Over the last two decades I have participated in cyber risk assessments across many economic sectors, including in government, the military, healthcare, pharmaceuticals, aviation, defense, manufacturing, and finance. I've had great opportunities to interact with business leaders and technologists in many of these organizations and have seen first-hand what it is like to struggle against a dynamic and never-ending threat.
Most firms today leverage a foundation of very similar technologies and there are trends in what information technology is used, even across different industries. All companies have Internet connectivity, and use a mix of PC's and Macs and common off-the-shelf mobile devices. Firms all employ the same types of servers for their corporate IT and everyone is moving to the same cloud providers.
However, it isn't just technology that all firms have in common. All firms face the same threats. The bad guys in cyberspace are targeting us all. If there is a way for them to illegally scam, steal, or defraud, they will try it, and they don't discriminate regarding small, medium or large businesses.
Aside from these basic similarities, every firm also differs in key ways. Companies in different industries have very unique models of what is important to protect and, within these industries, will go to market with distinctive products and services. This means that their digital risks and mitigation strategies will vary widely.
These varieties make assessing cyber business risk a complex activity. There is an incredibly wide array of variables to consider when building recommendations for action, while still insuring that you are hitting everyone's individual critical needs.
After working on assessments across hundreds of organizations, one key factor has risen above the others and I always assess it first. The answer to that factor will tell me immediately whether an organization has a chance at effectively mitigating digital risk.
The factor is the CEO's own attitude towards cybersecurity.
If a CEO is concerned, serious, and has a sense of urgency about cybersecurity, the organization has a dramatically greater chance of preventing major cyber threats. A concerned CEO is already asking the right questions and thinking through the nightmare scenarios of a breach occurring. There is still a great deal of work to be done to reduce digital risk, but a concerned CEO will make the prudent business decisions and mitigate risks along the way.
If a CEO today is not focused on addressing their top business risks, there is little anyone else can accomplish. A CEO who believes that other members on the team are responsible for stopping online crime and fraud, is probably not going to enable, resource, and drive their efforts and bring the rest of the leadership team into the process. Time for CEO's of all generations to understand their digital age role to protect their organization's reputation and revenue and overall responsibility in making the organization resilient.
Are you the CEO who gets it? Great! My recommendation for you is to keep asking yourself the right questions about the key risk to your business, your data, your customers and keep reviewing the resources you find at places like WhiteHawk. The many tips and techniques listed here are easily tailorable to your mission or business.
Are you the CEO who is a bit oblivious? Or do you perhaps work for one? My recommendation in this case is to raise awareness. Perhaps the most impactful way to do this is to consider the publicly available information on cyber crime in your specific industry and try to bring that awareness into your company. All of us are being hit. All of us should take ownership.
Bob Gourley is the founder and CTO of Crucial PointLLC, a firm providing technology due diligence and CTO advisory services. He is the publisher of CTOvision.com. Bob was the first Director of Intelligence (J2) at DoD's cyber defense organization JTF-CND. Following retirement from the Navy, Bob was an executive with TRW and Northrop Grumman, and then returned to government service as the Chief Technology Officer (CTO) of the Defense Intelligence Agency (DIA).