C For Cybersecurity: C For C-Suite Leadership
By Chuck Brooks, Skytop Contributor / April 4th, 2022
Chuck Brooks, President of Brooks Consulting International, is a globally recognized thought leader and subject matter expert on Cybersecurity and Emerging Technologies. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn.” He was named by Thomson Reuters as a “Top 50 Global Influencer in Risk, Compliance,” and by IFSEC as the “#2 Global Cybersecurity Influencer.” He was featured in the 2020 Onalytica “Who’s Who in Cybersecurity” – as one of the top Influencers for cybersecurity issues. He was also named one of the Top 5 Executives to Follow on Cybersecurity by Executive Mosaic. He is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, Expert for Executive Mosaic/GovCon, and a Contributor to FORBES. He has also been a featured author in technology and cybersecurity blogs & events by IBM, AT&T, Microsoft, Cylance, Xerox, Malwarebytes, General Dynamics Mission Systems, and many others. He recently presented to the G20 on Energy Cybersecurity.
Chuck is on the Faculty of Georgetown University where he teaches in the Graduate Applied Intelligence and Cybersecurity Risk Programs. In government, Chuck was a “plank holder” at The Department of Homeland Security (DHS) serving as the first Legislative Director of The Science & Technology Directorate at the Department of Homeland Security. He served as a top Advisor to the late Senator Arlen Specter on Capitol Hill covering security and technology issues on Capitol Hill. He has an M.A from the University of Chicago and a B.A. from DePauw University.
“Cybersecurity is the most significant governance challenge for the public and private sector, it’s not just the exclusive domain of the CIO and CTO and is now in the domain of the CEO and the corporate board.”
-Former Homeland Secretary Hon. Tom Ridge
Analyzing the Disconnects
The Internet was invented in a government laboratory, and it was the corporate vision that had it commercialized and institutionalized, leading to a new era of social and technological change. But the internet was built without security being the key consideration. Consequently, it evolved faster than security protocols, without convening strategies that could mitigate anticipated threats, and few corporate CEOs or boards even took notice.
The prevailing result of the rapid rise of the internet is that there is a lack of expertise on cybersecurity in corporate leadership. According to a recent National Association of Corporate Directors (NACD) survey, although almost 90% of directors at public companies claim their board discusses cyber risk regularly, only 14% have deep knowledge of the topic. The survey also concluded that the cyber threat landscape is becoming more complex and challenging.
There is little value in discussing something you do not know much about at the Board level, except perhaps fine dining. That is a starting point for analyzing the disconnects inherent in the corporate cybersecurity ecosystem.
Industry in the Crosshairs
The C-Suite disconnect was understandable a few years back when breaches first became part of the nightly news but is no longer and needs to be rectified. The reality is that we live in an increasingly hyper-connected world that impacts all aspects of our lives. From now onward, managing and protecting data will be a growing responsibility for anyone engaged in commerce. The exponential rate of cyber-threats and breaches in industry necessitate a clearly defined security strategy for who and how to manage this constantly evolving landscape styles of cyber threats — from phishing scams, bots, distributed denial of service attacks, ransomware, and a host of insider threats.
The wake up calls are a long list of mega breaches from Colonial Pipeline, Solar Winds, Anthem, Target, Home Depot, Sony … to even the Office of Personnel Management in the federal government. Millions of accounts with personal information have been compromised. Forty percent of companies now admit to having cyber breaches, but it’s easy to surmise that the numbers are much larger.
Consider that worldwide spending on cybersecurity is forecasted to reach $133.7 billion in 2022. (Gartner). Cybercrime will cost the world $6 trillion annually by 2021 (Cybersecurity Ventures)
The reality is that threat actors, including state-sponsored and criminal enterprises, are taking advantage of the expanding cyber-attack surface by using their resources to employ more sophisticated means for discovering target vulnerabilities, automating their phishing attacks, and finding new deceptive paths for infiltrating malware. Industry is in their crosshairs.
What Companies Should Do To Fortify Their Cybersecurity
There are several steps that can be immediately taken to address cyber-threats:
1. Hiring Subject Matter Experts On Cybersecurity
A first action item that applies well to any company is to hire outside subject matter experts (SMEs) who understand policies, compliance, technologies, and the protocols of cybersecurity risk management. Keeping up with cybersecurity threats is often daunting and requires a special effort. The overriding goal should be to always minimize risk by doing information security due diligence. There are a wide variety of architectures, systems, and jurisdictions to navigate and adaptability and scalability to upgrade to new security technologies and processes is a significant challenge.
As the capabilities and connectivity of cyber devices, including BYOD, has grown exponentially, so have the cyber intrusions and threats from malware and hackers requiring restructuring of priorities. The cyber threat includes various criminal enterprises and adversarial nation states. A change in the cyber risk environment has corresponded with a heightened investment in threat awareness and information-sharing. Outside SMEs are a particularly valuable component for evaluating the threat horizon and vulnerabilities. It can be a big benefit to bring in outside SMEs who can “think outside the box” and bring in new perspectives.
2. Creating A Collaborative Framework For Communications And Planning
Interoperable communications are really the biggest disconnects in company leadership when it comes to cybersecurity. It could be characterized as C-Suite executives are from Mars and corporate CTO/CIO shops are from Venus. To each other they are aliens. They certainly do not speak the same language and the focus of their serious concerns often differs. This can be ameliorated by establishing a shared framework between the C-Suite and the IT professionals of operations that includes means for communication and most importantly, a shared strategy. Collaboration is king.
The interoperable communications element is a mutually conceived strategy plan. From the very start, that plan should identify and name the corporate decision-makers and spell out responsibilities. After that is established, the working process can begin. A primary goal for the CTO and CIO and SMEs should be to educate the Board. This means communicating a top down or bottom up framework on what constitutes the cybersecurity ecosphere in lexicon that is understandable. The themes of the framework should include protecting data, corporate IP, and establishing governance.
Developing an understanding and creating an effective cybersecurity operational strategy really depends on a Ying/Yang formula. You need the technical people who understand the street view challenges of industry from an engineering perspective and the executives who run P & L to facilitate the operations and go to market efforts, both then need to sign off on a clearly defined plan that aligns all business elements, including marketing and sales, with cybersecurity.
A successful collaborative strategy requires stepping up in assessing situational awareness, information sharing, and especially resilience. In C-Suite terms, what is the price tag for staying in business? In IT terms this may include operational components of encryption, biometrics, smarter analytics, and automated network security, informed risk management software, cyber certifications and training, network monitoring, and incorporating NextGen layered hardware/software technologies for the enterprise network, payload, and endpoint security. It is best if the plan is calibrated by outside SMEs, the CTO, and CIO for specific Cybersecurity requirements.
Also, it is imperative that any strategy and plan include working mechanisms for operational incident response, gap analysis, resilience, and audits. Cybersecurity is integral to brand reputation and no matter what, breaches will happen. It’s how quickly and effectively a company responds will be a consequence to the bottom line to shareholders.
3. Implementing The Plan: A C-Suite-CTO/CIO/SMEs Cyber Security Framework
It is one thing to meet and another thing to do. All talk and no action will mean more cyber breaches. Speed and agility are paramount in addressing incidents and without organization those elements cannot be actualized. While the framework below is not totally encompassing nor practical for every situation, it is an example framework that can be morphed into a working plan. It can also help erase some of the communication disconnects and can be a basis for a common language list of priorities for the C-Suite-CTO/CIO/SMEs corporate team:
Establishing Priorities And Creating Scope:
Defining and monitoring the threat landscape to the company
Crisis and risk management (identifying, assessing, and responding to threats- i.e., NIST Framework: Protect, Detect, Respond, Recover
Public/private cooperation
Modernizing security architectures
Better encryption and biometrics (quantum encryption, keyless authentication)
Automated network-security correcting systems (self-encrypting drives)
Technologies for “real time” horizon scanning and monitoring of networks
Access and identity management and control
Endpoint protection
Diagnostics, data analytics, and forensics (network traffic analysis, payload analysis, and endpoint behavior analysis)
Advanced defense for framework layers (network, payload, endpoint, firewalls, and anti-virus)
Enterprise and client network isolation to protect against malware, botnets, insider threats.
Employee awareness programs and training
Cyber Insurance
Analytics and cyber-forensics
Audit
Evaluate Emerging Cyber Technologies:
Artificial intelligence and machine learning
Augmented and virtual reality
Quantum and supercomputing
Nanotechnologies and neuromorphic chips
Wireless mobility and identity management
Finally, it is incumbent on everyone at a company to practice cyber-hygiene. That means having strong passwords, multi factor authentication, and cyber-awareness. Humans are still the greatest risk. As operations, reputation and the viability of a business can be ruined by a breach, the C-suite can no longer view cybersecurity as a cost item but as a mechanism for ensuring that their company has a future.