By Emilian Papadopoulos and Rob Knake – Good Harbor Security Risk Management
With every passing headline, we learn of another company or organisation being hacked. As Sony rebuilds its network and State Department officials testify to the Senate about their email breach, CareFirst disclosed a data breach and Penn State University’s College of Engineering disconnected itself from the internet after discovering ‘incredibly serious’ intrusions.
For companies large and small, critical and not, the cybersecurity problem persists.
Why? The problem is not that board directors and management aren’t paying attention: a recent survey of members of more than 250 boards of public, private and non-profit organisations ranked cybersecurity and IT risk as the second most important concern for boards.[1]
The problem is not, for many medium and large companies at least, a lack of funds devoted to technology solutions. Companies are spending millions, fuelling an industry that is estimated to be worth $90bn or more. Asked where they would concentrate increased spending, IT leaders ranked security technologies priority number one, above cloud computing, business analytics, application development and mobile.[2] Bank of America chief executive Brian Moynihan took things to the extreme yet accurately captured our zeitgeist when he issued a ‘blank cheque’ for cybersecurity.
The truth is that there is no silver bullet explanation for the persistent cybersecurity problem: malicious actors are getting more sophisticated, international cooperation is inadequate and many IT manufacturers are failing to produce inherently secure hardware and software. For individual companies, however, one of the critical opportunities to exercise control and to choose between success and failure is to have a coherent, focused strategy.
Without a strategy, companies fail to engage the whole enterprise in tackling this tough challenge, management teams don’t agree on what their biggest cyber risks are and budgets focus on out-dated practices like perimeter defence instead of aligning with risk. With a coherent strategy, management works together, prioritises risks, tailors best practices to the company and is prepared to handle the worst if a cyber incident happens.
So, what are the most important dos and don’ts for building a coherent, risk-aligned strategy?
Accept that your company has distinct cyber risks
This is not an abstract problem for other companies to worry about. Your first goal should be to avoid ever saying, “I never thought it would happen to us”. Of course, companies in defence, banking, oil and gas and the pharmaceutical industry are prime targets, as are retailers with credit card information, but companies don’t need to have state secrets, intellectual property or tens of thousands of credit card numbers to be targeted.
Hospitals are under attack: in late 2014, security research firm Websense noted a 600 per cent increase in attacks over 10 months.[3] Universities are too, as Penn State’s current predicament and countless breaches of student data prove. Manufacturers, law firms, think tanks and hedge funds… the list goes on.
Motivations vary. Communication provider WhatsApp was targeted for users’ contact details, possibly to target future social engineering attacks. The online code-sharing service GitHub came under ‘massive denial-of-service attacks’ that downed the site intermittently over five days, reportedly for upsetting Chinese government censors.[4] Las Vegas Sands Corporation estimated it will spend $40m to recover from a destructive attack that seems to have been retaliation for incendiary statements by its CEO about nuclear negotiations with Iran.[5]
Consequences vary, too. Coding site CodeSpaces tried to repel an attack on its networks, so the attackers wiped its network and forced it out of business.[6] US retailer Target lost tens of millions of credit cards and paid a price in 2014, but it reported over half a billion in profits in the first quarter of 2015.[7]
Every company has cyber risks and those cyber risks are different for every company, depending on a range of factors, including what information assets are most vital to its operations, as well as its business strategy, geographic footprint, corporate culture and competitive landscape.
Focus on mitigating the most material risks
Stopping every attack is impossible. Reducing risks to zero is impossible. Instead of failing to solve every problem, succeed at making the worst problems manageable.
Start with an enterprise-wide ‘discovery process’ that solicits input from key business managers about what information makes their part of the business tick, what systems they depend on and what sensitive information their business units possess. By identifying crown jewels that need to be protected and worst-case scenarios that need to be avoided, companies can focus resources on reducing the gravest risks.
Focusing on key risks also puts compliance in perspective. Compliance matters and non-compliance can trigger material legal, financial and reputational risks; however, over-emphasising compliance can distract from even more important risks. In addition, being compliant does not mean that risks are under control – Target confirmed it was audited as compliant with Payment Card Industry Data Security Standards (PCI-DSS) shortly before its breach began in 2013.[8]
Get governance right: decide who is responsible for what, make it clear and empower them
Like any major, emerging business risk, cyber risk requires leadership, effective decision-making and an enterprise-wide effort. Good governance is never one-size-fits-all, but consider best practices and how to tailor them to your company. One critical question is who ‘owns’ or ‘leads’ cyber risk.
Today’s best practice in medium and large companies is for cyber risk to be owned by a senior officer with a direct reporting line to the CEO. Sometimes, companies will establish a senior position of chief information security/risk officer (CISO/CIRO) or chief risk officer (CRO). Otherwise, the general counsel often fills this role, which can be a logical fit because of the significant legal implications of cyber incidents.
In other companies, a senior officer will convene a cybersecurity council. This model can work so long as the council is set up to make decisions, marshal resources and report to management and the board, not just discuss problems endlessly.
Many small companies manage IT through a management tiger team that typically includes the CEO, CFO, general counsel, head of business operations, CIO and IT security lead.
One model to avoid is burying cyber risk under IT. Because of the historic IT origins of cyber risk, some companies have cybersecurity reporting to IT and then up to a CIO. The problem is that IT and IT/cybersecurity have goals that, while not mutually exclusive, do have inherent tensions: IT is typically focused on innovation, up-time and easy-to-access information, while cybersecurity is focused on protecting information. Having both functions report to one officer overly concentrates decisions and trade-offs, putting the officer in an impossible position, forced to choose between daily, concrete business imperatives on IT and the more abstract goal of risk management; given this trade-off, cybersecurity often loses. When the inevitable hack happens, the officer and the company lose, too.
Separating IT and cybersecurity gives each of these important priorities an advocate and fosters more thoughtful, enterprise-wide decision-making. Of course, IT and cybersecurity should always be closely linked when it comes to implementing cybersecurity through IT systems and incorporating cybersecurity-by-design into long-term IT planning, which can reduce the need for tough trade-offs altogether.
Involve the whole enterprise in the strategy
Cyber risk is an enterprise-wide problem and requires enterprise-wide solutions. Assessing risks and building a strategy to mitigate them requires working with every part of the business.
Each part of the business not only has different kinds of sensitive data and information dependencies but also serves valuable cybersecurity functions, as a few key examples show: human resources (educating, restricting access as employees change roles or leave the company); procurement and business units (managing supply chain risk, conducting cyber risk diligence during mergers and acquisitions activity); finance (budgeting, incorporating cybersecurity into project planning and procurement); investor relations, communications and customer-facing teams (communications, especially during incident response); legal and risk management (incorporating cybersecurity into contracts, procuring cyber insurance); IT (incorporating cybersecurity into IT design, implementing); and the CEO and c-suite management (deciding risk tolerance and policy, setting tone from the top).
Governance and strategy are also important times for engagement with board directors. Boards typically oversee three things – the company’s risk management process; progress in strategic cybersecurity initiatives; and preparation for responding to material incidents.
Throughout strategy development and execution, management needs to affirm that cybersecurity is not just ‘IT’s job’ but rather requires a whole-of-enterprise effort.
Start with a short, crisp strategy
The strategy is not a budget, an acceptable use policy, a list of action items or a set of detailed procedures or technologies.
The strategy should lay out key propositions, including how the company perceives its cyber risks and what its risk management objectives are. The strategy should document governance.
The strategy should identify guiding principles. These will vary by company. One company might adopt a ‘fault tolerant’ approach, building a resilient network that does not depend on employees to be perfect and never click the bad link in the spear phishing email. Another company might see data classification as central to its strategy. A third company could decide that good IT, including modern systems and robust change management, is key to its strategy.
The strategy should set a timeline for a policy and technology roadmap, typically three to five years with semi-annual course corrections.
The strategy should identify how management and the board will measure performance. Some metrics are useful: companies can measure whether budget dollars are being spent in alignment with risks and the strategy, and can measure how long it takes to patch critical vulnerabilities or how long it takes to revoke credentials from off-boarded employees. These all offer good indicators of resources, awareness and sound cybersecurity practices. Other metrics are less useful: knowing whether the network of a large company sees 40,000 or 42,000 pings per day is not especially interesting, particularly since, as we learned from Captain Ramius in The Hunt for Red October, a sophisticated actor can scope an adversary and verify range to target with just ‘a ping, … one ping only, please.’
Finally, the strategy can be an opportunity to identify areas of focus that might otherwise get lost in the day-to-day, for example spending time on managing cybersecurity talent, scanning the horizon for emerging threats or considering the company’s involvement in industry information-sharing and in policy debates.
All these objectives can be achieved in a five-page strategy that gives tone from the top and sets the company’s direction without becoming shelfware nobody reads.
Move beyond protecting the perimeter
One of the greatest challenges for companies is shifting their way of thinking and spending from an abandoned perimeter defence model that tries to keep the bad guys out to new best practices, which focus on building resilient systems that can detect and withstand the inevitable breach with minimal damage.
Many companies say they have moved beyond perimeter defence, but budgets tell a different story: most resources are still focused on firewalls and anti-virus. Instead, companies should focus budgets on functions, such as identity and access management, encrypting important data, endpoint monitoring and protection, analytics to detect anomalous behaviour, data loss prevention, incident response and recovery.
Be prepared to ‘fail’
For as long as software and hardware are inherently insecure and bad actors are motivated, breaches will happen. While breaches may be inevitable, the damage to a company is not. Use the strategy as a launching point for a whole-of-enterprise incident response plan. Most importantly, do not let your first cyber crisis be a real one; instead, practice responding to a material cyber incident through a tabletop exercise or simulation. The exercise will bring the management team together, raise awareness and improve response in a real crisis.
Planning for incidents also helps companies distinguish between failure and success. While experiencing a breach may count as ‘failing’ to protect the perimeter, if the attack is detected and mitigated without damage to networks or compromise of the company’s most sensitive data, the final outcome could be counted a success for a coherent cybersecurity strategy. If a company does all the right things to mitigate the risk and minimise damage, shareholders and customers might just agree, too.
About The Authors:
Emilian Papadopoulos is president of Good Harbor Security Risk Management, a cyber risk management advisory firm. Mr. Papadopoulos leads the firm’s business operations and advises Boards, CEOs, investment professionals, and government leaders on managing cyber risk. He has helped clients across sectors including energy, insurance, law, technology, defense, and manufacturing. Mr. Papadopoulos’ experience in strategic planning and international security risk management spans North America, the Middle East, Latin America, and Asia. He has published and presented extensively on topics including cyber risk management and cybersecurity diligence. Before joining Good Harbor, Mr. Papadopoulos worked for Foreign Affairs Canada and for the Canadian Embassy in Washington, D.C.
Rob Knake re-joined Good Harbor as senior advisor from his last job as director, Cyber Security Policy at the National Security Council in the White House. In that capacity, he developed Executive Orders and national policy to deal with the emerging cyber threats. Prior to his White House assignment, he worked on cyber threats in the Department of Homeland Security. Earlier, he co-authored the seminal book Cyber War: The Next Threat to National Security and What to Do About It and was a Principal at Good Harbor Consulting. In addition to his role at Good Harbor, Rob is also a Senior Fellow for Cyber Policy at the Council on Foreign Relations. He holds a master’s degree from the Harvard Kennedy School in national security and undergraduate degrees in history and government. He and his wife, daughter, and son live in the District of Columbia.
FOOTNOTES:
[1] http://www.eisneramper.com/IT-Risk-Management-0714.aspx
[2] http://www.computerworld.com/article/2840907/forecast-2015-it-spending-on-an-upswing.html
[3] http://gizmodo.com/hospital-hacks-are-skyrocketing-because-hospitals-are-s-1630024732/1684037936
[4] http://arstechnica.com/security/2015/04/ddos-attacks-that-crippled-github-linked-to-great-firewall-of-china/
[5] http://www.bloomberg.com/bw/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas
[6] https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761
[7] http://www.startribune.com/target-profits-jump-52-percent-as-turnaround-starts-to-pay-off/304397951/
[8] http://www.darkreading.com/risk/compliance/target-pci-auditor-trustwave-sued-by-banks/d/d-id/1127936