As leaders brace to address the impact of cybersecurity today, one thing is becoming very clear: the questions have changed and become more complex, and consequently so have the answers.
According to Marianne Lewis, there are three top issues that CEOs are continually evaluating, namely:
- Creating value for shareholders or stakeholders;
- Meeting short-term demands or working on the long-term vision;
- Supporting local demands and local variations, or building for scale at a global level.
A successful CEO treats these issues as paradoxes rather than as either-or choices, as interwoven rather than picking one over the other.
Add to this the eternal paradox of security. Cyber-security is a paradox that has not been fully understood or adequately addressed for its impact on the bottom line. To complicate matters further, the premise is changing: the paradox is getting bigger and therefore poses a bigger challenge.
Insurmountable? No, but bigger nonetheless.
There are many impediments to achieving an effective, clear, risk-averse cyber-security posture, and they contribute to the paradox, including:
- It (cyber-security) doesn’t directly create value for an organization, and it is complex and expensive, thus incurring additional cost;
- It is difficult to demonstrate or prove, and therefore not a clear value proposition to stakeholders;
- It makes the user experience less seamless: users have to do more, take more steps, use more technology, etc.;
- Adversaries are many and different from the past: the digital or connected enterprise is at risk from cyber criminals, state threat actors, hacktivists, competitors, internal rogue employees and nuisance hackers;
- The Internet of Things, with its always-connected state of insecure devices, has exploded the risk surface at both an individual and a business level, yet there may be no control over the supply chain;
- Emerging technology such as AI is not understood well enough and has no established security paradigms.
CEOs and board members think in terms of risk but often don’t understand the connection between cyber-security and business risk. Relating this back to the top three issues on the CEO’s mind, security can clearly add value to both stakeholders and shareholders.
What is the cyber-security paradox I am proposing? In order to succeed in the digital economy, companies have to focus on the greater good. The focus required is on establishing trust within the ecosystem and on being trustworthy.
First and foremost, this will require changing the questions and their underlying assumptions. The definition of success will have to change from “what do we need to succeed as a company?” to “how do we contribute trust to the environment we are operating in, at each and every touch point with our stakeholders: customers, partners, suppliers?”
An example that comes to mind is the security of voice-activated smart speakers from Google and Amazon, also known as smart home voice assistants, such as Google Home and Alexa. Security and privacy are critical because these devices sit in people’s homes, but an additional concern is the interaction between these devices and others in the environment, such as cars, online ordering, etc. This multiplies the risk, which can be addressed by careful risk-based security features in these devices, such as requiring authentication before they are allowed to issue a command to the front door or the car.
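The "authenticate before commanding the door or the car" idea above can be expressed as a risk-tiered authorization gate in front of the voice assistant's command dispatcher. The following is an added illustration, not code from Google, Amazon or any real assistant: the intent names, the two-tier policy table, and the `speaker_verified` / `pin_ok` signals are all constructed assumptions standing in for whatever identity and confirmation signals a real device has. Low-risk intents go straight through, high-risk intents require a recognized voice profile plus a second factor, and anything not in the policy is denied by default and recorded in an audit trail.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Risk(Enum):
    LOW = 1    # convenience features; no extra authentication
    HIGH = 2   # physical or financial consequences; step-up required


# Hypothetical policy table (constructed for this example): which voice intents
# the assistant may act on, and the risk tier each one belongs to.
POLICY: Dict[str, Risk] = {
    "play_music": Risk.LOW,
    "set_timer": Risk.LOW,
    "unlock_front_door": Risk.HIGH,   # commands a connected door lock
    "start_car": Risk.HIGH,           # commands a connected vehicle
    "place_order": Risk.HIGH,         # online ordering with a stored card
}


@dataclass
class Request:
    intent: str
    speaker_verified: bool = False   # assumed voice-profile match from the device
    pin_ok: bool = False             # assumed spoken PIN or companion-app confirmation


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class Gate:
    """Risk-based authorization gate sitting between intent recognition and
    the device controllers. Every decision is appended to an audit trail."""
    audit: List[str] = field(default_factory=list)

    def authorize(self, req: Request) -> Decision:
        tier: Optional[Risk] = POLICY.get(req.intent)
        if tier is None:
            decision = Decision(False, "unknown intent denied by default")
        elif tier is Risk.LOW:
            decision = Decision(True, "low-risk intent, no step-up needed")
        elif not req.speaker_verified:
            decision = Decision(False, "high-risk intent requires a recognized voice profile")
        elif not req.pin_ok:
            decision = Decision(False, "high-risk intent requires a second factor")
        else:
            decision = Decision(True, "high-risk intent authorized with voice profile and second factor")
        self.audit.append(f"{req.intent}: {'ALLOW' if decision.allowed else 'DENY'} ({decision.reason})")
        return decision


def run_demo() -> List[bool]:
    """Drive the gate with a few constructed requests; returns the allow/deny outcomes."""
    gate = Gate()
    requests = [
        Request("play_music"),                                          # allowed
        Request("unlock_front_door"),                                   # denied: no identity
        Request("unlock_front_door", speaker_verified=True),            # denied: no second factor
        Request("unlock_front_door", speaker_verified=True, pin_ok=True),  # allowed
        Request("open_garage"),                                         # denied: not in policy
    ]
    results = [gate.authorize(r).allowed for r in requests]
    for line in gate.audit:
        print(line)
    return results


if __name__ == "__main__":
    run_demo()
```

The design choice worth noting is that the gate fails closed: an intent the policy does not know about is refused rather than treated as low risk, so adding a new device integration forces an explicit decision about its risk tier.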
Thirty percent of companies today have stricter vendor security requirements, and this is extremely important, but in order to succeed today this trust has to be mutual. All companies require a risk-based security posture, one based on business risks in addition to baseline security controls such as those required by the NIST Cybersecurity Framework, ISO 2700n, and the AICPA Systems and Controls (SOC) framework. It is critical to protect sensitive data, critical assets and crown jewels, but also to address risks based on their context. I conclude with a couple of examples:
Strava, a popular app for tracking running, cycling and swimming, is not the most obvious place to look for national secrets, but a heatmap of user activity was found to reveal the locations of U.S. military bases worldwide. This geolocation-tracking capability is an example of a context-based risk: the data is neither regulated nor considered personally identifiable information, yet it is clearly an issue in this case and for other organizations with a need for secrecy.