If you’re an executive in any organization, you should be feeling the pressure to prevent breaches of your customer and employee personal data. And for good reason: As we’ve seen over and over again in the past five years, a digital trust failure can cost millions of dollars (Home Depot), result in bankruptcy (Code Spaces), or even expose you to personal liability for the breach (Caremark).
Beyond data breaches, if you’re unlucky, an online criminal gang will encrypt all your data (Hollywood Presbyterian Medical Center) unless you pay them a ransom.
If you’re very unlucky, you’ll get caught in the crossfire of a cyberwar: online reprisals by nation-states that can completely destroy your computers (Saudi Aramco) or publicly expose all your secrets (Sony).
Because cybersecurity has so disrupted our sense of what to expect from the modern world and from being on the Internet, most executives don’t know how to deal with this “new normal”. This often leads to the kind of false thinking that causes them to see it as a mere technology problem, trivialize the risks, or even deny having any responsibility for it at all.
Of course, none of that is helpful. The unfortunate truth for everyone using the Internet is this:
Cyberspace is more dangerous than ever and will get even more so in the coming years, and none of the institutions we’ve relied on for generations to keep us safe (Congress, law enforcement, the military) can help us very much in the foreseeable future.
Don’t believe me? In 2015, the FBI began publicly advising that if you fall victim to ransomware, your best bet is to pay up. Did you ever think the FBI would say something like that?
So, we’re on our own, folks. And the only sure way to opt out of these risks is to disconnect from the Internet. But that’s not very practical, is it?
Let’s do something different about the new normal: Let’s lean into the cyber risks, to reduce our risk, find safe harbors, increase our competitiveness, and preserve digital trust with our customers. Let’s manage our cyber risks so well that we become highly resilient to cyber failures, errors, and attacks. Leaning in will enable us to operate not only in today’s online markets, but put us on the leading edge for tomorrow’s landscape.
Sounds crazy, right? So did e-commerce, when it first showed up about 20 years ago.
How do you lean in? By pursuing cyber resilience through measurement, smart prioritization of future spending, and continuous improvement. Let’s quickly step through the plan right now, at a high level.
How quickly and easily could you recover from a massive customer data breach, severe denial of service attack, or public loss of intellectual property? Don’t know? You’re not resilient enough.
Companies that are cyber resilient gain a competitive advantage. When they get hacked, it’s infrequent, quickly contained, and they bounce back. In contrast, unprepared competitors that get hacked stumble for months and bleed money all over the place while the resilient company keeps driving towards its goals.
You need an appropriate standard to measure yourself against and a straightforward scoring system that everyone in your organization can understand. There are many choices of standards, including ISO 27001/2, COBIT, and the Center for Internet Security’s Critical Security Controls.
We use the NIST Cybersecurity Framework (CSF) and a scoring system I invented that can show if you’re in a “green zone” of cybersecurity or not. And, unlike money, which no one can ever seem to have enough of, we can measure when you’re too secure and overspending in a particular area.
Here’s how we actually score a CSF outcome, such as RS.CO-1 from the Respond function, defined as “Personnel know their roles and order of operations when a response is needed.” Look at the scoring key below. We ask the people closest to the action (the experts) to read a series of statements (left column) and then select the corresponding score (right column).
All scores are then rolled up into an easy-to-understand scorecard. You can see an excerpt of one below.
Once you know where you are, then you can set your desired scores and then close the gaps that create the most resilience benefits. What was once murky now becomes clear.
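To make the measure-then-close-the-gaps step concrete, here is an added example of a scorecard roll-up in Python. It is not the author’s scoring key or tooling: the 1–5 scale, the “green zone” band of 3.0–4.0, and the current/desired scores are constructed assumptions. The outcome IDs are real NIST CSF v1.1 subcategory identifiers (RS.CO-1 is the one quoted above; the others are used only as labels), and the roll-up simply averages outcome scores per CSF function.

```python
"""Roll up NIST CSF outcome scores into a function-level scorecard.

Added illustration, not the article's own scoring key. The 1-5 scale,
the green-zone band and the sample scores below are constructed.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample: outcome ID -> (current score, desired score) on an
# assumed 1-5 scale. Desired scores are what the executives set as targets.
SAMPLE_SCORES = {
    "ID.AM-1": (3, 4),
    "ID.AM-2": (2, 4),
    "PR.AC-1": (4, 4),
    "PR.AC-4": (2, 4),
    "DE.CM-1": (3, 3),
    "RS.CO-1": (2, 4),
    "RC.RP-1": (5, 3),
}

# Assumed band: below it you are under-invested, above it you are
# likely overspending in that area.
GREEN_ZONE = (3.0, 4.0)

# CSF v1.1 function prefixes as they appear in the outcome IDs.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


def function_of(outcome_id):
    """Map an outcome ID such as 'RS.CO-1' to its CSF function name."""
    return FUNCTIONS[outcome_id.split(".")[0]]


def roll_up(scores):
    """Return {function: mean current score across its outcomes}."""
    by_fn = defaultdict(list)
    for oid, (current, _desired) in scores.items():
        by_fn[function_of(oid)].append(current)
    return {fn: round(mean(vals), 2) for fn, vals in by_fn.items()}


def zone(score, band=GREEN_ZONE):
    """Classify a rolled-up score as 'under', 'green' or 'over'."""
    lo, hi = band
    if score < lo:
        return "under"
    if score > hi:
        return "over"
    return "green"


def scorecard(scores):
    """Function-level scorecard: {function: (score, zone)}."""
    return {fn: (s, zone(s)) for fn, s in roll_up(scores).items()}


def gaps(scores):
    """Outcomes below their desired score, largest gap first (ties by ID)."""
    g = [(oid, desired - current)
         for oid, (current, desired) in scores.items() if desired > current]
    return sorted(g, key=lambda item: (-item[1], item[0]))


def overspend(scores):
    """Outcomes scored above their desired level: candidates to reallocate from."""
    return sorted((oid, current - desired)
                  for oid, (current, desired) in scores.items()
                  if current > desired)


if __name__ == "__main__":
    for fn, (score, z) in scorecard(SAMPLE_SCORES).items():
        print(f"{fn:<9} {score:>4}  {z}")
    print("Gaps to close:", gaps(SAMPLE_SCORES))
    print("Possible overspend:", overspend(SAMPLE_SCORES))
```

With the constructed sample, Respond and Identify land below the green zone, Recover lands above it, and the gap list puts the three outcomes two points short of target ahead of the one-point gap, which is the ordering an executive would use to decide where the next dollar goes.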
We organize the benefits of increasing your cyber resilience into four major areas:
As you can see below, each area is composed of specific benefits for the next dollar you spend on cyber resilience. Our tools make it clear what you will get for your money. This allows you to prioritize your limited resources in the face of more risks than anyone can afford to fully manage.
After you measure and begin managing your cyber resilience, you’ll need to find a way for your organization to treat cyber risk management as a way of life and not as just a handful of tech projects. In the “new normal,” no one’s cybersecurity problems will ever be “fixed”.
Next, your organization needs to accept that becoming cyber resilient requires more than just additional or better technology. You’ve also got to:
Because you never have enough money to manage all your cyber risks down to an acceptable level, executives need to set and prioritize their goals for cyber resilience. Tell your stakeholders about your priorities as often as you can.
Finally, you will need to encourage a culture of candid respect and accountability, otherwise people are unlikely to take the measurements very seriously. And that will make your job much more difficult.
Alright! Are you ready to lean into the new normal?