3. Collaborate and Communicate. Too often, we are not communicating in terms that other people understand. Be sure your IT decision-makers speak English, not tech, and make sure they can be understood by everyone around them, up and down the leadership chain. That is critical to companies because boards and management too often talk past each other today, each failing to communicate in terms the other can understand.
It’s also critical that teams are transparent and work across silos. A personal anecdote: The first meeting I had when I was starting up the Army’s cyber command was like a negotiation between North and South Korea. On one side of the table were the people who did IT; on the other side were the people who did intelligence. They had their arms crossed, looking at each other. I could feel the tension in the room and said, “Relax, I’m just trying to see where we are, as we prepare to stand up the command.”
The IT people looked at me and said, “We’ve been responsible for defending these networks. And those intelligence people over there, if they gave us the intel we needed to have, we could defend these networks.” And the intelligence people looked at them and said, “If you had a need to know, I would tell you.” That was not a good place to start when it came to building better cybersecurity, where the first question you need to ask is, “Who else needs to know?” and information sharing is critical to success.
4. Know That Technology Is Always Changing. Far too often, you will hear IT people say, “I could have stopped it if I only had this.” But the reality is that resources are finite, and technology is always changing. It’s not an issue of not having the right technology. How do you mitigate the most significant risk? Given the technology you have, how can you leverage your people? How can you leverage your processes? What do they need to do differently? Because you can’t go buy every widget and gadget that you think is going to solve every problem.
There are so many products out there, and everybody is claiming to do something. Where to start? Do not buy anything until you have 100 percent visibility into your network. Anything you can’t see, expect that someone else can see it and use it as a point of entry and a point of vulnerability. Also, invest in capabilities that are part of an integrated, automated, real-time prevention platform.
5. Recognize That Threats Are People. The threat is not malware. It’s people. You have to think about what you have that they want. What are the crown jewels of your organization that would be most valuable to a cybercriminal? Then you have to understand an adversary’s capability and intent to threaten that information. Not everything is a threat to you. What you need to address are the threats that bring the most significant risk to what you value most.
6. Compliance Isn’t Cybersecurity. In many organizations there’s still a false sense of security that compliance equals cybersecurity. Compliance does not equal cybersecurity. Compliance says that you are compliant on this particular thing that you’ve been told to do, and compliant at this particular moment in time. Too many companies are focused on compliance at the expense of mitigating and managing risk.
We bring that on ourselves because every time there’s an incident, somebody looks at what happened, asks how it can be prevented, and then tries to think of a compliance measure to put in place. This whack-a-mole approach of constantly chasing threats does not work; an enterprise risk-management approach is required. You will always be managing risk. Everything brings some risk to your networks, data and systems. You will never eliminate all risk, but you can focus on what matters most to reduce risk while increasing your business’s resiliency.
7. Monitor the Right Metrics. Given the amount of cybersecurity information available, monitoring the right metrics is no easy task. Each company must determine what’s important and which metrics assure the mission; more metrics is not better. Consider distinguishing between leading and trailing indicators. From a cybersecurity standpoint, focus on the leading indicators, particularly as you work to anticipate how to mitigate risks against a constantly evolving threat landscape. Minimize your reliance on snapshots in time: while a snapshot may look good, it is only a view at that moment, whereas tracking trends and patterns shows where you are heading. Metrics should be easy to understand, concise and relevant, while enabling discussion and decision making.
While each company is different, all should consider metrics related to the confidentiality of their information, the integrity of their data and the availability of their systems. Poor cybersecurity measures can impact all three.