Board Directors and Senior Executives: What are we missing?

More often now, on the topic of cyber security, I’m asked by board directors – “what are we missing”? This is great news given the question used to be – “Sal, what are you talking about” – or a strange look accompanied by silence indicating similar.

I get it. Having come from this board/ business/ corporate entrepreneurship background myself, I, too, had been looked after by great cyber security experts – but the world has changed and personal accountability is more important than ever to ensure their good efforts are not easily undone – and to grave consequence. We all have to gain a cyber security skillset and do our part.

When the lightbulb first turned on for me (which I now take great delight in seeing turned on in others – note to all, a healthy business this does not make today, let me bring you to surfboards later in this share) my reaction was “What? How can no one know about this?”.

At the time it seemed naturally certain that everyone must have heard about this cyber security problem – I had missed something.

Having looked into the issue, and here I pause… to remind myself along with the reader that at this point – despite preaching much to the contrary to many entrepreneurs in many countries – I had performed innovation mistake #1, no market research, which would have allowed me to realise that no other board director, business owner or entrepreneur was any the wiser… but here’s why I think that was: in looking into the issue I found much online that was in tech-speak, more often wrong, and what appeared to be three differing clarifying answers from experts I trusted.

The latter I later realised was actually my misunderstanding of the subtleties – and cyber security is full of them. It culminated in Gotcha!, which demystifies cyber security. It was designed for my heritage – boards and business leaders, and most importantly independent and corporate entrepreneurs – the lifeblood of any economy. There are now many great awareness pieces available through government channels as well.

To reflect on my earlier point – I had started building my knowledge assuming I was the only one who didn’t know. However, in building this knowledge, not only did I realise that there was a group of people who knew and were frustrated – there weren’t any like me who actually did appear to know – and they were frustrating the ones who did. Let me express this clearly: FRUSTRATING the ones who did (and do)…

So I set about understanding how people consume cyber security, realising that if I’m only as strong as my weakest link, then I’m only as secure as you are, and the person connected to you, and so on. This led to an analogy to STDs, which led me to an analogy of Herd Immunity – also a medical term. This characterised the problem more correctly to my mind – while yes a FUD issue (Fear, Uncertainty and Doubt), it was less a motivational issue and more of a hygiene issue that required education and herd immunity – all parts of the community, the critical mass of the masses, ‘vaccinating’ or protecting – to be effective.

Now we walk into mistake #2 on the innovation path – educating the market is expensive. Yet again, not practicing that which I’d learned and preached, I embarked on educating the community about cyber security – universities, major corps, SMBs, the community. I can say my MBA and Doctorate were well earned. All edumecation correct – market education is expensive, especially when no one knows who you are.

Innovation Mistake #3 – elegant solution with no problem. As a wonderful senior former army strategy expert said to me – “Sal – you’ve built a beautiful surfboard and you’re waiting in a big, calm ocean to catch the wave in.” I share this as preferable to “Sal, what you’re selling is like heaven to a suicide bomber – they can’t test what they’re buying.” And he was right. There is no test for reasonable care – I could only offer documentation of care taken and holding oneself and one’s organisation accountable on basic good practice before (or rather as, and unfortunately after) someone else has. This, too, where cyber security is still only considered a risk: even if we “look left and right before crossing the road” we will still be hit. The thing to manage is consequence. There is a moral hazard to cyber security and ultimately the user pays. The consequence is therefore greater than the organisation that has detected the breach. They, as we can see for many breaches, are only the custodians of the data – not necessarily the owners or at least the ones who will ultimately bear the consequence.

My point? Perhaps as good as the good word I preach on entrepreneurship but most certainly reflective of the good word on cyber security: we need to communicate, collaborate and ask the right questions. Blaming the victim, just as going offline, achieves what the attacker may want and many do – it destroys value, ultimately affecting the health of our companies and so our standard of living.

For boards, business owners, entrepreneurs and investors, I know from our research and ongoing anecdotal experience:

1/ The situation may not be as it seems

With thanks to Neil Rackham and Huthwaite, we know that without the right understanding of the situation, we won’t understand the problem, implication or need. The situation is not that our firewall 100% protects us, that our IT people are looking after us and that our network is 100% secure. This is a personal accountability issue that needs to be distributed throughout the organisation, or all that good spend on all those good IT and security people can be undone. Regardless, there is no 100% solution. Anyone saying that – walk away.

Questions to ask

“Let’s have a real conversation about our cyber security: what question am I not asking you?” Hint – wait until they are sitting back in the chair they’ve just fallen off, don’t glaze over, if necessary have a translator handy (we do exist), and listen.

Basic business principle applied to cyber security? Mintzberg’s “Structure follows Strategy”. If we make cyber security a strategic imperative in line with our business strategy, the structures will follow – and clearly if we don’t, they likely won’t.

2/ We may be surprised where our data is

In our research, we found that what data we have and what of it is important are mostly easily answered. Where it is – not so much. We can create a mindmap of where our data is at rest and in transit. It may be a heatmap of vulnerability with much of that heatmap sitting outside our control. Breathe. The first step to resolving an issue is understanding it.

Questions to ask

Could you provide me with a mind map of where our data <insert important data> is at rest and in transit?

Basic business principle applied to cyber security? We can’t manage what we can’t measure.

3/ Don’t close the can on the worms

Now that we have a better understanding of where our data is, we need to simplify the locations in which that data exists. Yes, it is not unusual to find information that is 10 years old (older!) sitting in random spots, discovered anew. Big tick for finding it. Shut it down. Customer base been emailed in the clear? Passwords to the customer base? Stop now.

Questions to ask

1/ Do we need to store and transmit all of this information? What of this information do we actually need?

2/ Given that the number of locations in which we store and transmit data raises our risk, how can we simplify this map?

Basic business principle applied to cyber security? Lean operating environments and business processes.

4/ Understand who is supposed to have access

Now that we know where our data is – Big Tick #1 – we need to understand who has access to it, whether they need that access, and how any change to their access requirements is accommodated. As a very wise man once said to me – there are no such things as movers, only leavers and joiners.

Questions to ask

1/ How do we control access to that information?

2/ How do we accommodate changes to that access with a change in role and responsibility?

Basic business principle applied to cyber security? Mintzberg: nominally 70% of strategy failure (success) is in its execution.
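The “no movers, only leavers and joiners” rule above is easy to state and easy to lose in practice, because a role change usually adds new entitlements without removing the old ones. The following is an added example (not the author’s tooling or any product) of the reconciliation an access review answers: compare the HR roster against an access register, and treat every role change as a leaver plus a joiner, so the old role’s entitlements are revoked rather than accumulated. The role-to-entitlement mapping, the user names and the entitlement names are all constructed sample data.

```python
"""Joiner/mover/leaver reconciliation of an HR roster against an access register.

Added example with constructed data. A "mover" is handled as a leaver followed by
a joiner: everything the old role granted is revoked, and only the new role's
entitlements remain.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical role-to-entitlement mapping (constructed; a real one comes from
# the organisation's own role model).
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-read", "payroll-read"},
    "finance-manager": {"erp-read", "erp-approve", "payroll-read", "payroll-write"},
    "sales-rep": {"crm-read", "crm-write"},
}


@dataclass(frozen=True)
class Person:
    user_id: str
    role: Optional[str] = None           # None means HR records the person as left
    previous_role: Optional[str] = None  # set when HR has recorded a role change


@dataclass
class Finding:
    kind: str                            # ok | joiner | mover | leaver | orphan | drift
    revoke: frozenset = frozenset()      # entitlements to remove
    grant: frozenset = frozenset()       # entitlements to add


def reconcile(roster: dict, register: dict) -> dict:
    """roster: {user_id: Person} from HR; register: {user_id: set(entitlements)} from IT.

    Returns one Finding per user in either source.
    """
    findings = {}
    for user_id, held in register.items():
        held = frozenset(held)
        person = roster.get(user_id)
        if person is None:
            # Account exists but HR has never heard of it: nobody owns it.
            findings[user_id] = Finding("orphan", revoke=held)
        elif person.role is None:
            # Leaver: revoke everything, regardless of what the role was.
            findings[user_id] = Finding("leaver", revoke=held)
        else:
            expected = frozenset(ROLE_ENTITLEMENTS.get(person.role, ()))
            if person.previous_role and person.previous_role != person.role:
                # Mover = leaver + joiner: net effect is drop the old role's
                # entitlements and hold exactly the new role's set.
                findings[user_id] = Finding("mover", revoke=held - expected, grant=expected - held)
            elif held != expected:
                # No role change recorded, yet access differs from the role model.
                findings[user_id] = Finding("drift", revoke=held - expected, grant=expected - held)
            else:
                findings[user_id] = Finding("ok")
    for user_id, person in roster.items():
        if user_id not in register and person.role is not None:
            # Joiner: in HR, no account yet; grant only what the role needs.
            findings[user_id] = Finding("joiner", grant=frozenset(ROLE_ENTITLEMENTS.get(person.role, ())))
    return findings


# Constructed sample inputs.
ROSTER = {
    "alice": Person("alice", "finance-manager"),
    "bob": Person("bob", "sales-rep", previous_role="finance-manager"),  # moved to sales
    "carol": Person("carol", None),                                     # left last month
    "erin": Person("erin", "finance-analyst"),                           # starts Monday
}
REGISTER = {
    "alice": {"erp-read", "erp-approve", "payroll-read", "payroll-write"},
    "bob": {"erp-read", "erp-approve", "payroll-read", "payroll-write", "crm-read", "crm-write"},
    "carol": {"crm-read"},
    "dave": {"erp-approve"},  # no HR record at all
}


def report(findings: dict) -> list:
    """Render findings as review lines, skipping users whose access already matches."""
    lines = []
    for user_id in sorted(findings):
        f = findings[user_id]
        if f.kind == "ok":
            continue
        lines.append(f"{user_id}: {f.kind} revoke={sorted(f.revoke)} grant={sorted(f.grant)}")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(ROSTER, REGISTER)):
        print(line)
```

Run stand-alone, the script lists bob as a mover whose four finance entitlements must go, carol as a leaver, dave as an orphan account and erin as a joiner; alice is silent because her access matches her role. The two questions above map directly onto the two inputs: “how do we control access” is the register, and “how do we accommodate changes” is whether the roster’s role changes actually drive revocations.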

5/ Assess the protections and implications

How do we keep information a) available to those we mean it to be available to, and not to those we don’t; b) changed only by those we mean it to be changed by, and in the way we mean them to change it; and c) seen by those we mean to see it, and not seen by anyone else?

We now ask these questions knowing, from the points earlier, that we can’t always directly control the answers.

It is clearly a much longer story than an entire read of my fave Friday edition of the AFR could include, even on all of its pages. Now we are actually talking about cyber security – and a program. Not that hard or painful now, was it?

Don’t be disheartened – it’s not all gloom and doom. Cyber security is a collaborative journey that takes time, requires personal accountability and someone who knows what they’re doing by our side. There is no shifting risk, that just raises the risk we own.

Questions to ask

1/ Given our strategy is x, and our y information is top priority to that strategy, including our reputation and share price, what cyber security issues on this cyber map should we address first?

2/ Am I, personally, leading by example on this issue?

Basic business principle applied to cyber security? People can’t report on what they don’t understand. Everyone needs a cyber security skillset.

Finally, innovation lesson #4 – fail fast.

And, I will add: learn, morph and let success breed success. As US General Alexander said in 2012 – “this is the biggest transfer of national wealth in history… [after reading off a list of companies that had been breached] I want to deal with these companies – they know they’ve been breached.” I will add – we need Herd Immunity. And further add – yes, the date of this article is 2015.

Questions to ask

1/ How quickly can we detect we’ve been breached?

2/ What do we do when we know something’s gone wrong?

3/ Is my supply chain/ ecosystem asking the same questions? – Let’s ask them.

There is no one-size-fits-all and no magic box or silver bullet for cyber security, but we can implement some basic good practice and standardise the process of customising it to our organisations, and encourage our supply chains and ecosystems to do the same. Through this, we can build our digital economy, and collaborate to influence the digital economy globally, while making it safer.

Dr Sally Ernst | UK and Australian Cyber Security Networks | @DrSallyErnst
