Why Forward-Thinking CEOs Require A Strategic Cybersecurity Plan
With the advent of developments like Blockchain, AI, and the Internet of Things, the business world has inextricably staked its claim in the online arena. This rapid growth in cloud-based technology has allowed businesses to build links outside the limits of brick and mortar, sharing data across disciplines and teaming seamlessly with stakeholders across geographic barriers. Knowledge is power, and businesses are valued by peers and public alike for their openness, accountability, and willingness to link arms with other parties.
In an environment where collaboration and transparency are the keywords of the day, how can businesses protect their most important assets? Gone are the days of putting your mind at ease by locking everything in filing cabinets behind vault doors. Be it financial records, personal data, or intellectual property – if it’s available on the cloud, it’s vulnerable to a new kind of attack.
The benefits of cloud computing are almost as varied as the risks. Proprietary information is vulnerable in every business, and a security breach can cause an organization’s credibility to implode. It’s not only large-scale corporations that have to be concerned; small businesses and start-ups tend to employ less sophisticated security measures, making them an easy target for cyber threats. Nobody is immune, and negligence might carry a hefty price tag.
Fiscal risks are an undisputed cost, with cybersecurity listed right after local tax liability in corporate risk evaluations – but data breaches have become a board issue, too.
“Today’s security climate is such that enterprises fear becoming victims of the next major cyber attack or cyber extortion,” said Sean Pike, IDC’s vice president of security products. “As a result, security has become heavily scrutinized by boards of directors demanding that security budgets are used wisely and solutions operate at peak efficiency.” In the wake of such scrutiny, CEO heads are rolling for their failure to take proactive measures against cyberattacks.
Target CEO Gregg Steinhafel was one of the first to be toppled from his perch in 2014. After 35 years with the company and six years in the captain’s chair, his downfall turned out to be little more than a failure to act. When retail giant Target was the victim of a massive data breach that resulted in the theft of 110 million customers’ personal information, Steinhafel and his CIO faced the axe. The systems they put in place for cybersecurity were ultimately ill-equipped to deal with the threat, and – as the ones who sign on the dotted line – the buck stopped with the executives.
Responsibilities of Board Members
It’s not enough to lump the issue of cybersecurity into the IT portfolio and never give it a second thought. In order to implement a dynamic strategy that tackles cybersecurity holistically, organizational leaders need to get involved and make cybersecurity part of the company culture from the top down. Executive committees, board members, steering committees, and chief information security officers all play a significant role in establishing good cybersecurity governance.
Harvard Cybersecurity course convenor Eric Rosenbach explains, “I want professionals to come away from this course prepared to take a strong leadership role in improving the cyber risk management within their own organizations. Based on my experience as a CISO and the leader of cyber issues at the Department of Defense, I want this course to help you answer the toughest questions: What are my organization’s most important assets and how can we mitigate the risk of attack to them? When a cyberattack occurs, how can we implement a response plan that minimizes operational, litigation, financial, and reputational risks?”
Cyber attacks must be considered a matter of when, not if, and businesses require a robust cybersecurity strategy to make them resilient against threats.
Hollywood has taught us to think of hackers as lone crusaders living in their mothers’ basements, armed with a laptop and a streak of anarchy. But cyber threats are more dynamic than that. Malicious attackers employ sophisticated, adaptive means to hack their chosen targets. They are often well-funded – data is big money – and they choose their tools carefully.
Hackers are human, dynamic, and creative – it’s not enough to install an out-of-the-box cybersecurity system to keep them out. Companies need a cyber guardian who can beat the hackers at their own game: a cybersecurity analyst.
Cybersecurity analysis is a rapidly growing job market. US spending on cybersecurity for 2018 is projected at over $66 billion. A cybersecurity analyst’s job is to think several steps ahead of any cyber threat, and help CEOs make sure they’re getting the most out of their cybersecurity budget.
A cybersecurity analyst has three primary responsibilities:
1. Understand the technology infrastructure of their organization, and the weak spots unique to that setup.
Cyberanalysts identify an organization’s internal assets and systems that are vulnerable to attack. They develop an in-depth knowledge of how the network operates, and identify the key strategies a cyber intruder might use to attack the system.
2. Design and implement a mitigation strategy against attacks.
Cyberanalysts take their intimate knowledge of an organization and use it to design a plan of action to defend the systems, network, and data that might be vulnerable in the event of a cyber attack. This is no pre-packaged watchdog, but a tailor-made solution to complement the unique setup of a business.
“Everyone understands that you need good security people at the back end,” says Malcolm Marshall, Global Head of Cyber Security at KPMG. “But to design new products, embed new technologies and launch into new markets with a high level of confidence, you need good security people at the vanguard, working with designers and marketers. You need talented people who can make sure the customer experience is enjoyable rather than a security nightmare.”
3. Act as a rapid responder when security incidents occur.
A cybersecurity breach is virtually inevitable, but there is a brief window of time between the initial invasion of the network and the eventual access to sensitive data. Cyber intruders cast a wide net, looking for vulnerabilities across a broad network, because all they need is one open door to enter a network. Once inside, they take their time getting to know the internal workings of the systems, figuring out how to manipulate your systems against you to extract valuable data. A cybersecurity analyst is there to watch for unusual behaviour on the network, recognise that an intruder is lurking there, and weed them out before they have a chance to infiltrate proprietary information.
For a cybersecurity analyst to be fully effective in these core responsibilities, they require an intimate knowledge of the systems they are employed to protect. This is why it’s not enough to outsource protection to a third party; you need a cyber watchdog who is committed to your systems, and yours alone.
The need for in-house cybersecurity officers is growing so fast, in fact, that the demand outstrips the supply. The Harvard VPAL Cybersecurity online short course is designed to equip aspiring cybersecurity analysts to meet the demands of a rapidly growing industry.
Course Convenor Eric Rosenbach: “Professionals interested in cyber risk must understand key recent cyber attacks and apply lessons learned to management issues in their organizations. Therefore, throughout this course we will study and discuss case studies of recent real-world cyber events, such as the hacks on Sony, Target and Yahoo.”
Forward-thinking executives who wish to understand the scope of the demands they face will find this course an excellent opportunity to educate themselves and the staff members they’ve tasked with the cybersecurity strategy of their business.