29 Mar C-Suite Executives Shouldn’t Leave Cybersecurity To CIOs And CISOs

Effective leaders defeat cyber adversaries with people, not technology

– Jeremy King, President, Benchmark Executive Search

Reston, Va. – Apr. 3, 2018

So much has been written about cybersecurity without any agreement on a common definition. Since there is no agreed upon singular recognized description, let’s define Cybersecurity as Leadership (Not Just Technology).

Cybersecurity is about reducing digital risks. Good cybersecurity programs reduce the risk of data theft and the unauthorized use of corporate resources. Cybersecurity ensures all users in the enterprise have access to the data and applications they need, wherever they are. Great leaders (government, military or industry) get great results, bad leaders get bad results. Leadership is essential to every segment of any business. In this case, cybersecurity is not unique. Increasingly, there is one and only one factor that will determine whether or not an organization has a good cybersecurity program: LEADERSHIP!

The cyber landscape is a completely manmade domain and as such people create opportunities and challenges alike. The technology of this manmade domain is important, but getting results, that is all about leadership. Most companies are today trying to “manage” their way through how cyber affects every aspect of a business. Cybersecurity is much more than basic hygiene. It is a way of thinking and looking at cyber risk in everything that is strategically and tactically done in the company. Without this understanding across every aspect of a company and a new standardized common view of cybersecurity, even the best leader is incapable of leading in this area.

Industry today hasn’t really figured out how to solve the full spectrum of cybersecurity challenges of our time. It is said insanity is doing the same things and expecting a different result. We believe it is time to try a new approach and demand results to keep our nation’s corporate assets protected. Benchmark is working on a white paper that will outline a new organizational structure which will better enable organizations to defend themselves and protect the value, assets, and brand already achieved.

What is the Problem?

Most boards and media publications talk about cybersecurity breaches as a ‘What’ or ‘How’ problem, and some even delve into ‘Why.’ The focus is on what they steal, what damage they do or what are we going to do about it. The ‘How’ are the various techniques used to penetrate and steal data, secrets or money. Cybersecurity is first and foremost a ‘Who’ problem, as in ‘Who’ are the perpetrators (external threats or insider threats); ‘Who’ at your company is the weakest link in the chain; ‘Who’ at your company is going to lead the charge to play defense to mitigate these risks. Leaders who want to prevent cybersecurity attacks need to be fully engaged in defining acceptable and unacceptable risk and focus more on the ‘Who.’

What is Needed by Leaders at all Levels?

It is as simple as winning and losing. Your company (shareholders, board, CEO, customers, employees) all want to keep winning and put points on the board (revenues, profits, market cap, valuation for private companies). Your adversaries (hackers and thieves, whether they be nation-state sponsored, misinformed hacktivists, or cyber criminals) want you to lose. Whether just a minor hack setback or ransomware payment to avoid destruction of your company’s value or brand, it comes down to winning and losing, and leadership is responsible for winning and losing. Everyone understands P&L (Profit and Loss); let’s create a new kind of P&L (Prevention of Loss).

Acknowledging and Understanding the Threat is a Leader’s Responsibility

The threat is not malware, ransomware or a virus; these are merely the strategies employed to accomplish an end. The threat is bad people wanting to do bad things to your company, shareholders, and employees, coupled with the threat of our inattention to the vulnerabilities created by bad practices and leadership. We have to move beyond just threat awareness. Leaders must instill a deep understanding of the threats important to them, and demand respect for the threats they face. In everything, if you don’t understand your opponent or respect their capabilities, you will be surprised and your chance of winning is reduced.

Cyber Training & Education – A Leader’s Responsibility

Our government conducts war-gaming exercises just to better understand the threat. Once you know your adversary, only then can you outthink, out-innovate and outmaneuver them. It is time corporate leadership and corporate boards model this proactive practice of war-gaming. The Pentagon spends more time and treasure than any organization on earth to prepare for every what-if scenario. Training and education are not mutually exclusive. It is a leadership responsibility to determine the proper ratio between training, education and hands-on experience. Why do so few corporate boards/senior management do real table-top response exercises? The importance of small, decentralized A-teams who understand the intent and are empowered to defend the enterprise and defend the value and brand of the company is essential. There is no substitute for challenging, realistic training.

The most prescient quote I’ve come across about cyber and its future impact is from General Michael Hayden, the only person to run both the NSA and CIA. He said this about cyber, not just on the risk to governments and companies today, but the global impact on civilization the next hundred years, “The advancement of the human race from innovations such as gunpowder, printing press, and EVEN nukes all HAPPENED OVER TIME AND combined will not compare to the impact cyber will have on the world IN A MUCH MORE COMPRESSED PERIOD.” General Hayden added, “The next 15 years we will see more change than the last 100 years. Buckle up.”

What Questions Should Leaders be Asking?

The question is how will business and industry respond. The norm is to buy a point solution, or add some people, or get a certification. General Hayden’s call to “buckle up” is turned into action at the leadership level—in the boardrooms and the C-suites. In order to be effective, leaders should:

1. Become thoroughly familiar with the cyber components of the company—not just leave all of that to the CTO, CIO, CSO or CISO. Board members and C-suite leaders need to be as familiar with the cyber aspect of the business as they are with any other key aspect. To change the paradigm, everyone must agree that this is not just a technical problem.
2. Develop corporate policies and procedures to create a corporate culture that is aware of, sensitive to, and ahead of cybersecurity requirements.
3. Regularly educate the leadership on cybersecurity trends and technology. From network operations to network defense to insider threat. The key is to measure how cyber affects or threatens business continuity.
4. Conduct routine desktop and corporate level exercises to stress test the response system. In addition, to effectively use outside penetration and other validation capabilities to assess daily cyber processes, determine cyber resilience, and modify corporate behavior based on the results.

So, the cyber definition for the next century should focus on leadership, culpability and accountability. Accountability is way overused by people who don’t understand you can’t be accountable for that of which you have no control. Change does not bubble up, but must be mandated from the top down. Great leaders set the vision, tone and direction that requires great managers to execute it. It’s a team sport. Only leadership will develop and chart the future or be forever reacting to it.

– Jeremy King is President at Benchmark Executive Search, a boutique executive search firm with over seventy years of CxO, VP, GM and Board level executive search experience working with companies providing technology (hardware, software, infrastructure and services), cybersecurity, systems engineering and scientific products and services to the federal and commercial markets.