Everyone understands natural disasters are inevitable, and the economic, human, and social impacts can be enormous, if not deadly. So it’s imperative that representatives from all parts of the community share the responsibility to prepare for the onslaught of any threat or hazard.
Doing that means everyone has to get out ahead of the problem, prepare for a wide range of potential challenges, and ensure that protective actions and defensive measures can be sustained in wave after wave of potential disasters.
Wave after wave of potential disasters: Sounds like the current state of cybersecurity, doesn’t it?
We all have to rethink our strategies to ensure our organizations and our communities can achieve and maintain a stronger state of cybersecurity. Those strategies must be built on resiliency and, in turn, on the twin pillars of preparedness and sustainability. Unless leaders move toward a mindset that emphasizes long-term planning and sustainable cyber-resilience, informed by the lessons learned from any given event, we will continue to fall further and further behind.
Many organizations still view cybersecurity through a perimeter security lens, where the focus is on securing the network against intruders—an outdated castle-and-moat approach. Too many organizations have built cybersecurity defenses focused on addressing individual problems or reacting to specific threats. Unfortunately, that has created numerous cybersecurity silos and stovepipes, and intruders and malicious insiders exploit the seams and gaps this approach creates.
We must dramatically expand the focus of cybersecurity, so we can not only secure our networks but also secure the products and services we provide to other businesses, organizations, and individuals. It is a shift in how we think about and approach doing business. At the heart of our recommendations on how to improve cyber resilience are the concepts of preparedness and sustainability.
By preparedness, we mean getting out in front not only of today’s cyber risks but also of what may be coming next. Together, these steps help organizations determine the potential business impact of cyber risks, and enable them to put in place heightened business continuity plans and incident response plans that are tested through training and exercises and updated regularly—not just after the latest incident.
The concept of sustainability is intricately tied to preparedness because it also recognizes the need to engage today in order to ensure the same or better opportunities tomorrow. Sustainability management expands the aperture of a company’s product – whether hardware, software, or service – from the moment just before it goes to market to the point at which the company expends resources toward the product. Companies adopting sustainability management practices work across business lines to assess supply chains, interoperability and scale, consumer engagement, and regulatory compliance to ensure what goes to market today will withstand tomorrow’s challenges and that the product’s lifecycle is fully understood.
An organization’s cybersecurity preparation must be sustained over time in the face of new threat vectors and rapidly changing business requirements. It means shifting how you think about the business processes that support the enterprise: from a view centered on IT acquisition to one that extends supply chain risk management across your entire business operations—truly knowing who your vendors are and who they rely on, knowing your product’s lifecycle and how you will support it throughout, from managing vulnerabilities and patching to data collection, retention, and use.
The harsh reality is that our business leaders are far too optimistic about their organizations’ current state of cybersecurity resilience. As a result, they often fail to see the upside of developing cybersecurity strategies in the same way they develop long-term product roadmaps or multi-year market development programs. Leaders still too often see cybersecurity as a cost of doing business rather than as a step toward improving customer experience, enhancing workforce productivity, maintaining trust with customers, or protecting the organization’s brand.
To counter this mindset, business leaders and board members need to replace the all-too-prevalent “what is this going to cost us?” reaction to cybersecurity measures with “how can cybersecurity investments improve our business competitiveness and deliver a better ROI?”
At the Cyber Threat Alliance, we recognize that information sharing supports an organization’s preparedness efforts, and ultimately, its resilience. In fact, information sharing—whether human-to-human or near-real-time automated machine-to-machine—demonstrates an organization’s confidence in its own products and services. Moreover, what matters is no longer how much data an organization has access to, but what its products can do with that data.
Through its members, CTA enables near-real-time sharing of actionable cyber threat and incident information among highly competitive cybersecurity providers. These competitors have voluntarily come together to improve the cybersecurity of the digital ecosystem in an effort to better prepare and protect customers, and ideally, achieve a more digitally resilient world. They all believe this collaboration will improve their profitability, not weaken it.
As Megan wrote in “Securing the Modern Economy: Transforming Cybersecurity Through Sustainability,” reliance on technology to do both mission-critical and everyday tasks in business, at home, and in our communities will only accelerate. Without a commitment to organizational preparedness and sustainability, organizations and individuals and the internet ecosystem will be put at greater risk as we are exposed to more and more public instances of information security problems: “Maintaining public trust in technology relies, in significant part, on all stakeholders maintaining cybersecurity.”
As organizations commit to a cybersecurity mindset based on preparedness and sustainability, executives and boards must challenge each other to rethink their most basic assumptions about technology usage and cybersecurity resilience. For instance, they must:
- Make cybersecurity a C-suite priority with their active participation. A number of chapters have talked about why cybersecurity should be a C-suite priority. But their active participation is critical. This starts with conveying in management meetings, employee all-hands, and even your reports for publicly traded companies how seriously you regard the cybersecurity threats facing your organization and ultimately, what you’re doing to prepare and sustain your organization, both when an incident or breach occurs and when you take products – services or devices – to market.
- Make cybersecurity intuitive in your day-to-day business operations. Organizations should maximize opportunities for educating and raising awareness within the workplace, so that employees better protect the organization while “on the job” and understand how they can reduce their own digital risks “off the job.” Software vendors should be required to demonstrate that they have secure development processes, supported by a software bill of materials. Next, organizations should communicate what is expected of employees by requiring best practices in the enterprise environment and following product deployment, and encouraging their adoption at home.
- Recognize that cybersecurity underpins all business operations. Security is a business problem, not an IT problem. Therefore, it’s important to remember that a great risk management framework integrates technical solutions with business goals. Putting security first in all business operations enhances confidence in the processes that develop products and services, which results in better products and services that support the brand and ultimately leads to increased profits.
- Inform your approach to cybersecurity planning with worst-case scenario consequences. When assessing cybersecurity risk, consider not just the enterprise network, but also everything it depends upon (vendors, employees, power, physical structures) and everything attached to it. In addition to adopting the Cybersecurity Framework promulgated by the National Institute of Standards and Technology to manage enterprise risk, get incident response and continuity plans in order, practice them regularly, and update plans, policies, and processes appropriately.
- Actively participate in an information-sharing organization … or two. Business leaders often struggle to get past their innate discomfort at sharing information with others. But as indicated earlier in this chapter, in the rapidly evolving cybersecurity landscape, this reluctance can no longer be tolerated. Invest now in learning some best practices about what, when, where, and how to share information, because going it alone is no longer an option.
As you can undoubtedly imagine, this kind of holistic, integrated, comprehensive, and deliberate change in the way an organization thinks about and approaches its business demands the support and active participation of every organization’s executive team, from the corner office to the board room. It’s essential for executives and board members to embrace this mindset; otherwise you risk leaving your organization to expend countless resources on a defensive posture that’s always going to be playing catch-up to the bad guys.
Heather King is Chief Operating Officer for the Cyber Threat Alliance. Megan Stifel is an Attorney and the Founder of Silicon Harbor Consultants. Both are authors in Navigating the Digital Age, second edition.