Why are cyber threats on top of every executive’s mind?
Sharing a few thoughts on cyber security…
I was on the phone last week with a data visualization expert and author discussing visualization problem solving—basically, how to solve problems or at least understand problems with pictures (i.e., drawing pictures). He asked a question about cyber security: “Why is a cyber threat so scary? Isn’t it just another threat?” He was right… in part—cyber is another threat, just like infectious disease, civil unrest, flood, power outage, fire, war, or accident. While we use common frameworks and capabilities for threats such as command and control, situation awareness, threat intelligence, common operating picture, common ground, and so forth, each threat has unique characteristics we need to consider. Why is cyber security on the top of every executive’s mind? It comes down to six (6) characteristics of a cyber threat:
There’s a mnemonic for these six (6) characteristics: “is wild” (intentional, speed, wild, interconnected, location, detectability).
The first reason cyber threats are escalated (emotionally, financially, cognitively) is that they are intentional. With intentional threats, the threat actor seeks to ensure the attack’s success and maximize its damage. It’s a thinking, adaptable threat, unlike natural or accidental threats, and humans are innately hypersensitive to threats that desire to cause harm. Intentional threats are also reputationally sensitive, as they can quickly turn public. We tend to be more relaxed when it comes to natural threats—we refer to them as Acts of God or Mother Nature, as if we have no control over them. Accidental threats get categorized in the health, safety, and environmental (HSE) bucket.
The second reason is speed. Cyber threats move at network speed. Typically, you don’t warm up to them (as with a union strike) or get any warning (as with a hurricane) before you find yourself in a crisis situation. These attributes increase the complexity of the threat. New technologies bring new opportunities and new risks, and cyber threats can blindside you. Executives do not like (and rightfully so) to be caught off guard. Understanding the time element is essential in successfully managing these crises.
The third reason is wild—that is, the cyber arena is still a wild frontier. Just like any wild frontier, the laws and rules are weak, a huge and profitable black market exploits that weakness, and key persons/groups (rather than companies and governments) make the rules. The current laws, regulations, policies, politics, authority, and so forth have not caught up to the realities of today. As in the wild frontiers of history before established governance, different incentives, rewards, and social systems apply.
The fourth reason is interconnectedness. The digital environment is built on connections and interdependencies. It’s a double-edged sword: Being more connected and collaborative in the business world enhances our business capabilities. Unfortunately, it also opens up the field for more threats. The speed and density of our digital connectedness make it extremely hard to relate cause and effect, and almost impossible to see cascading effects. A cyber threat can come from anywhere and anyone.
The fifth reason is location. Most other threats can be quarantined by space (proximity) and time (how quickly impact occurs). Hurricanes have a season, in addition to a defined geographical space and time. A cyber threat sits in an electronic (network) location rather than a physical one, and can be global in reach.
The sixth reason is detectability. It can be difficult to detect cyber threats. We may be infected without knowing it. An infection can spread before anyone knows its effects. On the call I found myself likening cyber threats to cancer—just because you went in for a physical examination and received a clean bill of health doesn’t mean you don’t have cancer; it means the doctors didn’t find any evidence of cancer. If you detect a cancer early, you’re usually in a good position. If you detect a cancer late, you are in trouble.
(Side note: I attended a private security meeting recently. The meeting influenced me so much that I have instituted a new security policy at Lootok. When an associate leaves their country, they leave with a clean laptop and phone. When they return, we wipe it again.)
Lootok is not a cyber security shop; however, we do specialize in the cyber arena with crisis management and communication, reporting (data visualization), training, and awareness. Our Creative Learning Technology Center works with CSOs and CISOs to enhance companies’ awareness, communication, and training capabilities. A great example is from a CISO we know, who shared his thoughts on changing the organization’s culture to enhance its information security capabilities. He said, “Most of my problems are human and behavioral, not software or technology. If I could get the organization to live by these five (5) rules it would solve 80% of my cyber problems.”
The five items are:
- Don’t click on the link.
- Don’t go to bad websites.
- Protect it like you own it. Treat your company’s assets as if they belong to you—that is, follow the security policy for passwords, secure the assets (e.g., don’t leave an electronic device out of your sight), apply patches, and so forth.
- Trust no one—keep an honest person honest by making them follow the rules.
- If something is wrong or feels wrong, tell us immediately. Bad news is good news.
When enhancing an organization’s risk and resiliency capabilities, one area of focus is culture. This is particularly true with cyber and reputation issues. Culture is a pattern of beliefs and expectations shared by a group that produces norms. Norms shape our behaviors and define what is acceptable and unacceptable. We need to shape people’s mindsets and change behaviors to battle cyber and reputation threats. To do this we rely on internal branding, marketing, communications/messaging, forums (communities), awareness, and education. This is what Jeremy Stynes’ Creative Learning Technology Center does at Lootok for our clients. When you have the right thinking, the right behavior, and the right incentives, you can create change.
Suggested further reading:
- Criminal Investigation Underway into Banking Regulator Data Breach
This is an interesting article on the FDIC data breach. It illustrates the internal behavioral challenges of living in a cyber world. Data privacy and cyber security require more than a technology solution. Organizations need to adapt their culture and provide constant and consistent training, awareness campaigns, and checks and balances. Internal campaigns, communications, marketing, and storytelling help reduce bad decisions and behavior.
- J.P. Morgan’s CIO on the Bank’s Security Game Plan
A quick and interesting read: Dana Deasy discusses the bank’s strategy since the 2014 breach, as well as working with fintech partners. Dana speaks to the value of thinking like an adversary, and creating red teams, hunt teams, kill chains, and simulations. I was surprised, though, that he did not comment on the importance of culture, awareness, training, and collaboration.
- SWIFT Says Second Bank Hit by Malware Attack
An engaging piece on financial industry cyber attacks. It demonstrates the need for a cyber risk aware culture, proper communication and training, and processes for internal threats.
- The Ins and Outs of Cyber Risks
This article from Zurich illustrates the need for better cyber training, awareness, learning, communication, and cultural alignment.