5 Min Cybersecurity for CEOs
In my role, I get to sit with CEOs on an ongoing basis and try to paint them a picture of the specific cyber threats they face and how to respond to those threats in their businesses.
At this point, nearly 2020, most executive leaders understand that a serious cyber attack can do more than just take out a few servers. It can hobble a business, a brand, or a service in a way that isn’t always recoverable.
That’s right, it can permanently damage trust in your brand or your service, or cause a data loss you never really recover from. If you’re in a leadership role, you may be thinking, ‘ok, that’s all doom and gloom, but how do I rise to meet the challenge in a way that doesn’t distract my teams from the goals of our company or clients, or require me to buy a lot of tools and talent I can’t really afford?’ That’s a good question, as the answer is not always intuitive.
For instance, safeguarding your company against cyber threats actually lies more in your business process and operations discipline than in the sophistication of your technology strategy. Why is that? In many cases, solid adherence to a few basics prepares you better for threats than expensive tools and complex architectures.
What I mean is illustrated precisely in the movie Top Gun. If you remember the movie, the Top Gun school was created because pilots had lost their dogfighting skills by relying too heavily on missiles. Just like for those pilots, there is no fancy technology that is going to be your silver bullet when you are under attack. It is actually the basics that most often win the day.
So let’s explore that idea a bit as I walk you through a simplified version of my cybersecurity methodology. I’m going to stay at a pretty high level because my aim is to teach you how to understand cybersecurity basics in a way that makes sense and also doesn't end up costing you a fortune.
Ultimately, it all boils down to your organization’s maturity. Organizational maturity is measured in Maturity Indicator Levels (or MILs, for short). This is usually a scale from one to three, with three being very mature and one being a company just starting out. I rate maturity levels based on three key capabilities. (I don’t really like acronyms, but they spell “PRO” if that helps you remember them.)
PROCESS
RESPONSE
OVERWATCH
The first principle of your cybersecurity readiness is Process.
Process is about people and the ability of your organization to repeat activities through a disciplined approach. It’s no secret that people make up a huge portion of the attackable area of your company, so how they govern themselves, from least mature to most mature, matters.
The biggest process I analyze is change management, which encompasses everything from authentication and identity management all the way to modifying your core business processes. Show me a business that manages change well, and I’ll show you one that has the discipline to succeed at cybersecurity. Remember, it’s not how you manage the status quo, but your ability to be disciplined in managing change that matters most. Truly mature companies have deep roots in change management, software development life cycle management, and quality control. This takes time and human capital, but usually very little direct spending. Process is where you start. It forms the basis for training, predictability, and assessing risk.
To begin venturing down this road, start by collecting and analyzing data to build your processes—and, remember, you don’t have to reinvent the wheel. There are many great frameworks out there that include processes and controls that can be tuned and right-sized for your organization. I know the mere mention of it gives some people nightmares, but don’t be afraid of an ISO 27001 or any other ISO implementation. You don’t have to implement everything or even go for the certification, but the groundwork in ISO is a good starting place. There are many other frameworks you could adopt, too, and I’m always happy to talk to you about finding one that fits your needs.
The second foundational element to Organization Maturity is Response.
This is your organization's ability to respond to threats. It comprises training, tools, talent, financial resources, infrastructure planning, disaster recovery capabilities, and the like. Your ability to respond is paramount, but not something you always do alone. Emergency remediation services, cyber insurance, or a managed security operations partner may be ways to increase your response capabilities without adding staff and expensive tools.
Truly mature organizations have detailed, practiced plans, architectures, partners, and methods for responding to threats as they occur. The most important trait of these companies by far is a dedication to practicing threat response. Think about it this way: you’re in the Super Bowl. Is it time to roll out that play your team has never executed? No, you go to the plays you’ve drilled thousands of times. Many companies don’t drill any plays. Where does that leave you when you need to execute a critical play?
These response capabilities matter. It’s not just a deep understanding of basic remediation concepts like threat identification, isolation, inoculation, and immunization, either. It’s a team-based approach of marrying tools with talent and binding them together with practice. Once you have your processes down, response is where you focus.
The third basic principle of an organization's readiness is the most difficult and costly, but also has the best name: Overwatch.
Overwatch is the system by which you become proactive. The easiest way to think about overwatch is the antivirus you have installed on your laptop or desktop; that's an overwatch function, albeit a very simple one. Think about a person in a watch tower looking for threats. They see them coming before they get here. They don’t hurt you because you eradicate them, immunize yourself, or avoid them altogether before they ever really become a threat.
This requires more advanced technology, configuration, and constant tending. The training requirements, data monitoring, and understanding of the environment outside of your company are the biggest challenges here. This is where a true Chief Information Security Officer (CISO) or even a virtual CISO (vCISO) shines. Overwatch functions connect to your controls and keep an eye on areas of weakness in your response planning.
Now a word of caution. While Process, Response, and Overwatch are presented here in the order I recommend you approach them in, I don’t mean to suggest you have to perfect one before moving to the next. Invest in all three where practical and affordable, but put your emphasis on building maturity in the order I’ve presented them in. Why? They are in order of difficulty. They are also in order of direct cost. Lastly, they are in order of how much they will likely make you ready for threats. If your processes are weak, you’re going to be weak all around. Response and Overwatch can be backfilled far more easily by contracting with external parties while we work on your process maturity and framework.
I hope this gives you a starting point to begin thinking about how to approach cybersecurity in your company. If you’re honest with yourself, how mature is each of these capabilities in your company? Ask the technical teams around you and fish for the answer. You don’t have to be a cyber expert to tell the difference between a team that practices every month and one that hasn’t practiced since last year!
Remember, leadership in the modern world is hard; take care of each other out there.