6th April 2016
The short answer is yes. Change the culture.
“Cyber defense of DoD systems is [my] highest cyber priority; if DoD systems are not dependable in the face of cyber warfare, all other DoD missions are at risk.”
– US Secretary of Defense Ashton Carter, April 18, 2015
Cyber security is a leadership issue. Period. Yet, too many boards and CEOs are leaving it in the hands of CIOs, CTOs, CISOs and the like. And even though boards are scrambling to fill open positions with cyber security experts, a 2015 PwC report indicates boards still see cyber security not as a CEO matter but as an information technology issue. They’re wrong.
In late 2015 I shared a post titled “7 Actions CEO Can Take Right Now to Protect Their Data and Networks.” The 7 actions are:
- Create a climate of tight cyber security
- Ban USB thumb drives
- Get serious about passwords
- Re-certify every E-mail account
- Implement mandatory information assurance training
- Track and monitor software patch implementation
- Limit access to most sensitive data
Good post, but not long enough to go into each of the actions in depth. This article begins a series to cover each of the 7 actions more fully.
Cyber Security Companies Can Only Do So Much
Like any cultural shift within an organization, it’s going to take time, persistence, hard work, and leadership commitment and involvement.
Steve Denning, in Forbes, tells us this concerning culture change, “In general, the most fruitful success strategy is to begin with leadership tools, including a vision or story of the future, cement the change in place with management tools, such as role definitions, measurement and control systems, and use the pure power tools of coercion and punishments as a last resort, when all else fails.”
It’s not enough to subscribe to a service or simply tell the CIO to implement an information security plan. It’s also not a one person or one department function. It requires each member of the organization to take a proactive approach and to remain vigilant.
This only happens if the CEO is engaged, enthused and is a leading advocate of cyber security.
US Department of Defense Is Doing It Right
Earlier this week US Secretary of Defense Ash Carter publicly released the department’s cyber defense plan. More importantly, Secretary Carter will conduct monthly strategic-level cyber security reviews. Additionally, each level of management below him will dig into deeper detail, with smaller units reporting their cyber readiness in the Defense Readiness Reporting System (DRRS).
Although DRRS cyber security reporting is new, commander involvement in cyber threats is not.
I remember very distinctly my three-star boss in 2013 reminding us junior one-star commanders that cyber security was commander business and that he would hold us, and only us, accountable should something go wrong. Trust me, we got the message loud and clear.
I understand changing cyber security culture doesn’t sound fun or exciting. There are normally “far more pressing” issues at hand like restructures, reorganizations, buyouts, increasing shareholder value and so on. But what happens if the company’s data is breached or held hostage to ransomware? Won’t this affect everything else?
The DoD is the world’s largest employer, has a $600B budget and its mission is national defense. Yet, if Secretary Carter can dedicate his time and attention to cyber defense, then can’t CEOs and boards do the same?
Boards Are Getting Serious About Cyber Attacks
Boards are hiring more individuals with cyber experience, and this is a good start, but it’s hardly a panacea. Because cyber threats and cyber attacks affect shareholder value and the long-term viability of the company, boards are going to have to develop a deeper understanding of all the issues surrounding cyber security.
They’ve got to go beyond asking the CISO about firewalls, anti-virus protection or which cyber security subscription service the company uses. Furthermore, throwing money at cyber security won’t do the trick either if the accompanying policies, procedures, climate and culture aren’t in place as well.
Clint Boulton, a Senior Writer for CIO agrees, “(Boards) have to embrace it, get a deep understanding and connection to it, and then drive the change at their companies so that they can make the proper investments. Because it’s a significant investment, and a significant change to your culture and budgets that is really difficult to drive from the bottom up. It has to come from top down. That’s a multi-year process and we’re nowhere near the finish line.”
It is going to take time, and we are nowhere near the finish line. Ultimately boards and CEOs are going to drive the changes, but insurance companies and shareholders are going to demand those changes. Don’t get me wrong, CIOs and CISOs are worth their weight in gold, but until cyber security is seen and accepted as a leadership issue, change will come at a much slower pace, if at all.
Paul is a retired US Air Force General Officer who spent ten years in senior leadership positions wrestling with cyber security strategy issues. He’s an advisory board member to Crypta Labs and is a cyber security policy and guidance expert, and has written extensively on this subject.
Follow Paul on Twitter @phmcgillicuddy.