on emails or downloaded files?
  - Do we have any interaction with government sources of threat information? Do we contribute to a private sector-government sharing initiative?
While you cannot expect to prevent every attack, targeted, company-specific threat information delivered at speed is going to position you to prevent most attacks.
- Can we survive a successful attack?
  - How quickly can we identify that we have been breached?
  - How well are we prepared to protect critical data, systems and processes once an intruder has breached our network perimeter?
  - Can we meet the 1-10-60 standard? Can we detect an attack in 1 minute, analyze it in 10 minutes, and neutralize the attacker in 60 minutes?
  - When was the last time we practiced our incident response plan? Is our incident response plan a technical plan or a business plan?
  - Have we run an exercise involving all of the business leaders so we understand the business impact?
  - In the event of a breach, do we know what we will tell our customers, employees, partners, shareholders, regulators and law enforcement?
Technical preparation is key to surviving a breach, but that is really the easy part. How you respond as a business determines whether you survive as a business.
- How do we know we are investing effectively in cybersecurity?
  - Do we have a holistic business strategy that addresses cyber risk, or do we look at cybersecurity as a technical problem? Do we take a risk-based approach that prioritizes spend against the most essential data, processes and systems?
  - Are the business leaders and the technical leaders intimately involved in the risk discussions and trade-offs necessary to allocate limited security dollars?
  - Do we use established frameworks such as CIS or NIST, while understanding that adherence to a compliance structure does not guarantee security?
  - Do we consider cybersecurity risk during the M&A process, so we understand the full cost-benefit analysis of an acquisition?
  - Do we consciously allocate budget to foundational capabilities, but at the same time look to leading edge solutions?
  - What have we decided to outsource and why? If we have outsourced, do we have sufficient visibility to understand how well our risk is managed?
  - Is our cybersecurity spend ultimately targeted at understanding the threat and at early detection of, and response to, an attack?
You can spend a lot of money trying to buy a magic box that will keep the Russians or the Chinese out of your network, and you will ultimately fail. An essential part of your business strategy has to be oriented toward managing cyber risk.
Asking these questions is not sufficient. As the CEO, you have to also understand the answers and make sure the answers line up with your risk tolerance and resource allocation priorities. Finally, challenge your CISO to come up with relevant metrics that articulate how well you are doing against these three cybersecurity value drivers.
If you are a CEO, start having these discussions with your CISO. If you are a CISO and your CEO is not asking you these questions, then find a way to get them on the agenda.