By Jonathan Reichental, Ph.D.
Chief Information Officer
City of Palo Alto
Many leaders hold the view that their organization either has already experienced a cyber-attack or will be the target of one in the future. Those who study this field reach a somewhat different conclusion. Their assessment is that every organization falls into one of these two categories: it has either already been attacked and knows about it, or it has been attacked and doesn’t know about it. Bad guys don’t always leave a calling card. Even more alarming, with many cyber-attacks being orchestrated over long periods rather than as sudden smash-and-grab operations, an ongoing effort may be underway right now without the organization’s knowledge.
It’s a grim assessment but sadly, a very real one. I’d be highly redundant if I listed just a few of the major, high-profile breaches that have taken place in recent years. It’s enough to report from the Ponemon Institute that 43% of all enterprises were the victims of a known cybersecurity event in 2014.
It’s not all bad news. A recent PwC survey noted that 76% of business executives acknowledge the serious risk to their organizations from cyber-crime.
This is a positive sign. But let’s dig a little deeper. Recognizing a risk is an important first step, but it amounts to nothing if little action is taken.
Cyber-attacks, while clearly disruptive and often highly expensive, are now existential threats to organizations. It’s more than just the impacts of, say, brand risk and legal costs. A concerted and far-reaching IT security event can effectively destroy a business. Throwing a few dollars and some talent at the challenge is little more than rearranging the deckchairs on the Titanic.
Organizations need a complete wake-up call on cybersecurity.
From the highest level of the organization, cybersecurity must be made a priority with significant investment and executive and staff-level talent acquisition.
Bottom line? Organizations need to be in the cybersecurity business.
What exactly does being in the cybersecurity business mean?
Sadly, for most organizations, the investment and effort in security is the equivalent of insurance: it doesn’t contribute directly to the bottom line, but it’s an essential cost for every organization. If cybersecurity is succeeding in your enterprise, it will be largely invisible.
Let me be clear. Being in the cybersecurity business isn’t defined by employing the basics such as having anti-virus software and a firewall in your infrastructure. By that definition we’d be done already.
Being in the cybersecurity business means the leadership of the organization has identified information technology (IT) security as an enterprise risk and is taking substantive and ongoing action across all aspects of the organization to prevent future attacks.
Three things that organizations must do right now
1. Establish an enforceable cybersecurity policy
After you’re done reading this post, if you’re not sure, ask your team whether a cybersecurity or IT security policy exists and whether it is current. Sure, you might have one, but does it reflect today’s realities?
A quality IT security policy will clearly outline the context and rules in which your organization operates and protects its digital assets. It will speak to dimensions that impact employees, customers, the public, and the wide range of stakeholders that interface with the organization.
It will be a document that has been endorsed by all leaders across the enterprise, and it will be regularly updated as conditions dictate. There’s a large body of available knowledge on IT security policies, so finding a starting point is easy. If you recognize that your organization is now in the cybersecurity business, a meaningful IT security policy is a baseline artifact. Make it happen, or improve upon what you have.
2. Train all employees in the basics of cybersecurity
Conventional wisdom suggests that the weakest link in cybersecurity in most organizations is their employees. But it’s more than that. Employees can also be your best enforcers of a high-quality cybersecurity posture. Let’s take each of those ideas separately.
You know that your employees want to do the right thing. They deserve insight into how best to protect your organization. It begins with the obvious, such as guidance on and enforcement of strict password rules. It should include what to look out for when deciding whether to open an email attachment or enter security details in an online form. But it needs to go further, helping employees know how to handle credit card and social security numbers. It’s a leadership responsibility to ensure employees have the skills to do the job being asked of them, and that includes protecting the enterprise.
On the second point: your employees can be some of your best enforcers too. Make it safe for them to report suspicious activity or to make independent judgement calls, such as refusing to let someone tailgate into a restricted area. An empowered workforce is a cybersecurity army that’s ready to be unleashed.
Finally, good behavior in cybersecurity must be reflected by leadership. Leaders must demonstrate support for cybersecurity actions and be role models in all aspects of your organization’s IT security policy.
3. Complete an independent risk assessment of the enterprise
Let’s acknowledge that your organization has likely done many of the basics in IT security. Well done. To be in the cybersecurity business means doing a lot more. At this moment, do you have a confident understanding of where the vulnerabilities are in your organization? The evidence suggests that many leaders simply don’t. Recent research by PwC puts the share of leaders who see cybersecurity simply as an IT risk, and not an enterprise risk, as high as 50%. This nugget alone helps explain why cybersecurity isn’t being made the enterprise priority it needs to be.
If your organization hasn’t done this recently, it’s time to get an independent assessment performed. In addition to providing you with sobering insight into your enterprise cybersecurity risks, you’ll have the evidence to create a case for action.
Congratulations, you’re now in the cybersecurity business
If you make cybersecurity an enterprise priority with strategic and tactical investments; hire the right talent; empower and train employees; and have an enforceable policy that reflects current risks, you will have a more resilient organization. In a world where we’re likely to never fully protect ourselves from cyber-attacks, we can take the necessary and urgent steps to be better able to anticipate, defend, and recover from attacks. To make this happen, like just about everything else in our organizations, it’s going to require bold and informed leadership.
It’s a new day for enterprise risk and a new day needs new thinking. You probably didn’t realize it before, but assuming you do the right things right now, you’ll soon be in the cybersecurity business.
Named one of the 20 most influential Chief Information Officers in the United States in 2016, Jonathan Reichental is an experienced IT leader with over 25 years of success in driving and achieving organizational goals in both the private and public sectors, in a variety of key technology positions including Chief Information Officer (CIO), IT Innovation Director, Software Engineering Senior Manager, and external IT Consultant. Follow him on Twitter @reichental.