Raytheon CEO Thomas Kennedy is in charge of a $27 billion company, with 67,000 employees.
Needless to say, cybersecurity is something he pays attention to—both internally and in the work that the defense contractor does for its clients.
Chief Executive asked Kennedy to discuss what the CEO’s role is in creating a cyber-safe workspace. The Raytheon CEO also touched upon the role company culture plays in creating a more secure organization, how his leadership style has evolved and more. Below are excerpts from this email conversation.
What is the CEO’s role in creating a cyber-safe workplace?
The simple truth is that when everything is connected, everything is vulnerable. So CEOs must be the ones setting the tone at the top that cyber securing the enterprise is a top priority. In words and actions, they need to become champions for cybersecurity. And they need to support it with investments, getting the right IT and operations talent in place and empowering managers to implement effective systems, processes and plans.
Companies can gain significant competitive advantage by leveraging new technologies for automation, cloud computing, global supply chains, and networked products and services. But all of these must be secured and monitored—across the entire system of systems, whether an internal tool or a product you sell—from its IT components, to operational technology (OT) hardware and software, to internet of things devices and connected third-party services. The business must manage the associated cybersecurity risks of all of these elements, since the impacts can be severe. There are the very real dangers of business disruption; health and safety impairment; damage to a company’s brand and its public trust; lawsuits and fines; and the loss of critical intellectual property and privacy data.
I like to say that there are two types of companies out there relative to cyber: those that know they’ve been breached, and those that don’t know they’ve been breached. As a result, CEOs need to be proactive. They can’t assume they’re not a target – they are.
How can CEOs best communicate the importance of cybersecurity to their employees?
The challenge for companies is that employees are both the strongest defense and the weakest link relative to cybersecurity.
This risk is called “the insider threat” – and there are two kinds of threats from employees here. There’s the employee deliberately downloading sensitive files or intellectual property to sell or bring with them to a competitor when they leave; and/or sabotaging the OT system. Then, more commonly, there’s the employee who unintentionally falls victim to an external bad actor, such as through a phishing scheme, or who circumvents security controls in a misguided effort to do some work. No matter the intent, there has been a stream of headlines of such actions leading to the critical loss of IP on IT systems, and sabotage against the OT systems of factories, industrial control systems and even hospital equipment.
Getting employees to become part of the solution needs to be communicated through employee education. It’s a high-payoff activity, since increased training not only lowers the risk that employees will unknowingly facilitate breaches, but also means that when bad things do happen, they know how to respond and minimize the impact. Good training brings to life the dangers of bending rules and how to be alert for malicious insiders.
At my company, IT partners with Communications to get the word out through an employee education initiative we’ve branded RTN Secure. And it’s regularly updated to highlight new vulnerabilities and best practices as the threats evolve.
Cyber-aware employees then become your best line of defense and a critical component of your organization’s cyber resiliency. You have to assume compromise; it’s not if, but when.
What role does company culture play in creating a more secure organization?
As with every part of your business, culture is key. It provides the solid foundation of compliance, collaboration and communication required to ensure the resilience of your organization.
You may invest millions of dollars in employee cybersecurity education, but for it to truly pay dividends, you must have a culture of community and shared risk across the organization – it needs to be part of the organizational DNA.
It’s getting every employee to recognize that cybersecurity is no longer just an IT problem. Everyone has a role to play.
It’s driving home why it is so important to practice good cyber hygiene. Where it becomes second nature to take the extra step or extra minute to check something out, even though it might initially seem inconvenient. To have the discipline to avoid shortcuts and pitfalls like opening email PDFs and zip files from people you don’t know; using those free thumb drives you found at a conference; and having the same password or pattern across multiple websites.
For me, trust and accountability are the key values and behaviors you want to reinforce. It’s trusting that employees will do the right thing once they have the right training. It’s creating an environment where employees feel empowered to raise their hands if something doesn’t seem right. And it’s holding teammates accountable when rules are intentionally broken.
That’s how you gain and maintain the cyber-trust of coworkers, customers and partners.
How has your personal leadership style evolved over the years?
As I’ve progressed in my career from engineering, to program management to managing the business, I’ve had to become adept at knowing when to lead from the edge and when to lead from the core. Essentially, strong leaders need to be able to lead from the “edge” – knowing when to be strategic, embrace change, think creatively and seek input from others. But they also need to know when to lead at the “core” – making operational decisions based on known expertise, and emphasizing consistency and performance. I have to give credit to Lee Hecht Harrison for articulating the concept, especially as it relates to the importance of adapting these styles. The current marketplace is dynamic and leaders need the agility to go back and forth between edge (strategic) and core (operational) – adjusting their styles to fit the situation.
What’s the best piece of leadership advice that you would like to share with peer CEOs?
When it comes to cybersecurity, the best advice I can give is to surround yourself with a great team. The threats and opportunities are evolving so rapidly that it’s a challenge for any one person to keep up with it. It should keep you up at night.
But with the right team, you’ll have the expertise in place to provide for a cyber-resilient and cybersecure organization. You want leaders and subject matter experts who are inquisitive and not complacent. They’ll tell it like it is; give you an honest assessment of the cyber challenges, risks and opportunities; not what you want to hear.
And it goes back to culture. You want an environment where people feel empowered to sound an alarm to leadership. You want issues elevated quickly, since the sooner you know about something, the sooner you can get down to solving the problem.
He’s No. 118 on Chief Executive and RHR International’s CEO1000 Tracker, a ranking of the top 1,000 public/private companies
Headquarters: Waltham MA
Education: University of California, Rutgers The State University of New Jersey, Bachelor’s Degree Electrical Engineering
First joined company: 1983
Prior to joining Raytheon: U.S. Air Force
Named CEO: 2014