Hashtag cyberbadguyssuck:
CEOs, you don’t have to outswim the shark… just the other guy
For well over a decade, the collective “We” viewed cyber as an IT compliance issue relegated to the nerds (nerds, you know we luv ya) in the company basement to manage. This was also when we viewed the cyber world with the bad guys on the outside of the “wall”.
So, how did that work for us? Hundreds of millions of our records stolen every year, thousands of breaches, six different identity services associated with each of us and the bad guys laughing all the way to the bank.
How did we get here? IT pros saw the problem the same way battles have been fought for generations: keep the bad guys out. We thought that if we protected the perimeter, we would sleep like a baby. Well, I think we can all agree that ain’t workin’.
The Barbarians are in the Gate. This is the new normal; plan accordingly
What is interesting is how many CEOs don’t understand this shift in the cyber business model. For well over a decade, and still in many organizations today, the IT and Cyber peeps were the employees you avoided on the way to Dunkin Donuts.
With all the advancements in tech, low-skill bad guys can buy cyber sludge for pennies on the dollar and launch an attack from the kegerator in your hip new Millennial-style layout. As for the cyber pros…fuhgeddaboudit. Whether they are well-financed criminal outfits or nation-state actors, they have a simple mission: take what is yours, something you and your team have worked so hard to build. And if they succeed, they present your organization with the biggest threat you will face as the boss…destroying the public’s trust in you.
Yet most companies and government organizations still think this problem can be addressed by compliance and by throwing money at shiny new tech. I have yet to see that actually achieve results.
However, all is not lost. Take this complex problem, keep it simple and chive on. Think of it this way.
Say you drive through a neighborhood and see a house with an alarm company sign in the front yard, Ring cameras at the front door, a sign on the fence saying “Beware of Brutus” and a sticker on the front window that says “House protected by the Good Lord and a .45; if you have come here to do harm, you may meet them both”. After a small smile, you keep on driving and then notice the other 4 houses on the cul-de-sac that don’t have any of these signs. Further, all of those homeowners are active on FaceTwitPinSnapGram, telling people they don’t know that they will be in Europe for a Summer vacay. If you were a robber, where are you going? The same goes for cyber security and swimming with sharks.
Here are 3 simple things any CEO can do to reduce risk, in a world where you only think you haven’t been hacked yet because you don’t know you already have been.
· Good Housekeeping:
  · You can’t protect what you can’t see. You should expect your tech team to be able to run a scan and produce a daily report of all your IT assets and their respective vulnerabilities (focusing on how long the criticals and highs stay open). Sounds basic, but I would put the number of organizations who can actually do this at less than 10% globally. Bad guys really enjoy this stat.
  · Make sure the techies have loaded anti-virus across all your gear.
  · Provide tailored cyber training for the propeller heads as well as for the staff who couldn’t describe cyber security if their paycheck depended on it.
  · Have all external emails into your company marked with “External” in the Subject header.
  · Have an outside 3rd party firm zap your environment every month, and make sure you and your leadership team get the results. For the first few months have a throat lozenge handy, because you will be doing a lot of yelling…but it does get better.
  · Compliance in and of itself has value. If you are in a heavily regulated industry (what isn’t anymore?) you have to do it. Just understand that cyber bad guys aren’t “auditing” you for a government penalty. Compliance can be helpful, but it should not be the end-state goal, rather a means to an end. Similar to the way you don’t have an HR organization to give people jobs; you hire them so your company can create value.
  · Put calories into threat hunting and incident response activities. Small to mid-size companies should use a 3rd party firm; larger companies should hire their own team and use a 3rd party as backup.
  · Finally, whoever you hire to be accountable and responsible for cyber security in your organization reports directly to you. Give them 10 minutes at every board meeting to provide a state of cyber affairs: the good, the bad and the ugly.
· Lock Down your data: Pretend you have a safe in your house. That safe has a pretty good lock on it and you store all your valuables in there: stocks, bonds, wills, cash, jewelry, health records, and cherished pictures of you with hair. Now you leave it unlocked. Pretty dumb, eh? Then why have your CIO and CISO not encrypted all your company data? You should make this a priority and monitor progress closely.
· Know your Risk Tolerance: Everyone’s risk tolerance is different. Put cyber right in the same category as the other company risks you weigh (product launches, economic downturns, new regulations, lawsuits, etc.). Know this: your risk will never get to 0, and cyber is a game of pay me now or pay me later. Spend your money wisely and surround yourself with people you trust who know this space. And pay ’em. Make thoughtful investments in technology, but prioritize talented people using repeatable best business processes and practices, because you can’t simply out-tech this problem.
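To make the “how long do the criticals and highs stay open” metric from the housekeeping list concrete, here is an added example (not from the original post) that ages constructed scanner findings against hypothetical remediation targets. The asset names, dates and the SLA_DAYS targets are all made up; a blank first-seen date is reported rather than silently dropped, because an undated finding is exactly the kind of gap that hides aging.

```python
from datetime import date
from typing import Optional

# Constructed sample rows, shaped like a CSV export from a vulnerability scanner.
# Assets, severities and dates are made up for this example.
TODAY = date(2024, 6, 15)
SAMPLE_FINDINGS = [
    {"asset": "web-01",  "severity": "Critical", "first_seen": "2024-05-01"},
    {"asset": "web-01",  "severity": "High",     "first_seen": "2024-06-10"},
    {"asset": "db-02",   "severity": "critical", "first_seen": "2024-06-12"},
    {"asset": "mail-01", "severity": "High",     "first_seen": "2024-04-20"},
    {"asset": "hr-03",   "severity": "Medium",   "first_seen": "2024-03-01"},
    {"asset": "hr-03",   "severity": "High",     "first_seen": ""},  # scanner left the date blank
]

# Hypothetical remediation targets: days a finding may stay open before it counts as overdue.
SLA_DAYS = {"critical": 7, "high": 30}


def days_open(first_seen: str, today: date) -> Optional[int]:
    """Days since the finding was first seen, or None if the date is missing or unparseable."""
    try:
        return (today - date.fromisoformat(first_seen)).days
    except ValueError:
        return None


def aging_report(findings, today=TODAY, sla_days=SLA_DAYS):
    """Summarise open criticals and highs: how many, the oldest, how many are past SLA, how many undated."""
    report = {sev: {"open": 0, "oldest_days": 0, "over_sla": 0, "undated": 0} for sev in sla_days}
    for f in findings:
        sev = f["severity"].lower()          # scanners are inconsistent about case
        if sev not in report:                # the post's focus is criticals and highs only
            continue
        row = report[sev]
        row["open"] += 1
        age = days_open(f["first_seen"], today)
        if age is None:
            row["undated"] += 1              # can't age what you can't date; flag it instead of hiding it
            continue
        row["oldest_days"] = max(row["oldest_days"], age)
        if age > sla_days[sev]:
            row["over_sla"] += 1
    return report


if __name__ == "__main__":
    for sev, row in aging_report(SAMPLE_FINDINGS).items():
        print(f"{sev:8} open={row['open']} oldest={row['oldest_days']}d "
              f"over_sla={row['over_sla']} undated={row['undated']}")
```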
You set the tone: if it is important to you, it will be important to your troops.
All is not lost, and if you do the above you will buy down risk. As the cyber bad guys realize your organization is not worth the squeeze, they will refocus their attention on others.
Just remember, “You don’t have to outswim the shark…”