must create much tighter connections between the cybersecurity team and each critical business function – product development, marketing and sales, supply chain, corporate affairs, human resources (HR), and risk management – in order to make the appropriate trade-offs between protecting information assets and operating key business processes efficiently and effectively.
4. Enlist frontline personnel to protect the information assets they use. Users are often the biggest vulnerability an institution has – they click on links they should not, choose insecure passwords, and e-mail sensitive files to broad distribution lists. Institutions need to segment users based on the assets they need to access, and help each group understand the business risks associated with their everyday actions.
5. Integrate cybersecurity into the technology environment. Almost every part of the broader technology environment affects an institution’s ability to protect itself – from application development practices to policies for replacing outdated hardware. Institutions must move from a crude “bolt-on security” mentality and instead train their entire staff to incorporate it into technology projects from day one.
6. Deploy active defenses to engage attackers. There is a massive amount of information available about potential attacks – both from external intelligence sources and from an institution’s own technology environment. Companies will need to develop the capabilities to aggregate and analyze the most relevant information, proactively engage with attackers, and tune defenses accordingly.
7. Test continuously to improve incident response across business func- tions. An inadequate response to a breach – not only by the technology team, but also from marketing, public affairs, or customer service functions – can be as damaging as the breach itself. Institutions should run cross-functional “cyber-war games” to improve their ability to respond effectively in real time.
There are three important points about this list:
1. Technology executives believe that these actions collectively could be game changing in terms of digital resilience.
2. Only two are primarily cybersecurity levers; the remainder require broader IT or business process change.
3. Companies are not making progress on these levers fast enough. On average, technology executives gave their companies C to C– grades on their efforts so far.
The seven levers are discussed in Chapters 3 through 7. Chapter 3 looks at how to prioritize business risks and put in place different levels of protection for the most important information assets. Chapter 4 provides a perspective on how to incorporate cybersecurity considerations into business decision making and how frontline users can help protect information assets. Chapter 5 shows how cybersecurity must be built into the broader IT environment. Chapter 6 describes integrating intelligence, analytics, and operations into active defenses that can respond quickly to emerging threats. Chapter 7 covers the use of war gaming to build incident response skills across business functions.
BUSINESS LEADERS MUST DRIVE CHANGE
Cybersecurity has several characteristics that make it tough for large, complicated institutions to address in an integrated way. Cybersecurity is pervasive – it touches just about every business process, which means that many cybersecurity decisions have a far-reaching market and strategic impact, requiring senior management engagement. Conversely, getting the right level of senior engagement is also tough: the language is arcane, cybersecurity teams often lack the skills to interact with senior executives, and few tools exist to quantify cybersecurity risk or mitigation.
Too many companies put programs in place that avoid these inherent challenges rather than address them. They conduct mechanistic assessments that may not unearth the real issues. They fail to consider the full range of risk reduction mechanisms. They approach the task of achieving digital resilience as a technology program focused on compensating controls rather than as a business strategy and operations program with significant technology implications. Perhaps worst of all, they neglect to engage senior business leaders effectively.
An effective cybersecurity program that will make rapid and sustained progress toward digital resilience must be designed from the start around three principles:
1. Collaborative engagement between the cybersecurity team and their business partners to prioritize risks, make intelligent trade-offs, and, where appropriate, change business processes and behaviors rather than implement technology solutions to manage risks.
2. A focus on resiliency in the broader IT organization, to facilitate the convergence of security, efficiency, and agility – and to make sure that IT managers design technology platforms from the very beginning to be resilient and secure.
3. A dramatic upgrade of the skills and capabilities of the cybersecurity team so its managers can understand business risks, collaborate effectively with business partners, navigate a rapidly changing technology environment, influence application and infrastructure environments, and implement active defense tactics.
This implies an ambitious agenda, and companies may be inclined to walk before they run. Unfortunately, attackers will not patiently wait for cautious companies to improve their cybersecurity capabilities in this incremental manner – companies must act in a proactive and determined fashion now.
THE BROADER ECOSYSTEM MUST ENABLE DIGITAL RESILIENCE
While companies must upgrade their own capabilities, technology executives told us that individual institutions could not be left to fend for themselves and that governments, private institutions, and civil society should work together to build a resilient digital ecosystem.
There was a wide range of views about the value and feasibility of the specific actions governments could take, but a set of potential aspirations did emerge. Countries should create national cybersecurity strategies that have clear lines of accountability among public- sector agencies and provide support and assistance to the public and civil sectors. Law enforcement, prosecutorial, and judicial functions should increase their familiarity with and expertise in cybersecurity issues so that they can better combat cyber-crime. Finally, countries should prioritize cybersecurity issues in bilateral exchanges in order to create transparency into motivations, constraints, and objectives for actions in this field.
Equally critically, industry associations and voluntary groups will have to enable companies to share intelligence, disseminate best practices, align on how to address challenging issues, and eventually create shared utilities to provide important cybersecurity functions.
At the same time, financial institutions and insurance companies could support progress by creating markets for pricing the risk of cyber-attacks.
The final two chapters of the book discuss how leaders can advance the cause of digital resilience. Chapter 8 describes how companies can design and launch a cybersecurity program that will sustain progress. Chapter 9 addresses the role played by the broader set of players in the digital ecosystem – including regulators, vendors, and others – in facilitating the path to digital resilience.
Sustaining the pace of innovation and growth in the global economy in the face of determined cyber-attacks will require dramatic change. Companies must make the transition from managing cybersecurity as a control function to implementing the practices required to protect information assets into their business processes and their entire IT environment. In addition, regulators, technology vendors, and law enforcement must collaborate with companies to create an ecosystem that facilitates digital resilience. Changes of this scale and complexity cannot be achieved without the active engagement and participation of the most senior business leaders and policymakers.
1
Cyber-attacks Jeopardize Companies’ Pace of Innovation
All business investments require trade-offs between risk and reward. Does the interest rate on a new bond issue adequately compensate for the risk of default? Are the potential revenues from entering a new emerging market greater than the risk that the investments will be confiscated by a new regime? Does the value of oil extracted via deep-water, offshore drilling outweigh the chance of a catastrophic accident? Tough questions must be answered