The New Rules Of Cybersecurity

The man who built the U.S. Army’s cyber command says online threats are going to get worse before they get better. But that doesn’t mean leaders are powerless. Here's how to protect your information and leave no data behind.

3. Collaborate and Communicate. Too often, we’re not communicating in terms that other people understand. Be sure your IT decision-makers speak English, not tech, and make sure they can be understood by everyone around them—up and down the leadership chain. That’s critical to companies because boards and management are talking past each other too often today. They’re not communicating in terms each can understand.

It’s also critical that teams are transparent and work across silos. A personal anecdote: The first meeting I had when I was starting up the Army’s cyber command was like a negotiation between North and South Korea. On one side of the table were the people who did IT; on the other side were the people who did intelligence. They had their arms crossed looking at each other. I could feel the tension in the room and said, “Relax, I’m just trying to see where we are, as we prepare to stand up to command.”

The IT people looked at me and said, “We’ve been responsible for defending these networks. And those intelligence people over there, if they gave us the intel we needed to have, we could defend these networks.” And the intelligence people looked at them and said, “If you had a need to know, I would tell you.” That was not a good place to start when it came to building better cybersecurity, where the first question you need to ask is, “Who else needs to know?” and information sharing is critical to success.

4. Know That Technology Is Always Changing. Far too often, you will hear IT people say, “I could have stopped it if I only had this.” But the reality is that resources are finite, and technology is always changing. It’s not an issue of not having the right technology. How do you mitigate the most significant risk? Given the technology you have, how can you leverage your people? How can you leverage your processes? What do they need to do differently? Because you can’t go buy every widget and gadget that you think is going to solve every problem.


There are so many products out there, and everybody is claiming to do something. Where to start? Do not buy anything until you have 100 percent visibility into your network. Anything you can’t see, expect that someone else can see it and use it as a point of entry and a point of vulnerability. Also, invest in capabilities that are part of an integrated, automated, real-time prevention platform.

5. Recognize that Threats Are People. The threat is not malware. It’s people. You have to know what you have that they want. What are the crown jewels of your organization that would be most valuable to a cybercriminal? And then you have to understand their capability and intent to threaten that information. Not everything is a threat to you. But what you need to address are threats that bring the most significant risk to what it is you value the most.

6. Compliance Isn’t Cybersecurity. In many organizations there’s still a false sense of security that compliance equals cybersecurity. Compliance does not equal cybersecurity. Compliance says that you are compliant on this particular thing that you’ve been told to do, and compliant at this particular moment in time. Too many companies are focused on compliance at the expense of mitigating and managing risk.

We bring that on ourselves because every time there’s an incident, somebody thinks about what happened and how to prevent it, and then tries to think of a compliance measure to put in place. This whack-a-mole approach of constantly chasing threats does not work, and an enterprise risk-management approach is required. You will always be managing risk. Everything brings some risk to your networks, data and systems. You will never eliminate all risks, but you can focus on what matters most to reduce risk while increasing resiliency to your business.

7. Monitor the Right Metrics. Given the amount of cybersecurity information available, monitoring the right metrics is no easy task. Each company must determine what’s important and which metrics assure the mission; the right metrics, not more metrics, are better. Consider distinguishing between leading and trailing indicators. From a cybersecurity standpoint, focus on the leading indicators, particularly as you work to anticipate how to mitigate risks against a constantly evolving threat landscape. Minimize your reliance on snapshots in time. While they may look good, a snapshot is only a view at that moment, unlike tracking trends and patterns. Metrics should be easy to understand, concise and relevant, while enabling discussion and decision making.

While each company is different, all consider metrics related to confidentiality of their information, integrity of their data and availability of their systems. Poor cybersecurity measures can impact all three.

