My July 1 post addressed the misdirection that ensues when an organization’s senior management’s awareness of cyber threats turns to anxiety, and that anxiety turns into fevered action.
Nothing will get a board of directors to the anxiety stage as quickly as seeing a high profile business face cyberattack-induced loss of competitive advantage, reputational damage, and financial consequences in the billions of dollars.
Therefore, preventing such anxiety-fed misdirection must take center stage as an organization forms its cybersecurity strategy.
What follows are three solid suggestions on how cybersecurity initiatives can be successfully formulated, as stated and practiced by the experts.
But I will warn you: There is a caveat, and it’s a big one, as you’ll see.
1. Get Priorities Straight
As reported in my recent SecurityWeek article, Control Risks’ Rebecca Scorzato told the audience at the recent Spooks and Suits NYC cybersecurity conference that “to be effective, preparation for data breaches must be enterprise risk-driven rather than cybersecurity tool-driven.”
To put it another way, this means asking, “What are our most critical business assets and how can we ensure they are protected?” The days of believing we can “secure the cyber perimeter” have long passed. Protecting data must be the focus.
The takeaway advice is this: Assume cyber breaches are a certainty. Do not try to protect everything, but use risk assessments to focus on that information which is critical – whether it be customer data, proprietary high-tech designs, even product mix ingredients – and protect it with a vengeance.
2. A Cybersecurity Champion with Clout
A recent Wall Street Journal article discussed the role of Goldman Sachs’ partner responsible for risk management: he has the power to curtail, or at least cause to be reviewed at a senior level, proposed business actions that he feels place the company at risk.
The same principle applies to protecting cyber assets. This is a good responsibility for your CISO or other risk-oriented senior level executive. Make sure it is.
3. CEO Ownership
A recent McKinsey & Company article entitled “Why Senior Leaders Are the Front Line Against Cyberattacks” addresses the limitations of compliance-driven cybersecurity models and the pervasiveness of cybersecurity risks throughout all organizations that demand CEO-level attention.
As good as this article is, the piece fails to address the Achilles’ heel in its argument: The senior executives referenced, from the CEO down, are making decisions about something they have never made decisions on before. Given the vast technology/cultural/procedural ecosystem needed to deal with cyberattacks, what are the odds of error in even one critical element?
This point is amplified in a recent Wall Street Journal article which quotes Carl Wright, former chief information security officer of the U.S. Marine Corps, who said,
“This is the most dangerous time we’ve had as a country, specific to cyber. The reason is that we have senior leadership in corporations and government that are barely IT-literate. They are making policies and decisions they truly don’t understand.”
But these executives are smart, you might say. They can obtain guidance from their younger, tech-savvy staff. Perhaps, except as pointed out here, there is a significant cultural and language gap between senior executives and those tech-savvy experts. In a word, they can’t communicate.
In all likelihood, it will be 20 years before today’s tech-savvy junior managers advance into positions of authority and begin to make informed enterprise-level decisions on matters relating to cybersecurity.
During this time, there will be cybersecurity successes in spite of the communication and cultural gap, but also, many initiatives will fail.
What will happen to those organizations with failing security – and ours – in the meantime?
Buckle up, because this is anyone’s guess. And not one I shall attempt here. At least for now.
("Unlocked Padlock Computer Screen" by Stuart Miles/FreeDigitalPhotos.net)