So I just read another article about how boards and c-suites will begin to get serious about cybersecurity in 2017. (http://www.information-age.com/changing-role-cio-boardroom-2017-123463403/)
I am chagrined and frustrated by the fact that we continue to make essentially the same three points year after year:
- Boards need to ensure that cybersecurity is a strategic business issue, not just an IT “thing.”
- CIOs need to be better equipped to articulate the interaction between IT and security and the relationship of both of those to the business from both a risk and an ROI perspective.
- Enterprise perimeter security as we know it is grossly insufficient to defend our interests in today’s cloud- and mobile-based world against threat actors who have access to a wide variety of advanced tools.
I suppose we keep making these three points because there has been little widespread change in corporate culture despite the increased frequency and publicity of attacks. The exception, from my perspective, is at the high end of the financial sector. For example, I had dinner with the CEO of a very large financial entity, and he would be insulted if you showed up with these three points as the basis of your presentation. But most companies appear to still be in the education and awareness phase, and they need to move to the action phase.
Here are three action steps that your company can take to move from awareness to action. And they are not technical steps. These are leadership behaviors that set a corporate culture that recognizes security as a key component to all aspects of the business.
- There needs to be a director on the board with real experience in managing cyber-risk. I have seen boards where the designated technical expert is the former CFO of a defunct tech corporation. Not the right person to serve as the cybersecurity advocate. At the same time, boards cannot afford to seat one-trick ponies. Too many boards have been burned seating a previous CIO or other technically oriented person, only to find out they have no way to make an effective contribution to the strategic business discussions. Admittedly, we are looking for unicorn-like directors, but there are execs with both significant leadership and management experience across diverse organizations who also have meaningful technical skills.
- Get promising business leaders real experience in IT and cybersecurity by having them serve a rotation as the deputy CIO or CISO in the company. A three-year stint working the technical issues would do two things. First, it significantly broadens the exec’s ability to understand the core issues facing the CIO and CISO, and that understanding will provide him or her a much better decision-making baseline when they eventually become a COO or CEO. Second, that high-performing business unit leader will bring a new perspective to the CIO shop and help them up their game when it comes to making IT and cybersecurity issues relevant to the board and the executive leadership team.
- Designate a specific portion of the IT or security budget to next-generation cyber defense technologies that are focused on leveraging machine learning and artificial intelligence to detect anomalous activity in the environment. Detecting anomalies that are likely to be early indicators of an attack is the only way we are going to defend ourselves in the cloud and mobile device world, as well as in the world of IoT. There is still a role for firewalls and anti-virus to lower the noise threshold, but active defense relies on finding those very subtle first steps that the sophisticated attacker uses to establish a foothold in your network.
So I get that we need to continue to beat the drum on the basics, but we need to do everything we can to move business leaders from awareness to action when it comes to managing cyber-risk. If cybersecurity is not a deliberate point of discussion in every business decision, then there is leadership work to do.