At DEF CON you’ll often hear that “every company is receiving penetration testing, but some companies pay for the pleasure.” My take is that every company pays for penetration testing – some companies pay in planned expenditures, but others pay in response costs, reputation loss, business interruption, legal liability, and increased insurance premiums. Or as Claus Moser observed, “Education costs money, but then so does ignorance.”
Last week’s DEF CON post shared insights from DEF CON 23 presenters on the fast-moving threat environment. Below are post-DEF CON observations on strengthening an organization’s cyber risk management strategy.
Organizations’ cyber risk management strategies vary in complexity, so this post focuses on general principles to improve strategy execution regardless of your risk management approach. If you’re new to the cyber risk management table, the Department of Homeland Security offers initial questions your CEO should consider: Cyber Risk Management Primer for CEOs.
A 2015 Harvard Business Review article explores why strategy execution commonly unravels. Below are the article’s solutions, based on research and case studies, as applied to the cyber security context.
- Implement a structure that coordinates cyber risk management activities across business units.
Top-down strategy directives are mistakenly viewed as the way to improve execution. Emerging threats are not one size fits all. Different business units and functions may have unique cyber exposures, and threats may cross business units without respect to internal organizational turf. Having a flexible structure in place to facilitate cyber coordination across business units, whether for proactive security or for breach response activities, is key. The structure should address both internal and external coordination platforms.
- Focus on flexibility – reallocate resources, people, and attention as quickly as conditions change.
Having a plan (who does what, when, and how) is of course crucial. But a static plan for a dynamic threat environment spells trouble. The plan should be flexible enough to change just as quickly as your technology and threat environment change. For example, if security policies or technology controls are outdated, change direction and get creative with your budget.
- Don’t merely communicate your strategy – engage it.
Relentlessly communicating strategy is mistakenly viewed as an important aspect of successful strategy execution. Instead, focus on engagement, because what’s important is not what we say we’ll do, but what we actually do. Engage with your cyber risk management strategy on all levels for better understanding and ultimately better execution. For example, if you have a breach response readiness plan that has been clearly communicated, take it to the next level and engage on the plan by periodically meeting for brief mock exercises so that execution will be top of mind. Don’t reveal the incident scenario to the participants until they arrive at the meeting, and in subsequent meetings, mix things up over time with a variety of incident patterns. Better yet, involve “Plan B” personnel in the breach response exercises (“Oops, Bill’s out with the flu today, so Jill, you’re on deck!”) to deepen the engagement in key roles, and to be better prepared when the inevitable real-world response is needed.
- Promote a strategy-execution culture focused on agility, teamwork, and ambition.
Managers often link failed execution with weak performance cultures, but strategy execution encompasses more than merely each employee performing his or her designated duty. Companies should encourage agility, teamwork, and ambition. For example, if cyber risk management strategy is well-understood because employees have been properly engaged, even an employee in a non-management role can feel empowered enough (ambition) to report suspicious activities on-site (teamwork) and be aware of other potential threats (agility) to the overall cyber risk management strategy. Remember, human beings may be the weakest link, as confirmed by the responses of employees at telecommunication companies deceptively contacted during DEF CON 23’s social engineering contest, in which participants obtained information by simply calling and asking questions about security practices (“By the way, what shipping company do you use?”).
It’s difficult to guard against threats of which you’re unaware, or in Rumsfeld parlance, the “unknown unknowns.” Stay up-to-date with new developments that may threaten your industry. Some may even take a page out of the Federal Trade Commission’s playbook and sponsor hackers at DEF CON to create new developments. Another government-led initiative that may revolutionize how we protect networks is the U.S. Department of Defense’s Cyber Grand Challenge, to be held at next year’s DEF CON 24. The Cyber Grand Challenge is a network-security simulation that will pit machine vs. machine in what is normally a task for human hackers: attack and defend.