Why Cybersecurity Isn’t Only a Tech Problem | HBR IdeaCast | Podcast

00:27:37
https://www.youtube.com/watch?v=BjjjrNAM_Qk

Summary

TLDR: In this episode of HBR IdeaCast, Alison Beard talks with Thomas Parenty and Jack Domet, cofounders of the cybersecurity firm Archefact Group, about managing cyber risks from a business perspective rather than purely a technology standpoint. They argue that many companies are failing at cybersecurity because they treat it as an IT responsibility rather than a critical business risk. The discussion highlights the need for companies to start from their most important business activities and the ways cyber attacks could disrupt them. The guests propose a 'cyber threat narrative' that involves the different business units in understanding and mitigating these risks. They also discuss why compliance-focused cybersecurity efforts do not necessarily equate to real protection against threats. Effective cybersecurity requires understanding and engagement from all levels of an organization so that it can adapt as both the business and the threats change.

Takeaways

  • 🔐 Cybersecurity needs to be a business priority, not just an IT issue.
  • 🏢 Companies should focus on protecting critical business activities.
  • 🛡 Focusing solely on compliance does not ensure real security.
  • 🧩 Engage non-tech leaders by treating cyber risks as business risks.
  • 💥 Effective cybersecurity involves understanding potential business impacts.
  • 🔄 Organizations need to adapt continuously to cyber threats.
  • 🔍 Cyber threat narratives help identify what matters most to a business.
  • 🏗 Structural changes in companies could enhance cybersecurity focus.
  • 📈 Invest in internal capability to recognize and mitigate risks.
  • 🧑‍💻 Employees' understanding of cybersecurity must go beyond generic training.

Timeline

  • 00:00:00 - 00:05:00

    Many leading companies have suffered cyber-attacks, disrupting business-critical activities and compromising customer data. Today's guests emphasize that cybersecurity should be a top priority for all leaders, not just IT. Companies should view cyber risks as significant business problems rather than just technical issues. Thomas Parenty and Jack Domet argue that companies must reassess their approach, treating cybersecurity as a business-wide concern.

  • 00:05:00 - 00:10:00

    Many companies invest heavily in cybersecurity but still fall victim to attacks because they don't prioritize their key business activities. The focus should be on how cyber-attacks could disrupt these activities. Compliance with standards without understanding actual business risks can lead to vulnerabilities. Cybersecurity should not be just a technical responsibility but should involve understanding the broader business context.

  • 00:10:00 - 00:15:00

    Companies often don't involve non-tech leaders in cybersecurity discussions, leading to a narrow focus. It is crucial to treat cyber risks as business risks. Starting the conversation with business owners, to identify critical assets and activities, makes the potential cyber threats to those activities understandable. Engaging non-technical leaders also counters the perception that cybersecurity is too complex for them to understand, a perception that leads them to delegate it entirely and disregard it.

  • 00:15:00 - 00:20:00

    An example of a failed cybersecurity strategy: an Asian car manufacturer, after a breach, moved its vehicle-development network inside the corporate network, which locked out the partner-company staff who worked alongside its engineers. To get their work done, employees created fake employee accounts for these external contractors, giving outsiders full access to the corporate intranet. Employees prioritize getting the job done over abstract cybersecurity concepts and will bypass measures that hinder their work. Cybersecurity must therefore balance protection against interference with productive work, which means tailoring security to specific workflows and their actual risks.

  • 00:20:00 - 00:27:37

    Organizations are advised to understand their assets and environments to identify adversaries, focusing on internal capability to recognize risks. Cybersecurity needs to be dynamic, adapting to business changes such as mergers or new product launches. Companies need constant cybersecurity reviews during business changes, ensuring that this review process is integrated without hindering operations. Smaller companies should also focus on critical activities as a strategy against cyber risks.


Video Q&A

  • What companies have experienced cyberattacks recently?

    Some companies like Apple, JPMorgan Chase, Marriott, and British Airways have experienced cyberattacks in recent years.

  • Why is focusing only on technology not sufficient for cybersecurity?

    Focusing only on technology can be misleading as it may not prioritize protecting the most critical business activities. It's essential to address cyber risks as significant business problems.

  • What approach do the guests suggest for cybersecurity management?

    Thomas Parenty and Jack Domet suggest using a cyber threat narrative approach, involving interdisciplinary efforts and focusing on business-critical activities and risks.

  • What issue arises from cybersecurity teams focusing solely on compliance?

    Focusing solely on compliance can lead to a false sense of security and may result in ignoring actual business risks and cybersecurity threats.

  • How can organizations involve non-technical leaders in cybersecurity discussions?

    Non-technical leaders should be involved by changing the conversation to focus on cyber risks as business risks and not just technology issues.

  • What can happen if cybersecurity measures disrupt business operations?

    If cybersecurity measures disrupt business operations, employees may bypass these measures, leading to potential vulnerabilities.

  • Where should the responsibility for cybersecurity rest in a company?

    Responsibility should ideally rest with a leader whose interests align with the most significant business risks, potentially not just within IT or reporting directly to the CEO.

  • How should smaller businesses approach cybersecurity?

    Smaller businesses should focus on what business activities are critical, rather than just implementing known cybersecurity measures.

  • What is a cyber threat narrative?

    A cyber threat narrative is an approach that involves identifying business-critical activities and assessing how cyber threats could impact those activities.

  • What is the value of security awareness training?

    Security awareness training should focus more on the specific cybersecurity implications of employees' own work rather than just generic good practices.

Subtitles (en)
  • 00:00:00
    [MUSIC PLAYING]
  • 00:00:10
    ALISON BEARD: Welcome to the HBR IdeaCast
  • 00:00:12
    from Harvard Business Review.
  • 00:00:13
    I'm Alison Beard.
  • 00:00:22
    From Apple and JPMorgan Chase to Marriott and British Airways,
  • 00:00:25
    some of the most sophisticated companies in the world
  • 00:00:27
    have fallen victim to cyber attacks in recent years.
  • 00:00:31
    Business critical activities have been disrupted.
  • 00:00:33
    Customer data has been compromised.
  • 00:00:35
    And the threats continue.
  • 00:00:37
    So what can organizations do to prevent themselves
  • 00:00:40
    from becoming the next target?
  • 00:00:42
    By now, most accept that they need
  • 00:00:44
    to invest significant cash and resources
  • 00:00:46
    into cybersecurity capabilities.
  • 00:00:48
    But too often, this important job
  • 00:00:51
    is left to IT leaders rather than the full C-suite
  • 00:00:54
    and board.
  • 00:00:55
    Today's guests say that companies
  • 00:00:57
    need to take a much different approach with leaders
  • 00:01:00
    at the very top thinking about cyber risks
  • 00:01:02
    as not just a technology issue but a significant business
  • 00:01:06
    problem to be solved.
  • 00:01:07
    Thomas Parenty and Jack Domet are
  • 00:01:09
    cofounders of the cybersecurity firm Archefact Group
  • 00:01:12
    and coauthors of the HBR article,
  • 00:01:14
    "Sizing Up Your Cyber Risks" as well as the HBR press
  • 00:01:18
    book, A Leader's Guide To Cybersecurity.
  • 00:01:21
    Thomas and Jack, thanks so much for being here.
  • 00:01:23
    THOMAS PARENTY: We're so happy to have the opportunity
  • 00:01:25
    to talk with you today.
  • 00:01:26
    JACK DOMET: Thanks for having us.
  • 00:01:28
    [MUSIC PLAYING]
  • 00:01:36
    ALISON BEARD: Presumably, a lot of these companies
  • 00:01:38
    that are hit take some precautions to protect
  • 00:01:41
    themselves.
  • 00:01:43
    So where are they going wrong?
  • 00:01:44
    THOMAS PARENTY: We have come to the realization
  • 00:01:47
    that, essentially, worldwide we're failing at cybersecurity
  • 00:01:50
    and that, in spite of all of the investment
  • 00:01:52
    and public attention, the number and impact of cyber attacks
  • 00:01:56
    is only rising.
  • 00:01:57
    In some sense, that's the reason that we're talking right now.
  • 00:02:00
    And you can think of our current cybersecurity situation
  • 00:02:04
    today as comparable to trench warfare in World War I.
  • 00:02:08
    The progress is negligible, and the casualties are high.
  • 00:02:12
    There are several reasons why the focus on cybersecurity
  • 00:02:17
    and cybersecurity technology ends up undercutting
  • 00:02:20
    its capacity to protect.
  • 00:02:22
    First, no company has all of the resources
  • 00:02:24
    to fix every cybersecurity issue.
  • 00:02:26
    And not all fixes are equally important.
  • 00:02:29
    It's only by starting with a company's most
  • 00:02:32
    critical business activities and how cyber attacks could disrupt
  • 00:02:36
    them that one can start to prioritize this whole process
  • 00:02:39
    of risk mitigation.
  • 00:02:41
    Unfortunately, there are many companies
  • 00:02:43
    who sort of skip this step of first thinking about what
  • 00:02:49
    are the most important business activities that could
  • 00:02:51
    be disrupted by a cyber attack.
  • 00:02:53
    And instead, they end up focusing
  • 00:02:57
    on individual technologies to fix individual problems
  • 00:03:01
    within their computer systems.
  • 00:03:05
    The focus on fixing these computer
  • 00:03:07
    vulnerabilities, it's seductively dangerous
  • 00:03:10
    because there is some value here.
  • 00:03:12
    However, a company can spend all of its resources,
  • 00:03:15
    significant resources, fixing these vulnerabilities
  • 00:03:18
    without ever addressing the fundamental issue, which
  • 00:03:22
    is protecting the business activities for which
  • 00:03:24
    the computers were procured.
  • 00:03:26
    ALISON BEARD: So you're basically
  • 00:03:27
    having the IT department say, well, we're compliant
  • 00:03:31
    and best practices for a lot of these systems when they're not
  • 00:03:35
    taking into account the most important business functions
  • 00:03:39
    that these systems are protecting.
  • 00:03:42
    THOMAS PARENTY: There are numerous examples of vendors,
  • 00:03:45
    including Target, who were compliant
  • 00:03:48
    with the relevant payment card security
  • 00:03:51
    standards at the very moment that they
  • 00:03:54
    were successfully hacked.
  • 00:03:57
    For certain companies, especially
  • 00:03:59
    those in highly regulated industries
  • 00:04:01
    such as financial services, they are
  • 00:04:04
    subject to so many different compliance requirements
  • 00:04:08
    that what effectively happens is they translate
  • 00:04:12
    in their minds being compliant with requirements as equivalent
  • 00:04:16
    to being adequately protected and ends up
  • 00:04:20
    actually diminishing the security of these companies as
  • 00:04:23
    opposed to achieving its goal of increasing protection.
  • 00:04:26
    ALISON BEARD: So, Jack, you're the management expert.
  • 00:04:29
    Why do organizations operate this way?
  • 00:04:34
    Why aren't they thinking more holistically
  • 00:04:36
    about business risks?
  • 00:04:38
    JACK DOMET: Well, part of that starts from the fact
  • 00:04:41
    that, since its very inception, cybersecurity has been--
  • 00:04:45
    it's come out of the technology department.
  • 00:04:48
    And it's been looked at in terms of an attack and defense
  • 00:04:52
    technology paradigm versus one that's
  • 00:04:55
    related to any other complex business risks
  • 00:04:57
    that a company might face.
  • 00:05:00
    Now, there's no question that, given
  • 00:05:02
    the neglect of cybersecurity over time
  • 00:05:04
    by most companies in the past, many companies do, in fact,
  • 00:05:08
    need to invest more.
  • 00:05:09
    But as Thomas mentioned, companies
  • 00:05:12
    like the ones in the financial services
  • 00:05:14
    space with really large cybersecurity budgets
  • 00:05:17
    don't nearly get the cyber protection benefit
  • 00:05:19
    that they should given the dollars that they spend.
  • 00:05:23
    And we have an example of one of our financial services clients
  • 00:05:26
    that spent about $3 million a year
  • 00:05:29
    on cyber threat intelligence.
  • 00:05:31
    But when we asked them for examples
  • 00:05:33
    as to where they actually changed
  • 00:05:35
    their cybersecurity protections or strategies
  • 00:05:38
    on the basis of this intelligence,
  • 00:05:39
    they were silent--
  • 00:05:41
    $3 million year after year without any actionable result.
  • 00:05:45
    ALISON BEARD: And in your experience,
  • 00:05:47
    is it hard to get nontech leaders to really understand
  • 00:05:52
    and get involved in these issues?
  • 00:05:54
    JACK DOMET: Well, many companies don't do it.
  • 00:05:56
    It isn't hard to get them engaged on the process
  • 00:05:59
    if you change the nature of the conversation,
  • 00:06:01
    if you change the starting point from which
  • 00:06:03
    these conversations begin.
  • 00:06:05
    And that really starts with looking at cyber risks
  • 00:06:09
    as a business risk that could come and occur
  • 00:06:12
    as a result of a cyber attack.
  • 00:06:14
    ALISON BEARD: So how do you kick off that kind of conversation
  • 00:06:16
    with senior leaders at a company and the senior tech people?
  • 00:06:21
    JACK DOMET: Well, it's an interdisciplinary process.
  • 00:06:23
    The approach that we take and that we introduce, actually,
  • 00:06:27
    in the article is called a cyber threat narrative
  • 00:06:29
    where we bring resources from across the organization
  • 00:06:33
    starting with a business owner, someone who's
  • 00:06:35
    running a business unit, someone who has responsibility for P&L,
  • 00:06:39
    to understand where are the business
  • 00:06:42
    risks in their organization.
  • 00:06:44
    What's actually important?
  • 00:06:45
    What assets are critical to their operations?
  • 00:06:48
    What activities do they do that provide competitive advantage
  • 00:06:51
    to them and their organization and their business unit?
  • 00:06:55
    Once those are identified, you're in a better position
  • 00:06:57
    to engage with other resources throughout the organization
  • 00:07:01
    to help quantify what those risks are
  • 00:07:04
    and bring in the IT department and your cybersecurity
  • 00:07:09
    resources to understand what the threat environment might be
  • 00:07:12
    that might affect those risks in some way
  • 00:07:14
    or make them to come about.
  • 00:07:15
    THOMAS PARENTY: One of the dynamics
  • 00:07:18
    that we are working to change is this perception
  • 00:07:23
    on the part of nontechnical business leaders
  • 00:07:26
    that the cybersecurity field is so complex, so impenetrable,
  • 00:07:30
    that they would never be able to understand it.
  • 00:07:33
    And so it just is logical to delegate that,
  • 00:07:36
    or we actually say, abrogate that responsibility
  • 00:07:40
    to either cybersecurity or IT staff.
  • 00:07:42
    Just as is true of every other business domain, what
  • 00:07:48
    you need to know about it depends on your role
  • 00:07:50
    and responsibilities.
  • 00:07:51
    And what boards of directors, senior executives, and managers
  • 00:07:55
    need to know about cybersecurity is significantly
  • 00:07:59
    different from that required by somebody
  • 00:08:02
    who is rolling up their sleeves and, if you will,
  • 00:08:06
    operating on the bits and bytes of a computer.
  • 00:08:09
    ALISON BEARD: Yeah.
  • 00:08:10
    Where have you seen a company that
  • 00:08:11
    hasn't been using that cyber threat narrative process go
  • 00:08:17
    really wrong and miss a big hole in their systems
  • 00:08:22
    and be attacked?
  • 00:08:23
    THOMAS PARENTY: One example that comes to mind
  • 00:08:25
    is an Asian automobile manufacturer
  • 00:08:28
    that we worked with a number of years ago.
  • 00:08:30
    And they had suffered a breach.
  • 00:08:31
    And in the aftermath of the breach,
  • 00:08:35
    the cybersecurity team was tasked with making us so secure
  • 00:08:39
    that this never happens again.
  • 00:08:41
    And so the cybersecurity team decided
  • 00:08:44
    to put the network used for the development of new automobiles
  • 00:08:48
    inside their corporate network because they thought,
  • 00:08:52
    ah, an attacker would need to go through two networks
  • 00:08:55
    in order to be able to then steal information.
  • 00:08:58
    In principle, that sounds like a wonderful idea
  • 00:09:01
    except there were colleagues from other partner companies
  • 00:09:05
    that work side by side with these automobile manufacturer
  • 00:09:09
    employees.
  • 00:09:09
    And they were now locked out.
  • 00:09:12
    And so the only way that they could get their work done
  • 00:09:15
    was to create fake employee accounts for all
  • 00:09:19
    of these external contractors.
  • 00:09:21
    And they did this knowing that this was perhaps not the best
  • 00:09:25
    thing from a cybersecurity perspective,
  • 00:09:27
    but it's what they needed to do in order to get their job done.
  • 00:09:31
    And so this illustrates a couple of points, one of which
  • 00:09:33
    is the cybersecurity people had no idea how
  • 00:09:37
    the company that they worked for actually designed cars.
  • 00:09:40
    And so they proposed security mechanisms
  • 00:09:42
    that both interfered with work and ended up
  • 00:09:45
    resulting in the company being more vulnerable because all
  • 00:09:49
    of these outsiders now had complete access
  • 00:09:52
    to the corporate intranet globally.
  • 00:09:54
    ALISON BEARD: Right.
  • 00:09:55
    THOMAS PARENTY: The other thing it points out
  • 00:09:56
    is that, when it comes to employees,
  • 00:10:00
    they are much more motivated by getting the job done for which
  • 00:10:03
    they are hired and paid than they
  • 00:10:06
    are about some abstract concept of cybersecurity.
  • 00:10:11
    And most companies would agree that employees
  • 00:10:13
    being resourceful to get their jobs done is a good thing.
  • 00:10:17
    However, in this particular case,
  • 00:10:19
    cybersecurity directly interfered with their work.
  • 00:10:24
    And so they saw no issue whatsoever
  • 00:10:27
    in going around those protections.
  • 00:10:29
    ALISON BEARD: Were they then attacked again?
  • 00:10:31
    THOMAS PARENTY: One of the sort of insidious things
  • 00:10:35
    about this particular situation is,
  • 00:10:37
    because all of these outsiders were now treated as insiders,
  • 00:10:43
    we have no idea what they did.
  • 00:10:46
    ALISON BEARD: I mean, this is a really important point
  • 00:10:48
    because we're told not to use open Wi-Fi at cafes
  • 00:10:53
    or ever give our password to anyone.
  • 00:10:56
    But there are times when you just think, no, I really
  • 00:10:58
    have to send that email out.
  • 00:10:59
    The work needs to get done.
  • 00:11:01
    So how should organizations walk that line
  • 00:11:04
    between putting in proper precautions,
  • 00:11:06
    but also ensuring that people still can be efficient?
  • 00:11:12
    THOMAS PARENTY: We've found that cybersecurity writ large
  • 00:11:16
    is full of platitudes that seem obvious and compelling
  • 00:11:20
    at first read.
  • 00:11:20
    But if you think about them more thoughtfully,
  • 00:11:23
    they're sometimes misinformed.
  • 00:11:25
    One example where this often comes into play
  • 00:11:28
    is a class of cyber attack called phishing.
  • 00:11:31
    People often open attachments because you read your email.
  • 00:11:36
    And occasionally, those attachments result
  • 00:11:39
    in malware being downloaded onto their computers.
  • 00:11:42
    And attackers have become savvier over time.
  • 00:11:45
    It's not just Nigerian princes who want you to give millions.
  • 00:11:49
    They'll do research specific about you
  • 00:11:53
    to your LinkedIn account, et cetera,
  • 00:11:54
    so they can deliver a very targeted attack.
  • 00:11:56
    Yet the common thing that cybersecurity departments
  • 00:12:01
    typically put into place is what's
  • 00:12:03
    called security awareness training to educate--
  • 00:12:06
    ALISON BEARD: I just completed mine.
  • 00:12:08
    THOMAS PARENTY: You just did, see?
  • 00:12:10
    We could then ask, what is the value
  • 00:12:12
    that you derived from taking this security training?
  • 00:12:16
    Don't answer that.
  • 00:12:19
    ALISON BEARD: I do think I'm more careful,
  • 00:12:20
    but I think the big thing is the problem isn't necessarily
  • 00:12:25
    stemming from a phishing and phishing attack.
  • 00:12:28
    THOMAS PARENTY: So one of the things that is important
  • 00:12:30
    to note-- and this is something that is illustrated both
  • 00:12:34
    by your security awareness training and also
  • 00:12:36
    by the example from the automobile company--
  • 00:12:39
    is that, while it is common for security training
  • 00:12:43
    to talk about generic good things
  • 00:12:46
    to do-- so if you're in a Wi-Fi hotspot,
  • 00:12:48
    use a VPN so that the person sipping a latte next to you
  • 00:12:52
    isn't also reading your email.
  • 00:12:54
    But what is missing is informing employees
  • 00:12:58
    about the cybersecurity implications of their own work.
  • 00:13:03
    ALISON BEARD: Right.
  • 00:13:04
    THOMAS PARENTY: And so this requires
  • 00:13:06
    actually going beyond a list of generic good things
  • 00:13:10
    to do to actually looking at how an employee
  • 00:13:15
    functions in their day to day work life and how the actions
  • 00:13:20
    they perform either discourage a cyber attack from being
  • 00:13:24
    successful or lay the groundwork for a cyber attack
  • 00:13:28
    on the critical business activity
  • 00:13:30
    that they are involved in from being effective.
  • 00:13:33
    ALISON BEARD: So I mean, every company is a technology company
  • 00:13:36
    now because we're all digital.
  • 00:13:37
    We might all even be using all the same systems,
  • 00:13:40
    but our cyber threat narratives will be very different
  • 00:13:43
    if we're an oil company versus a credit card company.
  • 00:13:46
    JACK DOMET: Even within a company,
  • 00:13:48
    where are your locations?
  • 00:13:50
    What are your different business units?
  • 00:13:51
    Each of these have different characteristics.
  • 00:13:53
    They vary widely.
  • 00:13:54
    And those might be the products and services that that business
  • 00:13:58
    unit does, or its location and the regulatory regime
  • 00:14:02
    and geopolitical environment that
  • 00:14:03
    lives within that location, or their supply
  • 00:14:06
    chain, or their customers, or their products and services, et
  • 00:14:09
    cetera.
  • 00:14:09
    All those things add together to drive a very different risk
  • 00:14:12
    profile.
  • 00:14:13
    ALISON BEARD: So you talk in the article
  • 00:14:15
    about imagining not only the threats,
  • 00:14:18
    but also who your adversaries are.
  • 00:14:20
    How do you do that sort of when what you're trying to do
  • 00:14:24
    is keep up with criminals who are constantly
  • 00:14:27
    trying to find new tools and strategies to get at you?
  • 00:14:31
    THOMAS PARENTY: So I would say that the strategies
  • 00:14:33
    that criminals or others use to attack you is one issue.
  • 00:14:40
    And it is certainly relevant for cybersecurity staff
  • 00:14:44
    to keep abreast of the latest techniques
  • 00:14:46
    that cyber adversaries might use.
  • 00:14:49
    However, in terms of identifying those cyber adversaries,
  • 00:14:53
    that is something that is, for the most part,
  • 00:14:56
    a very business-oriented activity that doesn't
  • 00:14:59
    require technical knowledge.
  • 00:15:01
    There are a couple of ways in which companies can
  • 00:15:04
    start to address that issue.
  • 00:15:05
    One of which is, what do they have that would
  • 00:15:08
    be of value to someone else?
  • 00:15:10
    That could be the design of a product.
  • 00:15:13
    It could be a collection of customers.
  • 00:15:15
    By identifying what a company has that could be a value,
  • 00:15:19
    that's one way of looking at it.
  • 00:15:21
    Another avenue that companies can take
  • 00:15:24
    is, is there anything about the business
  • 00:15:27
    that the company is in, the way in which it operates,
  • 00:15:31
    that might attract some sort of attacker?
  • 00:15:34
    With increasing discussions about climate change,
  • 00:15:37
    companies that are viewed as carbon negative
  • 00:15:43
    could attract this kind of attention.
  • 00:15:45
    Or if there was a case in which a company or an organization
  • 00:15:50
    was not being honest about certain of its business
  • 00:15:53
    practices, that could invite a cyber attacker.
  • 00:15:56
    In point of fact, that would be the situation
  • 00:15:59
    that my former employer, NSA, was in with respect
  • 00:16:03
    to Edward Snowden.
  • 00:16:04
    Depending on where a company operates,
  • 00:16:09
    the adversaries it might face in one area
  • 00:16:12
    could be very, very different from the adversaries
  • 00:16:15
    they could face in another part of their business,
  • 00:16:19
    in another part of the world.
  • 00:16:20
    ALISON BEARD: Right.
  • 00:16:21
    And I don't want to make it seem like you're
  • 00:16:24
    advertising your business.
  • 00:16:26
    But because these issues are so complicated and so different
  • 00:16:30
    from function to function and company
  • 00:16:31
    to company and geography to geography,
  • 00:16:34
    do organizations need to bring in outside help and expertise?
  • 00:16:37
    JACK DOMET: One of the things that we
  • 00:16:39
    talk about in the book is the importance of building
  • 00:16:42
    an internal capability to recognize
  • 00:16:44
    what really truly drives your cyber risk going forward.
  • 00:16:47
    And oftentimes, those are changes
  • 00:16:50
    in the way you do business because most of those new cyber
  • 00:16:52
    risks come less from a new type of technical attack.
  • 00:16:57
    It's actually that merger that you're about to go through,
  • 00:17:00
    or that new product that you're about to launch,
  • 00:17:02
    or that change to that internal application that you have.
  • 00:17:06
    Those are all things that change the way
  • 00:17:09
    that you're doing business.
  • 00:17:11
    And those changes have implications
  • 00:17:14
    as it relates to the risk that you face.
  • 00:17:17
    ALISON BEARD: So whether an attack is
  • 00:17:19
    simple or sophisticated, are you saying
  • 00:17:21
    that companies are able to prevent them
  • 00:17:24
    if they take the right steps?
  • 00:17:26
    THOMAS PARENTY: In all areas of risk,
  • 00:17:28
    whether it be financial risk, physical risk, or cyber risk,
  • 00:17:32
    there are no guarantees that what you do
  • 00:17:36
    will be sufficient to fend off the attack
  • 00:17:39
    that you actually face.
  • 00:17:40
    However, if you actually have focus
  • 00:17:44
    on knowing what is important to protect,
  • 00:17:48
    understanding the kinds of cyber attacks
  • 00:17:51
    that could compromise critical activities,
  • 00:17:55
    you are in a much, much better place
  • 00:17:58
    to defend yourself properly than if you take more of a shotgun
  • 00:18:03
    approach of, well, this is a general vulnerability.
  • 00:18:07
    And so I'm going to buy a box that takes care of that.
  • 00:18:11
    ALISON BEARD: How frequently do leaders
  • 00:18:13
    of a company or a function need to be reviewing and then
  • 00:18:18
    revising what their plan is?
  • 00:18:21
    JACK DOMET: I mean, it's an ongoing exercise, right?
  • 00:18:23
    I mean, it's not a one-off thing.
  • 00:18:25
    ALISON BEARD: Right.
  • 00:18:25
    JACK DOMET: This is something that's dynamic.
  • 00:18:27
    And so our point before in terms of where
  • 00:18:29
    to look for cyber risk, where to anticipate them,
  • 00:18:32
    it generally relates to changes that you're
  • 00:18:34
    making to your business, whether it's a new product that you're
  • 00:18:36
    launching, a new geography that you're getting into,
  • 00:18:40
    a new supply chain partner that you're working with.
  • 00:18:43
    All these point to changes in the way that you do business.
  • 00:18:46
    These introduce changes in technology because of the way
  • 00:18:49
    that we work today.
  • 00:18:50
    And those changes in the technology and the way
  • 00:18:52
    you do business invite you to do new things with your business
  • 00:18:57
    that drives new risks.
  • 00:18:58
    ALISON BEARD: Right.
  • 00:18:59
    THOMAS PARENTY: And so in some sense,
  • 00:19:00
    the one answer is that companies need
  • 00:19:04
    to incorporate into all of the processes used
  • 00:19:08
    for making change some type of cybersecurity review.
  • 00:19:14
    Now, this does not have to be and should not
  • 00:19:17
    be a terribly onerous and time consuming activity.
  • 00:19:21
    Because, one, that will get in the way of doing business.
  • 00:19:25
    And as we've discussed previously,
  • 00:19:27
    people will find a way around it.
  • 00:19:29
    But it is important to make sure that when
  • 00:19:32
    companies are undertaking the changes that will introduce
  • 00:19:35
    new cyber risk that they are at least paying attention to that.
  • 00:19:38
    ALISON BEARD: Are there ways that companies
  • 00:19:40
    should restructure themselves to make sure
  • 00:19:42
    that people at every level and in every part
  • 00:19:45
    of the organization are thinking about cybersecurity
  • 00:19:48
    in a more careful way?
  • 00:19:49
    JACK DOMET: Yeah.
  • 00:19:50
    I mean, it's about building-- well, there's
  • 00:19:52
    a few different things.
  • 00:19:55
    One area that we look at is building
  • 00:19:58
    an internal organizational capability
  • 00:20:00
    to deal with this change management process
  • 00:20:03
    that companies go through.
  • 00:20:05
    As Thomas was mentioning, we do need to have cybersecurity
  • 00:20:08
    reviews as you change your business just
  • 00:20:10
    like you look at other risks.
  • 00:20:12
    Another area where we think about organization and cyber
  • 00:20:17
    is where do you put the capability
  • 00:20:20
    for managing cybersecurity.
  • 00:20:23
    Many companies, including probably 2/3
  • 00:20:26
    of the Fortune 500, have what's called a Chief Information
  • 00:20:30
    Security Officer, commonly referred to as a CISO,
  • 00:20:34
    to have rolled up responsibility for dealing with cyber risk
  • 00:20:40
    and deciding what risks need to be managed
  • 00:20:42
    and what investments need to be made.
  • 00:20:45
    But there are some issues in terms of where
  • 00:20:47
    that CISO might report.
  • 00:20:49
    Oftentimes, because this has traditionally been a technology
  • 00:20:52
    issue, the CISO may report to a CIO, a Chief Information
  • 00:20:57
    Officer, who would be responsible for developing
  • 00:21:03
    software or deploying computer capabilities.
  • 00:21:06
    But the incentives for someone who's in charge of security
  • 00:21:10
    and the incentives for someone who's
  • 00:21:11
    in charge of building applications
  • 00:21:15
    are very, very different.
  • 00:21:16
    ALISON BEARD: Yeah.
  • 00:21:17
    So that person should maybe be reporting to the CEO instead?
  • 00:21:22
    JACK DOMET: The CEO, while it would
  • 00:21:25
    appear to be the best place for cybersecurity to report to,
  • 00:21:29
    actually is not.
  • 00:21:31
    Because one of the longstanding problems with cybersecurity
  • 00:21:35
    is that it has lived in a silo frequently within the IT
  • 00:21:39
    department.
  • 00:21:40
    But it lives someplace else that made
  • 00:21:42
    it very easy for other business leaders to ignore it
  • 00:21:47
    and say it's somebody else's problem.
  • 00:21:49
    And so if it reported to the CEO,
  • 00:21:53
    the natural conclusion would be, ah, it's taken care of.
  • 00:21:56
    After all, it reports to the CEO.
  • 00:21:58
    But a good CEO is successful because the people who
  • 00:22:02
    work for him get things done.
  • 00:22:05
    Based on our experience, when a company is looking
  • 00:22:09
    for a home for the cybersecurity organization,
  • 00:22:13
    they should first look at where their most significant cyber
  • 00:22:19
    risks reside as well as finding a corporate home where
  • 00:22:25
    the interests of the manager of cybersecurity
  • 00:22:29
    are completely aligned with the executive to whom he
  • 00:22:33
    or she reports.
  • 00:22:34
    ALISON BEARD: So we've been talking
  • 00:22:35
    about a lot of big companies.
  • 00:22:37
    How should smaller organizations deal with these threats?
  • 00:22:42
    On one hand, they're less likely to be targets.
  • 00:22:46
    But then on the other hand, they have less money
  • 00:22:48
    to invest and sort of fewer resources to throw at it.
  • 00:22:53
    THOMAS PARENTY: So our advice for companies of any size
  • 00:22:56
    is the same.
  • 00:22:57
    Focus on your company's most significant activities
  • 00:23:00
    and the business risks they face.
  • 00:23:02
    And then you can think about how a cyber attack could cause
  • 00:23:05
    these risks to materialize.
  • 00:23:07
    Several years ago, I was talking with an electrician who was
  • 00:23:10
    doing some work in my house.
  • 00:23:11
    And when he learned I worked in the cybersecurity field,
  • 00:23:14
    he told me he needed a firewall.
  • 00:23:16
    When I asked why, he replied that he thought his business
  • 00:23:19
    partner was cheating him.
  • 00:23:21
    I told him a firewall wouldn't help reduce his risk
  • 00:23:24
    because firewalls help protect against attacks originating
  • 00:23:28
    from the internet, not from the office where
  • 00:23:30
    both he and his partner sat.
  • 00:23:32
    ALISON BEARD: Right.
  • 00:23:32
    THOMAS PARENTY: That he immediately
  • 00:23:34
    jumped from a cyber risk, his partner misusing computers
  • 00:23:37
    to steal from him, to a technology fix
  • 00:23:39
    is common and, therefore, completely understandable.
  • 00:23:43
    That a firewall would come to mind also
  • 00:23:46
    makes sense because firewalls are well-known,
  • 00:23:48
    if not well-understood.
  • 00:23:50
    ALISON BEARD: OK.
  • 00:23:50
    So let's say that the worst happens.
  • 00:23:53
    Either you haven't followed your advice
  • 00:23:55
    and you're hit with an attack, or you have tried your best.
  • 00:23:59
    And somehow the criminals have still gotten to you.
  • 00:24:02
    What are some of the best practices
  • 00:24:04
    for recovering from that?
  • 00:24:05
    THOMAS PARENTY: OK, so the first element
  • 00:24:08
    is that, while one should always focus on proactive measures,
  • 00:24:14
    one does need to take into account
  • 00:24:16
    that under some circumstances you
  • 00:24:19
    will have to respond to some sort of cyber breach.
  • 00:24:23
    And this is, again, a responsibility
  • 00:24:27
    that falls not just to cybersecurity staff,
  • 00:24:31
    but also to the leadership of a company.
  • 00:24:33
    A company needs to have the technical capabilities
  • 00:24:36
    to respond to the most likely forms of cyber attack
  • 00:24:42
    on their most critical business activities.
  • 00:24:45
    If you understand what those activities are and those
  • 00:24:47
    cyber threats, that is something you can prepare ahead of time.
  • 00:24:51
    From an executive perspective, they
  • 00:24:54
    need to be in a position to make decisions and publicly
  • 00:24:59
    engage in the aftermath of said cyber attack,
  • 00:25:03
    essentially to prethink the consequences
  • 00:25:08
    and prethink the decisions they will need to make, if you will,
  • 00:25:12
    in the clear light of day as opposed to in the fog of war.
  • 00:25:16
    ALISON BEARD: So if I'm a manager with no expertise
  • 00:25:19
    in these issues, where should I start to get more up to speed?
  • 00:25:25
    THOMAS PARENTY: What they can do
  • 00:25:28
    is simply have different discussions
  • 00:25:30
    with the cybersecurity people that they already
  • 00:25:32
    have in-house.
  • 00:25:34
    Again, start the conversation with,
  • 00:25:38
    here's a critical business activity.
  • 00:25:40
    These are the concerns I have as a nontechnical business
  • 00:25:44
    manager in terms of what could go wrong.
  • 00:25:47
    Now, talk to me, cybersecurity and IT people,
  • 00:25:51
    about, one, what are the systems that support this activity so I
  • 00:25:55
    know where you need to prioritize
  • 00:25:59
    the attention that you give.
  • 00:26:00
    And second, talk to me about how the cyber attacks
  • 00:26:04
    that you know and follow would be
  • 00:26:06
    able to compromise the systems supporting my business.
  • 00:26:10
    And what are the sorts of impact?
  • 00:26:13
    If you have this conversation from the perspective of talk
  • 00:26:18
    to me about how my business could be compromised instead
  • 00:26:22
    of telling me what vulnerabilities
  • 00:26:24
    need to be fixed with whatever priority,
  • 00:26:27
    then you'll get somewhere.
  • 00:26:29
    ALISON BEARD: Thank you all so much for talking with me today.
  • 00:26:32
    THOMAS PARENTY: It has been our pleasure.
  • 00:26:34
    JACK DOMET: Thanks for having us.
  • 00:26:35
    [MUSIC PLAYING]
  • 00:26:38
    ALISON BEARD: That's Thomas Parenty and Jack Domet,
  • 00:26:40
    cofounders of the cybersecurity firm Archefact Group.
  • 00:26:43
    They're also the coauthors of the HBR article
  • 00:26:45
    "Sizing Up Your Cyber Risks" and the HBR Press book, A Leader's
  • 00:26:49
    Guide to Cybersecurity.
  • 00:26:57
    This episode was produced by Mary Dooe.
  • 00:26:59
    We get technical help from Rob Eckhardt.
  • 00:27:01
    Adam Buchholz is our audio product manager.
  • 00:27:07
    Thanks for listening to the HBR IdeaCast.
  • 00:27:10
    I'm Alison Beard.
  • 00:27:11
    [MUSIC PLAYING]
  • 00:27:14
Tags
  • Cybersecurity
  • Business Risks
  • Leadership
  • Compliance
  • Cyber Threat Narrative
  • IT Department
  • Cyber Attacks
  • Risk Management
  • Data Protection
  • Cyber Defence