Raytheon CEO Thomas Kennedy is in charge of a $27 billion company, with 67,000 employees.
Needless to say, cybersecurity is something he pays attention to—both internally and in the work the defense contractor does for its clients.
Chief Executive asked Kennedy to discuss what the CEO’s role is in creating a cyber-safe workspace. The Raytheon CEO also touched upon the role company culture plays in creating a more secure organization, how his leadership style has evolved and more. Below are excerpts from this email conversation.
What is the CEO’s role in creating a cyber-safe workplace?
The simple truth is that when everything is connected, everything is vulnerable. So CEOs must be the ones setting the tone at the top that cyber securing the enterprise is a top priority. In words and actions, they need to become champions for cybersecurity. And they need to support it with investments, getting the right IT and operations talent in place and empowering managers to implement effective systems, processes and plans.
Companies can gain significant competitive advantage by leveraging new technologies for automation, cloud computing, global supply chains, and networked products and services. But all of these must be secured and monitored—across the entire system of systems, whether an internal tool or a product you sell—from its IT components, to operational technology (OT) hardware and software, to internet of things devices and connected third-party services. The business must manage the associated cybersecurity risks of all of these elements, since the impacts can be severe. There are the very real dangers of business disruption; health and safety impairment; damage to a company’s brand and its public trust; lawsuits and fines; and the loss of critical intellectual property and privacy data.
I like to say that there are two types of companies out there relative to cyber: those that know they’ve been breached, and those that don’t know they’ve been breached. As a result, CEOs need to be proactive. They can’t assume they’re not a target – they are.
How can CEOs best communicate the importance of cybersecurity to their employees?
The challenge for companies is that employees are both the strongest defense and the weakest link relative to cybersecurity.
This risk is called “the insider threat” – and there are two kinds of threats from employees here. There’s the employee deliberately downloading sensitive files or intellectual property to sell or bring with them to a competitor when they leave; and/or sabotaging the OT system. Then, more commonly, there’s the employee who unintentionally falls victim to an external bad actor, such as through a phishing scheme, or who circumvents security controls in a misguided effort to do some work. No matter the intent, there has been a stream of headlines of such actions leading to the critical loss of IP on IT systems, and sabotage against the OT systems of factories, industrial control systems and even hospital equipment.
Getting employees to become part of the solution needs to be communicated through employee education. It’s a high-payoff activity, since increased training not only lowers the risk that employees will unknowingly facilitate breaches but also ensures that when bad things do happen, they know how to respond and minimize the impact. Good training brings to life the dangers of bending rules and how to be alert for malicious insiders.
At my company, IT partners with Communications to get the word out through an employee education initiative we’ve branded RTN Secure. And it’s regularly updated to highlight new vulnerabilities and best practices as the threats evolve.
Cyber-aware employees then become your best line of defense and a critical component of your organization’s cyber resiliency. You have to assume compromise; it’s not if, but when.
What role does company culture play in creating a more secure organization?
As with every part of your business, culture is key. It provides the solid foundation of compliance, collaboration and communication required to ensure the resilience of your organization.
You may invest millions of dollars in employee cybersecurity education, but for it to truly pay dividends, you must have a culture of community and shared risk across the organization – it needs to be part of the organizational DNA.