The War on Cyber Crime Should Start at the Top | Technological Leadership Institute
Breaches, breaches and more breaches. In the last month alone, we have learned that Yahoo! actually lost $3 billion of our account records; trusted cybersecurity consultancy Deloitte announced a breach of their internal systems; the U.S. Securities and Exchange Commission shared that the EDGAR database had been compromised (more than a year ago); and Equifax finally told us that they lost 145 million of our most sensitive personal and financial records earlier this year. These shocking revelations have made announcements of data breaches from retailers like Sonic Drive-Ins and Whole Foods appear almost mundane and barely worthy of news coverage compared to the current state of the larger cybersecurity problem.
If you are a seasoned security professional, most breach announcements have tended to roll off our backs. We are familiar with the challenges of security systems and networks and the constantly-evolving threat environment. We understand that there is no such thing as 100 percent secure. Our days are consumed with trying to keep up with the endless patching and systems management that is a foundation of what we hope is an effective information security risk management program. We are busy implementing better tools to monitor an improved process to manage our dynamic and interconnected environments. We fight for resources and funding against the myriad of other business priorities including activities that actually generate revenue and increase the stock price, something in which senior management and boards of directors are pretty interested.
So how do cybersecurity professionals battle these priorities? After all, increased business success is a good thing for everyone at a company, since we all want our businesses to still be here so we can come back to work tomorrow and earn a paycheck. When will the reality of the potential impact from a cyber event be enough to finally get the attention of the right leaders in your company and how can we attain this basic goal?
While improved cybersecurity awareness activities and possibly stronger regulations may help, I believe the problem starts with leadership. Both business and security leaders hold some of the blame for the state we are in. The world needs more business leaders that understand all the risks facing their organizations — including risks to data and systems from cyber threats — and realize that we have an ethical and moral obligation to protect to the best of our abilities the sensitive data entrusted to us by our customers (or in the case of Equifax, by the population in general). We must do what is right and make sure that taking those actions works for both the business bottom line and the expectations of the people who are impacted by our failures.
Security leaders need to be better communicators who are more effective at sharing the message of cyber risk. We need to make the business case for comparing risks and investments for cyber security with priorities from all areas of the organization. We need to build enterprise plans that incorporate the right people, policies and procedures to make cybersecurity capabilities’ successes and weaknesses transparent to business leadership. We need to help them understand the repercussions of the lack of success in this area.
Leading cyber security cannot be only about acquiring the newest tools and technology that promise to solve our security problem. Communications and influence skills take practice, and security leaders need to always be learning, about security risks and technologies, as well as business needs and drivers. Security leadership can and must be the facilitator that will hopefully help organizations do the right thing and turn the corner on improving the security of our most important asset, our personal data, before there is nothing left to protect.
We must do what is right and make sure that taking those actions works for both the business bottom line and the expectations of the people who are impacted by our failures.