31 Jul Four-Time CEO Says Corporate Culture is the Most Important Defense in Cybersecurity
That culture eats strategy for lunch is an idea often attributed to the late management guru, Peter Drucker. Mr. Drucker may have never imagined the world of cybersecurity we have today, but the power of good ideas is that they hold up over time.
To that end, culture may be the most important factor any CEO has within reach to secure their organization, according to Ben Levitan. Over the course of his career, Mr. Levitan has held the CEO title four different times and influenced many more as a board member and during his tenure as a venture partner at In-Q-Tel.
Mr. Levitan serves on the board here at Bricata, and given his experience in the corner office, we thought it would be useful to sit down for an interview and get his take on what CEOs really need to know about cybersecurity.
1) In doing research for this interview, we noticed some headlines saying in effect, CEOs suddenly care about cybersecurity. Do you think that’s true?
BL: CEOs have cared about security for a long time for three primary reasons. First, the scale of attacks is a steady drumbeat of breaches and a new threat count seems to grow daily. Secondly, the financial impact has grown significantly. And third, cybersecurity is a compliance and reputational risk in every industry and in every organization.
Another key reason why CEOs care more about cybersecurity is the effect breaches have stretched across the business to outside relationships with suppliers and customers. This means security touches more people than ever and CEOs now recognize this risk to their businesses as they are increasingly digitally connected and integrated with customers and suppliers.
It’s worth noting, the pace of regulation has picked up recently which makes security hard to ignore. For example, the General Data Protection Regulation (GDPR) framework comes with significant fines or the threat of significant fines. This affects any organization doing business within the European Union (EU) or with a European citizen – and that essentially means everyone!
2) In the grand scheme of the responsibilities that CEOs have across employees, customers, stakeholders, where should cybersecurity fit on the very long list of priorities that they already have?
BL: In some businesses, cybersecurity fits as an area of business enablement or, more specifically risk, security and compliance. In other businesses, security is closer to the operations function. While cybersecurity impacts business performance and how a business operates, it remains a support function.
Accordingly, many CEOs have a group of people tasked with managing this function reporting to another executive. When a CEO needs to know something, depending on the issue, it is usually the chief information officer (CIO) and chief information security officer (CISO) supported by a cross-disciplinary group that spans compliance, risk management, operations and finance (insurance) that helps the CEO address the incident.
Where organizations sometimes get into trouble is when they address risk management and cybersecurity too aggressively and impose business constraints. Poor password management, access control methodologies and constantly changing cybersecurity policies are a few examples of what I see.
3) Any businesses of any size will have a staff tasked with a cybersecurity. Knowing that, how involved should a CEO be in security?
BL: It depends on the size of the firm and the extent to which it is a digitally-oriented company. If the company does a substantial portion of their business over the web, which of course, is increasingly common, a CEO needs to be dialed-in to what the risk posture of the business is, what parts of the company are exposed, what plans are underway to close the gaps, and what mitigating steps and incident response plans are in place.
As I mentioned earlier, this issue extends beyond the company’s walls. For example, a manufacturing company must consider security risk in their supply chain such as:
– How well equipped are the suppliers?
– What effect would a breach within a supplier have on your business?
– Does a relationship you have with a supplier allow someone else to reach inside your network?
The other aspect that I think is within the CEOs control is the level of risk from the company’s own employees. Every CEO should insist that their company’s employees work to eliminate (unforced) errors that social engineering hacks exploit. A simple thing to ask is whether every employee completes rudimentary awareness training?
4) If you think about the levers the CEO has in terms of hardening defenses, there are three – people, process and technology. What should a CEO be thinking about in terms of those three areas to strengthen up security?
BL: A CEO can absolutely allocate people and grow the size of a cybersecurity team. They can also insist on good processes and standards, including audits. And certainly, they can acquire and implement new technologies. That’s all true, but what binds people, process and technology together is culture. Culture is where the CEO can add the most value to the security posture. They can lead from the front by highlighting the important benefit of managing cybersecurity and risk. They can help explain key policies.
Culture in cybersecurity means creating the behaviors and norms that work in coordination to help the company manage their risk profile. Some corporate cultures are naturally more inclined to this approach because they deal with business secrets such as a special formulation or a secretive new product. What I’m referring to goes outside those parameters to the day-to-day of managing, distributing, archiving and administering information. Every employee is an actor in that process and can make an impact.
In terms of the security operation, I have seen many CEOs provide leadership by stepping back and trusting their team, and I have seen CEOs play a more active role around certain topics such as insurance and transaction risk. In all cases, the effective CEO helps the business by going beyond spending money on the tools and asking if the people on the security team have what they need to be successful.
5) Culture and leadership are two things that are traditionally in a CEO’s skill set, but security is often technical and sometimes that goes beyond the skill level of a business leader. How does the CEO know if their cybersecurity team is doing the right things?
BL: CEOs are trained to inspect work and gauge the relative health of an organization and the competency of an individual. In the area of risk management and cybersecurity, what they inspect varies based on the size of the firm, the complexity of the problem and their comfort with the people leading the work. Cybersecurity can often appear to be a black box, but well-trained leaders know how to raise their skill level by spending time with experts and others that can help them learn more about cybersecurity.
More practically, most CEOs rely on a process of inspection to help them gauge whether a program or initiative is being done satisfactorily and it’s no different in cybersecurity, with one exception: There are many short-notice incidents or threats that force the CEO to sit up and take notice. Aside from these ‘events’, most organizations conduct planning exercises that improve resiliency (and increase executive confidence).
6) A study by Accenture recently found that security leaders believe their responsibilities to protect the organization are growing faster than their capacity. Part of the problem is that security responsibility is disbursed – decentralized – where a big company might delegate cybersecurity to business unit leaders. So, you have a CISO for the whole company, but the business unit leaders, pull rank on policy. What’s your take on that from a CEO perspective?
BL: That’s as it ever was and it’s not new. What you’re seeing in that report is a recognition that the consequences of not following a consistent framework are much bigger than they may have been in the past which is creating more pressure for the CISO or CIO to ‘take charge’. The CIO and CISO will continue to clamor to get mindshare in the business wherever accountability lays – whether that is decentralized in a different reporting chain or consolidated into central structure. In all instances, the annual planning and audit processes provide an excellent vehicle to address their concerns.
This question begs the issue of executive skills that CISOs need to succeed when they engage with the business. While a portion of the CISO’s job centers on technical matters that are complex and sophisticated, they still need to work with business leaders as peers. The good news that I see from my work is that business folks have stopped looking at the CISO as a checklist checker and now frequently view the CISO as a colleague that can help solve business problems. Overall, I view this tension between the business and cybersecurity or risk management as a good thing; it is healthy.
The fact is that compliance, risk management and security are designed to act as a ‘structured second-guess’ mechanism, and as a result, many business people view the functions as being an encumbrance not an enabler to their business success. Successful CISOs and CIOs address this matter head-on by addressing concerns up front – and being responsive.
Because cybersecurity policy can encroach on many aspects of the business, the job of the CISO and the cybersecurity team is a lot broader because it touches on so many constituencies with competing goals.
7) A burning question every CEO wants to know: how much do I have to spend on cybersecurity? Do you have a benchmark for business leaders to think about this question and get to a number?
BL: There’s no benchmark answer, but the biggest factor in determining how much to spend is how much risk you want to incur in the running of your business.
If you want to run your business in a way that is relatively rigid and easy to administer, you can do that. While you will probably spend less money on security, you’re going to suffer from flexibility and agility gaps when it comes to supporting the business – and in addressing unplanned or unforced errors.
This less flexible approach may hamper the business’ ability to quickly onboard new customers or to create collaborative workspaces for new product development activities. So, while the ‘hard cost’ may not be lower, I would characterize this approach as more expensive when you factor in the ‘soft costs’.
The way to lower cost in security is to become hyper-efficient at the basic stuff: firewalls, intrusion detection, access control, password management without being overly rigid. Focusing on doing the basics well creates good practice for the organization and builds confidence in the security team to implement add-on technologies that help solve harder problems.
Implementing the foundational elements is not simple but the option I have seen work well is to avoid proprietary and over-featured products in favor of open source software that addresses the 80% of the problem. I say spend the incremental dollars you save by not implementing proprietary solutions on the newer threats that you may not have had the budget for.
8) What resources would you recommend to CEOs that want to learn more about cybersecurity?
BL: First, I’d encourage CEOs to pay close attention to the evolving regulatory frameworks in their industry or across the world such as GDPR. As in many risk-related matters, I’d recommend getting in touch with your auditors and with outside counsel. I’d look at employees and survey results about culture as it relates to cybersecurity. Then I would reach out to your trusted technology and cybersecurity vendors to get their perspective.
CEOs should make time for periodic one-on-one sessions with their CISO – with or without the CIO and CFO present. The CEO needs to have a candid discussion at least twice a year about what the business is doing, and what it is learning about cybersecurity.
The last thing I would suggest, and this might seem a bit unorthodox but, I would suggest engaging with the government. The Department of Homeland Security publishes information, as does the U.S. Treasury, FBI and even local law enforcement that can be very useful. The government is your partner when an incident occurs, so why not make them your partner before that bad stuff happens?
* * *
If you enjoyed this post, you might also like:
7 Security Trends Shaping Intrusion Detection Technology