When you were a kid, your parents were always in your face: Eat your vegetables. Do your homework. Stop playing that videogame.
When you became an adult, all the pundits had urgent advice for you: Eat healthier. Work out more. Save for your retirement.
And now, as a business executive trying to assess cyber risk, the sense of urgency can seem overwhelming: Don’t let employees use public cloud services at work. Make sure all your endpoints are secure. Watch out for zero-day threats.
When it comes to dealing with escalating and expanding cyber threats, it’s easy to be overwhelmed. The potential for disaster is well understood, but you never seem to have enough personnel or budget to handle it all in real time. Somewhere, a bad actor is watching, seeing if you’re going to leave something open or overlook a weak point. And then they’ll move in on you, plundering your most valuable asset: Data.
What do you do first? In today’s breakneck pace of cyberattacks and expanding threat vectors, no one can survive without a strong sense of risk prioritization. This is not some lofty goal you heard in B-school, or when you attended that executive training course. It’s not a simulation or tabletop exercise; it’s real world.
You may think you covered the bases when you and the board approved the CISO’s urgent request for a bigger budget so they could deploy modernized tools to monitor security events. Think again. I guarantee you that your SecOps team is in the midst of severe “alert overload.” How bad is it? Really bad. In the banking industry, for instance, research conducted with bank security leaders says their teams have to sort through hundreds of thousands of security alerts every day.
A big driver in establishing the right priorities is to remain agile in the face of rapid change in cyber threats, technology defenses, business conditions, and organizational goals. For instance, the U.S. Department of Homeland Security recently codified a new cybersecurity risk prioritization policy with the underlying principle that “not all cybersecurity risks are equal, and that it and other agencies must prioritize those risks in their approach.”
How can business leaders help steer their organizations clear of this mess, without micro-managing their CISO and their SecOps teams? “Leaders aren’t just paid to make decisions on what to do; it’s just as important for them to make decisions on what not to do,” said Naveen Zutshi, chief information officer at Palo Alto Networks.
“The pace of business has never been faster, and it will only continue to accelerate,” he pointed out. “You have to run faster than ever just to stay in place, and you have to go twice as fast to get to the next place. And if you are not smart in setting and sticking to security priorities, your SecOps and IT teams will be overwhelmed and overrun.”
So, what are some of the key steps in establishing a smart, actionable set of cyber risk priorities?
“Start with the crown jewels–data on your employees and your customers,” said Zutshi. “If those are compromised, you may not be able to recover as an organization.” Then there are numerous other mission-critical priorities, such as protecting intellectual property and anything else that acts as a source of competitive advantage for your organization or threatens your business continuity if its availability is interrupted for any meaningful period of time.
Lose your email for an hour or two? Inconvenient, but not an end-of-life event for your organization. Find out that your customer lists and their payment card metadata have been breached, or that you’ve lost your ability to take online orders for a day? Call that emergency board meeting right now.
While it’s logical to put issues such as regulatory compliance, legal risks, and corporate governance on your “must-protect-at-all-costs” lists, the reality is that those issues will take care of themselves if you are doing the right job prioritizing the data and other digital assets. That’s not to say they don’t matter, but they are the result of a lack of prioritization, not a cause of your problem.
Of course, every business-unit head in your organization will have a different definition of “if this is breached the world will end.” Your head of sales will demand that CRM systems are the most important priority, your VP of manufacturing will threaten to quit unless you put robotic factory automation systems at the top of your list, and the CEO may decide that protecting virtual private networks so he or she can continue to work at home two days a week is a must-have.
That’s why cyber risk prioritization has to be assessed in a big-picture context, tied to critical business goals and weighed against a realistic threat-versus-resources examination. Of course, that’s done at the C-level, probably with significant input from the board, and it must be communicated clearly to all involved.
“Business leaders have to simplify the message to one that aligns with business priorities,” said Zutshi. “What are the one or two things that are really strategic, that we can’t afford to be without for any very small windows?”
Then, there is going to be a very long list under those top-tier priorities, all of which will vie for attention and resources. In this second tier, it still remains essential to prioritize, but everyone in the organization needs clear, consistent signals that certain activities and areas take precedence when applying budgets, personnel, tools, and brainpower.
What else should business leaders do in creating the right priorities in tackling the fast-growing list of cyber threats?
- Hold all personnel accountable–with clearly defined metrics–for meeting the cybersecurity priorities.
- Be flexible to adapt to rapidly changing business conditions that could force a re-ordering of tactical priorities. (Your strategic business goals aren’t likely to change, but the tactics your teams employ need to accommodate unforeseen changes.)
- Don’t get in the way of your teams. Set the priorities, communicate them, and let your good people do their jobs.
- Be mindful of the fact that “executive wants,” when communicated to your SecOps and IT teams, have a funny way of getting translated into a priority–even if it really doesn’t rise to the level of strategic. “Hey, the boss wouldn’t have asked me to do this if it wasn’t critical.”
Finally, be sure to keep in mind that a critical goal of making smart decisions in prioritizing cybersecurity risk is to make sure your people can do their best work without getting frustrated and burned out. “It’s very demotivating for employees to have a lot of work-in-progress items,” said Zutshi. “They take pride in getting work done and in helping to advance the organization’s goals. If they’re juggling too many things and not finishing their critical tasks, their productivity will erode and their work satisfaction will, too.”
Mike Perkowski, co-founder of New Reality Media, is an award-winning journalist who founded, led, or helped develop some of the most successful and influential high-tech media properties over the past several decades.