I am in the insurance business, and for years I delivered a stump speech to CEOs, CFOs, CROs and risk managers trying to get them to pay attention to cyber risk. I don’t have to make that speech anymore.
Mary Jo White, head of the SEC, said recently that cyber attacks represent the “biggest systemic risk” facing the US. In Davos, Switzerland, world leaders at this year’s World Economic Forum were all focused on cyber risk as they listened to speakers warn of the “internet of threats” and other imminent realities.
The president of the United States thereafter issued an executive order directing the government and businesses to share more information about cyber threats. The president signed another executive order recently aimed at combating global cyber crime.
So people are paying attention.
Cyber Risk is Different
Cyber risk isn’t like other risks organizations face. With other risks, the vulnerabilities are usually pretty obvious and so are the potential solutions: You assess your problem, contemplate a range of response options, and then implement a plan. Done. Not that any of these steps are necessarily simple or easy, but the issues and the methods are pretty clear. Cyber risk isn’t like that.
First of all, there’s no avoiding it. You wouldn’t be reading this if it weren’t for digital delivery of information. If you wanted to avoid all cyber risk you’d be off email, off your computer, off your smartphone, off your digital landline.
Another factor that sets cyber risk apart is interconnectivity. The partnerships on which businesses depend – suppliers, payment processors, service providers of any kind – are increasingly digital relationships that create a cyber chain extending geometrically in many directions beyond the company firewall. As the digital degrees of separation between companies decrease, the exposures through these relationships increase.
Now what we are trying to do is help organizations frame a response. This goes far beyond insurance.
An Unusual Perspective
I recently found myself at a small gathering at Northwestern University with Admiral Michael S. Rogers, Commander of the US Cyber Command, Director of the National Security Agency, and Chief of the Central Security Service – and a fellow Chicago-area native. This meeting gave me the chance to see the cyber risk issue from a vantage point that few – extremely few – are privy to.
Admiral Rogers sees the depth and breadth of the problem as well as the collaborative approach that effective solutions require. In a recent statement before the Senate Committee on Armed Services, he said,
“… cyber defense is no longer information technology (IT), it is not a mere support function that they can safely delegate to someone on their staff.”
The Admiral called computer security “an enterprise-wide project,” and has been quoted as saying that cyber security is “the ultimate team sport.” He told the senators:
“Neither the US Government, the states, nor the private sector can defend their information systems on their own against the most powerful cyber forces. The public and private sectors need one another’s help.”
Sitting around a table in Evanston, Admiral Rogers offered some further detail. In the cyber battlefield, like any battlefield, smart defense requires moments of offense and vice versa. If the US Cyber Command develops an offensive strategy to pursue a criminal, he said that is just the kind of information that should be shared with the cyber security community – not to reveal our plans, but to point out potential weaknesses that we may be exploiting, which our enemies could be exploiting as well.
A Response Like no Other
The most basic sharing – reporting on data breaches – is just a part of it. A risk like no other needs a collective response like no other.
Create a Culture of Cyber Resilience
The solution for an issue that permeates the business is a response that permeates the business. This is not an IT issue.
In fact, if there’s one message I believe passionately, it’s this: Don’t functionalize the response. Don’t make it a function of technology, risk management, legal, human resources (HR), or any other group. It’s a strategic business issue, and the business must respond. And the response must be led from the top. President Obama has gotten that message, and whether you watch Fox News or MSNBC, you probably see the need for government leadership on this.
If there’s a second message to deliver, it’s about the necessity of responding in partnership.
Clearly, I mean partnerships across all stakeholders within an organization: IT, risk management, legal, HR, operations and communications all sitting down together – with organizational leaders at the head of the table. This will mean breaking down boundaries within the organization – a good thing on its own.
I’m also talking about breaking down boundaries between organizations. That’s not easy, either, but in a war where the weaponry is digital, competitors will probably have to share data if they want to successfully defend against their common enemies.
The US Department of Homeland Security has a group looking at cyber insurance, and at the top of their list of action items is setting up a repository for sharing data about cyber incidents.
If there’s a third message, it’s get involved. I suggest that anyone in the business of helping organizations address their cyber risk support the Cybersecurity Information Sharing Act of 2015 (CISA), now being batted about in Washington DC. The act, which has bipartisan support, would promote sharing of information and provide liability protections for organizations sharing data.
If you have a problem with that bill, then get involved with an industry organization that’s finding ways to pool information about the risks that are multiplying out there and the solutions that are frantically trying to keep up. Or find another way to plug in.
Ask Yourself Some Questions
The first step a business leader should take in dealing with the 800-petabyte gorilla in the room is: Ask yourself some questions.
- Have you accepted the fact that cyber invulnerability does not exist, and every aspect of your business that depends on the cyber world—i.e., every aspect of your business—is potentially at risk?
- Do you understand the scope and the potential impact of that risk on your overall business?
- Do you understand how many and what type of cyber threats your organization faces on a regular basis? Do you gather, evaluate and share this information with appropriate stakeholders, including law enforcement?
- Do you have in place the right people with appropriate training, skills, and expertise to help align your organization’s goals around cyber security?
- Are you involved in legislative activities to improve cyber security in your industry, and have you joined the appropriate industry groups that are attempting to set standards for cyber security?
- Do you follow the same cyber security best practices that everyone in your company and industry is expected to follow – because, like it or not, you set the standards for those you lead?
- Do you have a breach response plan? Has it been tested? Do you have a breach coach?
- Have you consulted with legal counsel about reaching out directly to your competitors and sharing the most relevant information regarding the threats facing your industry?
- Are you really leading from the top?
In the end, you’re going to have to get under the hood and understand how the cyber engines run inside your company. And then start creating a framework for addressing the totality of the risk both inside and outside the organization.