William Stewart, EVP, Booz Allen Hamilton
Cyber risk–the threat of a data breach–has become an everyday reality and a Board-level priority. And now it is about to get personal. Threats are growing: the “attack surface” is changing to include even wearable devices. For the senior technology executive (CIO, CTO, CISO, CRO), the future of cyber security is both daunting and encouraging. We are learning how to anticipate potential attacks. But there are several areas where the c-suite must step up its game.
Something happened last year that raised the stakes. Reports of data breaches blew up. Cyber went mainstream–the subject of daily headlines, a dinner table topic. U.S. data breaches hit a record high of 783 reported incidents in 2014 according to the Identity Theft Resource Center. That is a 27.5 percent one-year increase.
When a portion of downtown Washington, DC, lost power earlier this year, immediate speculation was that a cyber attack was to blame–not weather, equipment failure or a fire. What was once the stuff of “what if?” speculation or obscure contingency planning is now common.
As the cyber threat went mainstream, it went upstream. Data protection became a top priority for the c-suite. It evolved from an item on the “to do” list to a Board level concern. The risk of a cyber attack – and a bungled response – became one of the threshold issues that could shorten the tenure of a CEO.
Yet with one attack after another, there was some good news. We learned. Some companies learned the hard way; now, many others are now quietly going about approaching cyber security in a different manner. Tired of being a step behind, senior technology executives are gravitating to a more active, anticipatory approach to preparedness and defense, one that looks over the horizon at emerging criminal patterns and active threat actors.
The shift is similar to what took place in natural disaster response, where use of predictive weather data now enables communities to take preventive measures before the storm hits.
And if the cyber threat was waiting for us to catch up, organizations would be in great shape. But that is not the case.
The “attack surface” is about to fundamentally change. And this is where cyber security will get personal.
In the months ahead, organizations will begin to face new threats to medical data, connected vehicles, mobile payments and “Internet of Things” devices. Emerging technologies like wearables create new risks: employees may come to work wearing a compromised smart watch. They may pull their hacked connected vehicle into the company parking garage.
Something as far removed from the corporate IT ecosystem as a chip-embedded laundry detergent container, sitting in an employee’s laundry room, is a vulnerability waiting to be exploited.
This scenario adds a third dimension to the traditional inside or outside the firewall environments–a risk that floats between the two. And it requires another layer of preparedness. Now, an employee’s personal possessions–not just their company provided laptop or even their BYOD smartphone–create risk.
To prepare for what lies ahead, senior technology leaders must elevate their organization’s approach in five areas:
Defense: get active – It is an emerging trend that any technology executive must follow: the adoption of a more dynamic, proactive approach to cyber security. “Active defense” measures employing an intel-to-operations model are now a requirement, not an experiment. Cyber strategies now use real-time intelligence and assessment data to shape decision making, fine-tune defenses and preempt threats.
Leadership: syndicate the risk – Too often, the cyber threat is treated as an IT problem requiring an IT solution. Yet as the stakes grow higher, cyber attacks now touch every part of the organization. Product development, organizational strategy, HR, legal, marketing: they all play a role in preparedness, defense and response. It is critical that risk and responsibility be spread out across the organization. Anything less will result in a flawed approach–and a potentially shortened tenure for the senior technology executive.
Systems, product development: think cyber – Historically, speed-to-market has been the number one imperative driving everything from product design to systems implementation. Cyber security considerations were once an afterthought: now, they are becoming a consideration, albeit one that is largely retroactive. IT leadership must lead a fundamental shift to “embedded security,” with cyber defense a driver of product and systems development, rather than a bolt-on. This shift is particularly important as the Internet of Things expands the attack surface.
response:cut through the hype – With cyber a mainstream and Board-level issue, the market is crowded with companies pitching “incident response” capabilities. For the corporate buyer, it is a hype-fueled, “buyer beware” environment. Does the incident response offer include the right balance of multidisciplinary expertise needed–like crisis communications, legal, policy, business and technical? What about the people behind it and the proposed step-by-step methodology? With the stakes growing higher, leaders must take a discerning look at incident response solutions.
Preparation: practice or perish – An effective cyber response requires two behaviors that do not come naturally to large organizations. First, different areas like individual business units, legal, HR and marketing must work together around an issue where there has been little collaboration. Second, they must do so quickly, with an operational velocity that is often lacking in the day-to-day business. Practice–through collaborative planning and real-time simulation drills–is the only way to achieve the required level of readiness. Without practice, you will fail.
There is little doubt: we are entering an entirely new phase in the fight against cyber a attacks . Heightened activity, public concern and Board-level scrutiny have made cyber security a top priority, while driving advancements in preparedness, defense, detection and response. But with new, “personal” cyber threats looming, now is the time for the c-suite to rethink its approach. By doing so, they can avoid learning the hard way.