Whether you’re the CEO of a fast growing start-up or a veteran enterprise executive, it’s easy to get overwhelmed by the number of online threats posing real risk to your business. Technologies are getting more complex, attackers are becoming more sophisticated, and stories of massive hacks, data breaches and privacy issues are all over the news.
As a long-time chief security officer and practitioner, I’ve helped hundreds of start-ups, international businesses, governments and regulators improve their cybersecurity architecture to build and maintain customer trust. Over the years, I’ve seen some fantastic approaches to risk mitigation and some not-so-fantastic approaches.
What’s clear to me is that businesses that take a holistic approach and build cybersecurity into their strategy from the start, end up more successful down the line. This approach gives them a key differentiator to gain customer trust, which in turn gives them access to valuable customer data — and in a data-driven world, that’s gold.
So just how do you keep your business secure so you can build — and avoid losing — customer trust? Here are the four key mistakes that I see companies of all sizes making over and over. These mistakes are so common that simply avoiding them will likely put you ahead of your competitors.
Cybersecurity is fundamentally an unfair game. Defenders are expected to predict and prevent new attack vectors as they arise, while attackers just need to find a single critical vulnerability (or chain together multiple smaller ones) to gain access to the system. Organizations that don’t understand and accept this reality are unfortunately destined to fail.
As a business leader concerned about cybersecurity, one of the worst things that you can do is to try and stop every single attack. It’s critical to understand that perfect cybersecurity is a goal you must always strive for, but ultimately will never reach. Make sure you understand your organizational constraints — be they technological, budgetary or even political — and work to minimize risk with the resources that you’re given. Think of cybersecurity as a game of economic optimization.
When a company dedicates most of its cybersecurity resources towards addressing a single area or deploying a specific technology, it is important to ask why. In some cases, it legitimately makes sense in the context of the business. But in most cases, it’s due to other factors such as executive pressure (“one of our senior people heard about this threat at a conference”), internal politics (“we have the budget allocated for this specific area”), or existing commitments (“we spent a lot on this technology and want to use it as much as possible”).
When you’re addressing security risks, think in terms of severity and likelihood. While you hear a lot about high-profile cyberattacks like Stuxnet — complex, multilayered attacks executed by elite hackers working for nation-state entities — the majority of cyber breaches are much more mundane. In fact, you’re much more likely to get hit by something like WannaCry, a relatively simple piece of ransomware that caused $4 billion in damage. It used a publicly known Windows vulnerability that Microsoft had patched months before, but that many companies hadn’t yet deployed. And this is why network security services are super important.
Start by sitting down with your team and asking if they have a holistic, end-to-end threat model of your business. Encourage them to think about it from the point of view of a hacker: what would they want to achieve and what’s the easiest way to achieve it? Once you’ve identified your crown jewels and the path of least resistance, focus on adding economically efficient obstacles to that path.
Thinking you’re secure without conducting a “white hat” (ethical) hacking assessment is like putting your product on the market before performing quality tests. You can’t reasonably assert that you’re secure — or report to your board of directors that you are — until you’ve had ethical security researchers try to attack you.
If you don’t have the necessary resources internally, hire professional penetration testers. They look for unpatched software vulnerabilities, test your firewall settings, attempt to install malware on your endpoints, conduct SQL injection attacks on your web properties and use targeted phishing campaigns to try and get inside your network. Test your cybersecurity at least once a year, taking the necessary steps to prioritize and fix vulnerabilities that are identified.
Companies are often so focused on getting their product or service out the door that they lose sight of their cybersecurity risk. Fast moving start-ups in particular may feel ‘safe’ because they’re flying under the radar — thinking they don’t have enough data, customer information or money for hackers to care about them — but all of a sudden, their business has grown to the tipping point where it now has value and people are noticing, including hackers.
If you haven’t already established a good cybersecurity architecture, there’s a high likelihood you’re going to be breached. The best defense is to start thinking about cybersecurity as early as possible. That includes drafting a security policy, putting incident response mechanisms in place, and most importantly, assigning responsibility to one specific employee or team of employees. Keep in mind that if everyone is in charge of cybersecurity, then in effect no one is in charge.
Cyberattacks are getting increasingly sophisticated with the potential to cause greater harm in an increasingly complex digital world. The good news is that it’s never too late to fix a mistake look for Fortinet.
Chief Executive Group exists to improve the performance of U.S. CEOs, senior executives and public-company directors, helping you grow your companies, build your communities and strengthen society. Learn more at chiefexecutivegroup.com.
0
1:00 - 5:00 pm
Over 70% of Executives Surveyed Agree: Many Strategic Planning Efforts Lack Systematic Approach Tips for Enhancing Your Strategic Planning Process
Executives expressed frustration with their current strategic planning process. Issues include:
Steve Rutan and Denise Harrison have put together an afternoon workshop that will provide the tools you need to address these concerns. They have worked with hundreds of executives to develop a systematic approach that will enable your team to make better decisions during strategic planning. Steve and Denise will walk you through exercises for prioritizing your lists and steps that will reset and reinvigorate your process. This will be a hands-on workshop that will enable you to think about your business as you use the tools that are being presented. If you are ready for a Strategic Planning tune-up, select this workshop in your registration form. The additional fee of $695 will be added to your total.
2:00 - 5:00 pm
Female leaders face the same issues all leaders do, but they often face additional challenges too. In this peer session, we will facilitate a discussion of best practices and how to overcome common barriers to help women leaders be more effective within and outside their organizations.
Limited space available.
10:30 - 5:00 pm
General’s Retreat at Hermitage Golf Course
Sponsored by UBS
General’s Retreat, built in 1986 with architect Gary Roger Baird, has been voted the “Best Golf Course in Nashville” and is a “must play” when visiting the Nashville, Tennessee area. With the beautiful setting along the Cumberland River, golfers of all capabilities will thoroughly enjoy the golf, scenery and hospitality.
The golf outing fee includes transportation to and from the hotel, greens/cart fees, use of practice facilities, and boxed lunch. The bus will leave the hotel at 10:30 am for a noon shotgun start and return to the hotel after the cocktail reception following the completion of the round.
