By Dale Meyerrose
If you’re a regular reader of this publication, you know that integrity, trust, reliability, safety, and being tested and proven are among this industry’s most prominent qualities. If any of those attributes are developed, produced, marketed, sold, distributed or maintained with technology, another component must be added to that list of core competencies: cybersecurity.
Eyes glaze over at the mere mention of cybersecurity, followed by the hopeless dread of the inevitable. Yet, many would be surprised that cybersecurity is not about technology; it is a human proposition regarding value and risk. Don’t believe me? Every credible study that I’ve seen for the past several years cites insider behavior as the initial cause for the vast majority of cybersecurity breaches – with employees falling for phishing emails and poor password discipline as the leading culprits.
There’s a glut of media headlines regarding data breaches, stolen records, and hacktivism. These calamities happen to companies in every industry sector. Even the government is not immune. Each story sounds more ominous than the last. Further, we’re led to believe that it’s only a matter of time before our company becomes the next headline. We’re told that is a consequence of using modern technology. So, what are we to think?
Instead of regarding cybersecurity as “the elephant in the room,” how about following the adage to “eat the elephant one bite at a time?” To do that, let’s look at this the way we’d examine any complex issue, analyzing it from three perspectives. First, why should our industry and company care about cybersecurity? Second, how should we think about it? And lastly, what should we do as a result of this reflection?
The dependency of this industry on technology is obvious and much recent progress is attributable to this linkage. So are its growth forecasts, customer demands and the promise of the ever-elusive competitive advantage. No part of the business has been unaffected by innovation, whether that is automation, robotics, control and safety systems, sensors, testing and even customer outreach and services. What might not be so obvious are the underlying vulnerabilities that accompany technology implementations. They include possible adverse effects on the industrial values previously cited, as well as the potential damage to the brand and reputation of the targeted organization.
A 2016 BDO risk-factor study based on corporate 10-K filings, which included parts of this industry, found that cybersecurity was cited in 92 percent of the submissions. This is up from 64 percent in 2013. In the words of the international head of BDO cybersecurity: “All it takes is one weak link in the security chain for hackers to access and corrupt a product feature, an entire supply chain or a critical piece of infrastructure.” If you’re not paying attention to cybersecurity, you can bet that your competition is. Do you need added motivation? Look no further than the mandated regulatory requirements already in place, and those likely soon to be added.
Integral to Operations
The head of U.S. Cyber Command offers a good starting point for re-orienting our views. Admiral Mike Rogers recently said that we shouldn’t make cyber out to be something special. He emphasized the need to frame cyber in a way that brings a broader sense of recognition and makes it easier to integrate it into the broad set of operational activities. In other words, don’t put cyber inside a “technical bubble.” Because it is not a domain isolated from other human activity, its security should be an all-encompassing proposition, and shouldered by everyone who uses cyber in the organization. This area of risk is too important to delegate to “techies.” Senior management has to be involved and accountable. Otherwise, it’s not a real company priority.
We need look no further than to GAWDA Chief Economist Alan Beaulieu, who discussed risk in the winter issue of this publication. His formula for addressing risk in general is equally applicable to cybersecurity. He implored us to apply the data, be specific to the industry, and go from “think” to “know.” I have decades in the cybersecurity business and I couldn’t have said it any better. All we need to do is extend these principles to how we think about cybersecurity and our ever-expanding digital dependencies.
More People Than Tech
The list of cybersecurity approaches can be endless and daunting, but it all starts with people. Emphasize the human aspects of security in all forms, venues, and behaviors, and everything else falls into place. Next, concentrate on organizational processes. Lastly, focus on enterprise and cybersecurity tools and products. The idea that an organization can buy a reliable, trusted environment or hire a “cyber expert” to build one is uninformed and naïve. Real understanding of cybersecurity begins and ends with people, not technology. Remember that insider behavior, both complicit and unintentional, is the root cause of most hacks.
Using similar logic, security, including cybersecurity, should be about protecting values, assets, and intellectual property, not just systems or technology. Whether you buy, rent or grow the cybersecurity expertise that’s right for your organization is secondary to your setting the right value-based, risk-assessed security agenda. The plan that you subsequently create should have the underlying premise that “evil doers” seek to exploit the unexpected, unwitting and dysfunctional – the ways in which we’re vulnerable – while avoiding our strengths. It’s as simple, and as hard, as that.
All cybersecurity incidents constitute an organizational crisis whose resolution should be led by top-level leadership – the people accountable for every other aspect of the organization. There should be no such thing as a security or cybersecurity response – it is a crisis response. The reputation and future operation of the entire organization are at stake. This is a nondelegable responsibility that requires not only a complete resolution of the current situation but, especially in the case of cybersecurity, constructing the “new normal” for future operations.
Dale Meyerrose, D.Prof., is president of the MeyerRose Group, a cybersecurity, executive training and technology consulting company and a retired Air Force major general. He is an adjunct instructor for Carnegie Mellon University, Institute for Software Research, running their Cybersecurity Leadership Certificate program. A Southwest Asia veteran, Meyerrose was the first Senate-confirmed, president-appointed chief information officer for the U.S. Intelligence Community after more than three decades of military service. He can be reached at 719-434-7025.