00:00:00
[MUSIC PLAYING]

00:00:10
ALISON BEARD: Welcome to the HBR IdeaCast from Harvard Business Review. I'm Alison Beard.

00:00:22
From Apple and JPMorgan Chase to Marriott and British Airways, some of the most sophisticated companies in the world have fallen victim to cyber attacks in recent years. Business-critical activities have been disrupted. Customer data has been compromised. And the threats continue. So what can organizations do to prevent themselves from becoming the next target? By now, most accept that they need to invest significant cash and resources into cybersecurity capabilities. But too often, this important job is left to IT leaders rather than the full C-suite and board. Today's guests say that companies need to take a much different approach, with leaders at the very top thinking about cyber risks as not just a technology issue but a significant business problem to be solved. Thomas Parenty and Jack Domet are cofounders of the cybersecurity firm Archefact Group and coauthors of the HBR article "Sizing Up Your Cyber Risks" as well as the HBR Press book, A Leader's Guide to Cybersecurity. Thomas and Jack, thanks so much for being here.

00:01:23
THOMAS PARENTY: We're so happy to have the opportunity to talk with you today.

00:01:26
JACK DOMET: Thanks for having us.

00:01:28
[MUSIC PLAYING]
00:01:36
ALISON BEARD: Presumably, a lot of these companies that are hit take some precautions to protect themselves. So where are they going wrong?

00:01:44
THOMAS PARENTY: We have come to the realization that, essentially, worldwide we're failing at cybersecurity and that, in spite of all of the investment and public attention, the number and impact of cyber attacks is only rising. In some sense, that's the reason that we're talking right now. And you can think of our current cybersecurity situation today as comparable to trench warfare in World War I. The progress is negligible, and the casualties are high. There are several reasons why the focus on cybersecurity and cybersecurity technology ends up undercutting its capacity to protect. First, no company has all of the resources to fix every cybersecurity issue. And not all fixes are equally important. It's only by starting with a company's most critical business activities and how cyber attacks could disrupt them that one can start to prioritize this whole process of risk mitigation. Unfortunately, there are many companies who sort of skip this step of first thinking about what are the most important business activities that could be disrupted by a cyber attack. And instead, they end up focusing on individual technologies to fix individual problems within their computer systems. The focus on fixing these computer vulnerabilities is seductively dangerous because there is some value here. However, a company can spend all of its resources, significant resources, fixing these vulnerabilities without ever addressing the fundamental issue, which is protecting the business activities for which the computers were procured.

00:03:26
ALISON BEARD: So you're basically having the IT department say, well, we're compliant and following best practices for a lot of these systems, when they're not taking into account the most important business functions that these systems are protecting.

00:03:42
THOMAS PARENTY: There are numerous examples of vendors, including Target, who were compliant with the relevant payment card security standards at the very moment that they were successfully hacked. For certain companies, especially those in highly regulated industries such as financial services, they are subject to so many different compliance requirements that what effectively happens is they translate in their minds being compliant with requirements as equivalent to being adequately protected, and it ends up actually diminishing the security of these companies as opposed to achieving its goal of increasing protection.
00:04:26
ALISON BEARD: So, Jack, you're the management expert. Why do organizations operate this way? Why aren't they thinking more holistically about business risks?

00:04:38
JACK DOMET: Well, part of that starts from the fact that, since its very inception, cybersecurity has been-- it's come out of the technology department. And it's been looked at in terms of an attack and defense technology paradigm versus one that's related to any other complex business risks that a company might face. Now, there's no question that, given the neglect of cybersecurity over time by most companies in the past, many companies do, in fact, need to invest more. But as Thomas mentioned, companies like the ones in the financial services space with really large cybersecurity budgets don't nearly get the cyber protection benefit that they should given the dollars that they spend. And we have an example of one of our financial services clients that spent about $3 million a year on cyber threat intelligence. But when we asked them for examples as to where they actually changed their cybersecurity protections or strategies on the basis of this intelligence, they were silent-- $3 million year after year without any actionable result.
00:05:45
ALISON BEARD: And in your experience, is it hard to get nontech leaders to really understand and get involved in these issues?

00:05:54
JACK DOMET: Well, many companies don't do it. It isn't hard to get them engaged on the process if you change the nature of the conversation, if you change the starting point from which these conversations begin. And that really starts with looking at cyber risks as a business risk that could come and occur as a result of a cyber attack.

00:06:14
ALISON BEARD: So how do you kick off that kind of conversation with senior leaders at a company and the senior tech people?

00:06:21
JACK DOMET: Well, it's an interdisciplinary process. The approach that we take and that we introduce, actually, in the article is called a cyber threat narrative, where we bring resources from across the organization, starting with a business owner, someone who's running a business unit, someone who has responsibility for P&L, to understand where are the business risks in their organization. What's actually important? What assets are critical to their operations? What activities do they do that provide competitive advantage to them and their organization and their business unit? Once those are identified, you're in a better position to engage with other resources throughout the organization to help quantify what those risks are and bring in the IT department and your cybersecurity resources to understand what the threat environment might be that might affect those risks in some way or make them come about.

00:07:15
THOMAS PARENTY: One of the dynamics that we are working to change is this perception on the part of nontechnical business leaders that the cybersecurity field is so complex, so impenetrable, that they would never be able to understand it. And so it just is logical to delegate that, or we actually say, abrogate that responsibility to either cybersecurity or IT staff. Just as is true of every other business domain, what you need to know about it depends on your role and responsibilities. And what boards of directors, senior executives, and managers need to know about cybersecurity is significantly different from that required by somebody who is rolling up their sleeves and, if you will, operating on the bits and bytes of a computer.
00:08:09
ALISON BEARD: Yeah. Where have you seen a company that hasn't been using that cyber threat narrative process go really wrong and miss a big hole in their systems and be attacked?

00:08:23
THOMAS PARENTY: One example that comes to mind is an Asian automobile manufacturer that we worked with a number of years ago. And they had suffered a breach. And in the aftermath of the breach, the cybersecurity team was tasked with "making us so secure that this never happens again." And so the cybersecurity team decided to put the network used for the development of new automobiles inside their corporate network because they thought, ah, an attacker would need to go through two networks in order to be able to then steal information. In principle, that sounds like a wonderful idea, except there were colleagues from other partner companies that work side by side with these automobile manufacturer employees. And they were now locked out. And so the only way that they could get their work done was to create fake employee accounts for all of these external contractors. And they did this knowing that this was perhaps not the best thing from a cybersecurity perspective, but it's what they needed to do in order to get their job done. And so this illustrates a couple of points, one of which is the cybersecurity people had no idea how the company that they worked for actually designed cars. And so they proposed security mechanisms that both interfered with work and ended up resulting in the company being more vulnerable because all of these outsiders now had complete access to the corporate intranet globally.

00:09:54
ALISON BEARD: Right.

00:09:55
THOMAS PARENTY: The other thing it points out is that, when it comes to employees, they are much more motivated by getting the job done for which they are hired and paid than they are about some abstract concept of cybersecurity. And most companies would agree that employees being resourceful to get their jobs done is a good thing. However, in this particular case, cybersecurity directly interfered with their work. And so they saw no issue whatsoever in going around those protections.

00:10:29
ALISON BEARD: Were they then attacked again?

00:10:31
THOMAS PARENTY: One of the sort of insidious things about this particular situation is, because all of these outsiders were now treated as insiders, we have no idea what they did.

00:10:46
ALISON BEARD: I mean, this is a really important point because we're told not to use open Wi-Fi at cafes or ever give our password to anyone. But there are times when you just think, no, I really have to send that email out. The work needs to get done. So how should organizations walk that line between putting in proper precautions, but also ensuring that people still can be efficient?
00:11:12
THOMAS PARENTY: We've found that cybersecurity writ large is full of platitudes that seem obvious and compelling at first read. But if you think about them more thoughtfully, they're sometimes misinformed. One example where this often comes into play is a class of cyber attack called phishing. People often open attachments because you read your email. And occasionally, those attachments result in malware being downloaded onto their computers. And attackers have become savvier over time. It's not just Nigerian princes who want you to give millions. They'll do research specific to you, to your LinkedIn account, et cetera, so they can deliver a very targeted attack. Yet the common thing that cybersecurity departments typically put into place is what's called security awareness training to educate--

00:12:06
ALISON BEARD: I just completed mine.

00:12:08
THOMAS PARENTY: You just did, see? We could then ask, what is the value that you derived from taking this security training? Don't answer that.

00:12:19
ALISON BEARD: I do think I'm more careful, but I think the big thing is the problem isn't necessarily stemming from a phishing attack.

00:12:28
THOMAS PARENTY: So one of the things that is important to note-- and this is something that is illustrated both by your security awareness training and also by the example from the automobile company-- is that, while it is common for security training to talk about generic good things to do-- so if you're in a Wi-Fi hotspot, use a VPN so that the person sipping a latte next to you isn't also reading your email. But what is missing is informing employees about the cybersecurity implications of their own work.

00:13:03
ALISON BEARD: Right.

00:13:04
THOMAS PARENTY: And so this requires actually going beyond a list of generic good things to do to actually looking at how an employee functions in their day-to-day work life and how the actions they perform either discourage a cyber attack from being successful or lay the groundwork for a cyber attack on the critical business activity that they are involved in from being effective.

00:13:33
ALISON BEARD: So I mean, every company is a technology company now because we're all digital. We might all even be using all the same systems, but our cyber threat narratives will be very different if we're an oil company versus a credit card company.

00:13:46
JACK DOMET: Even within a company, where are your locations? What are your different business units? Each of these has different characteristics. They vary widely. And those might be the products and services that that business unit does, or its location and the regulatory regime and geopolitical environment that lives within that location, or their supply chain, or their customers, or their products and services, et cetera. All those things add together to drive a very different risk profile.
00:14:13
ALISON BEARD: So you talk in the article about imagining not only the threats, but also who your adversaries are. How do you do that sort of when what you're trying to do is keep up with criminals who are constantly trying to find new tools and strategies to get at you?

00:14:31
THOMAS PARENTY: So I would say that the strategies that criminals or others use to attack you is one issue. And it is certainly relevant for cybersecurity staff to keep abreast of the latest techniques that cyber adversaries might use. However, in terms of identifying those cyber adversaries, that is something that is, for the most part, a very business-oriented activity that doesn't require technical knowledge. There are a couple of ways in which companies can start to address that issue. One of which is, what do they have that would be of value to someone else? That could be the design of a product. It could be a collection of customers. By identifying what a company has that could be of value, that's one way of looking at it. Another avenue that companies can take is, is there anything about the business that the company is in, the way in which it operates, that might attract some sort of attacker? With increasing discussions about climate change, companies that are viewed as carbon negative could attract this kind of attention. Or if there was a case in which a company or an organization was not being honest about certain of its business practices, that could invite a cyber attacker. In point of fact, that would be the situation that my former employer, NSA, was in with respect to Edward Snowden. Depending on where a company operates, the adversaries it might face in one area could be very, very different from the adversaries they could face in another part of their business, in another part of the world.

00:16:20
ALISON BEARD: Right. And I don't want to make it seem like you're advertising your business. But because these issues are so complicated and so different from function to function and company to company and geography to geography, do organizations need to bring in outside help and expertise?

00:16:37
JACK DOMET: One of the things that we talk about in the book is the importance of building an internal capability to recognize what really truly drives your cyber risk going forward. And oftentimes, those are changes in the way you do business because most of those new cyber risks come less from a new type of technical attack. It's actually that merger that you're about to go through, or that new product that you're about to launch, or that change to that internal application that you have. Those are all things that change the way that you're doing business. And those changes have implications as it relates to the risk that you face.
00:17:17
ALISON BEARD: So whether an attack is simple or sophisticated, are you saying that companies are able to prevent them if they take the right steps?

00:17:26
THOMAS PARENTY: In all areas of risk, whether it be financial risk, physical risk, or cyber risk, there are no guarantees that what you do will be sufficient to fend off the attack that you actually face. However, if you actually have focus on knowing what is important to protect, understanding the kinds of cyber attacks that could compromise critical activities, you are in a much, much better place to defend yourself properly than if you take more of a shotgun approach of, well, this is a general vulnerability. And so I'm going to buy a box that takes care of that.

00:18:11
ALISON BEARD: How frequently do leaders of a company or a function need to be reviewing and then revising what their plan is?

00:18:21
JACK DOMET: I mean, it's an ongoing exercise, right? I mean, it's not a one-off thing.

00:18:25
ALISON BEARD: Right.

00:18:25
JACK DOMET: This is something that's dynamic. And so our point before in terms of where to look for cyber risk, where to anticipate them, it generally relates to changes that you're making to your business, whether it's a new product that you're launching, a new geography that you're getting into, a new supply chain partner that you're working with. All these point to changes in the way that you do business. These introduce changes in technology because of the way that we work today. And those changes in the technology and the way you do business invite you to do new things with your business that drive new risks.

00:18:58
ALISON BEARD: Right.

00:18:59
THOMAS PARENTY: And so in some sense, the one answer is that companies need to incorporate into all of the processes used for making change some type of cybersecurity review. Now, this does not have to be and should not be a terribly onerous and time-consuming activity. Because, one, that will get in the way of doing business. And as we've discussed previously, people will find a way around it. But it is important to make sure that when companies are undertaking the changes that will introduce new cyber risk that they are at least paying attention to that.
00:19:38
ALISON BEARD: Are there ways that companies should restructure themselves to make sure that people at every level and in every part of the organization are thinking about cybersecurity in a more careful way?

00:19:49
JACK DOMET: Yeah. I mean, it's about building-- well, there's a few different things. One area that we look at is building an internal organizational capability to deal with this change management process that companies go through. As Thomas was mentioning, we do need to have cybersecurity reviews as you change your business just like you look at other risks. Another area where we think about organization and cyber is where do you put the capability for managing cybersecurity. Many companies, including probably two-thirds of the Fortune 500, have what's called a Chief Information Security Officer, commonly referred to as a CISO, to have rolled-up responsibility for dealing with cyber risk and deciding what risks need to be managed and what investments need to be made. But there are some issues in terms of where that CISO might report. Oftentimes, because this has traditionally been a technology issue, the CISO may report to a CIO, a Chief Information Officer, who would be responsible for developing software or deploying computer capabilities. But the incentives for someone who's in charge of security and the incentives for someone who's in charge of building applications are very, very different.

00:21:16
ALISON BEARD: Yeah. So that person should maybe be reporting to the CEO instead?

00:21:22
JACK DOMET: The CEO, while it would appear to be the best place for cybersecurity to report to, actually is not. Because one of the longstanding problems with cybersecurity is that it has lived in a silo, frequently within the IT department. But it lives someplace else that made it very easy for other business leaders to ignore it and say it's somebody else's problem. And so if it reported to the CEO, the natural conclusion would be, ah, it's taken care of. After all, it reports to the CEO. But a good CEO is successful because the people who work for him get things done. Based on our experience, when a company is looking for a home for the cybersecurity organization, they should first look at where their most significant cyber risks reside as well as finding a corporate home where the interests of the manager of cybersecurity are completely aligned with the executive to whom he or she reports.
00:22:34
ALISON BEARD: So we've been talking about a lot of big companies. How should smaller organizations deal with these threats? On one hand, they're less likely to be targets. But then on the other hand, they have less money to invest and sort of fewer resources to throw at it.

00:22:53
THOMAS PARENTY: So our advice for companies of any size is the same. Focus on your company's most significant activities and the business risks they face. And then you can think about how a cyber attack could cause these risks to materialize. Several years ago, I was talking with an electrician who was doing some work in my house. And when he learned I worked in the cybersecurity field, he told me he needed a firewall. When I asked why, he replied that he thought his business partner was cheating him. I told him a firewall wouldn't help reduce his risk because firewalls help protect against attacks originating from the internet, not from the office where both he and his partner sat.

00:23:32
ALISON BEARD: Right.

00:23:32
THOMAS PARENTY: That he immediately jumped from a cyber risk, his partner misusing computers to steal from him, to a technology fix is common and, therefore, completely understandable. That a firewall would come to mind also makes sense because firewalls are well-known, if not well-understood.

00:23:50
ALISON BEARD: OK. So let's say that the worst happens. Either you haven't followed your advice and you're hit with an attack, or you have tried your best. And somehow the criminals have still gotten to you. What are some of the best practices for recovering from that?

00:24:05
THOMAS PARENTY: OK, so the first element is that, while one should always focus on proactive measures, one does need to take into account that under some circumstances you will have to respond to some sort of cyber breach. And this is, again, a responsibility that falls not just to cybersecurity staff, but also to the leadership of a company. A company needs to have the technical capabilities to respond to the most likely forms of cyber attack on their most critical business activities. If you understand what those activities are and those cyber threats, that is something you can prepare ahead of time. From an executive perspective, they need to be in a position to make decisions and publicly engage in the aftermath of said cyber attack, essentially to prethink the consequences and prethink the decisions they will need to make, if you will, in the clear light of day as opposed to in the fog of war.
00:25:16
ALISON BEARD: So if I'm a manager with no expertise in these issues, where should I start to get more up to speed?

00:25:25
THOMAS PARENTY: What they can do is simply have different discussions with the cybersecurity people that they already have in-house. Again, start the conversation with, here's a critical business activity. These are the concerns I have as a nontechnical business manager in terms of what could go wrong. Now, talk to me, cybersecurity and IT people, about, one, what are the systems that support this activity so I know where you need to prioritize the attention that you give. And second, talk to me about how the cyber attacks that you know and follow would be able to compromise the systems supporting my business. And what are the sorts of impact? If you have this conversation from the perspective of talk to me about how my business could be compromised instead of telling me what vulnerabilities need to be fixed with whatever priority, then you'll get somewhere.

00:26:29
ALISON BEARD: Thank you all so much for talking with me today.

00:26:32
THOMAS PARENTY: It has been our pleasure.

00:26:34
JACK DOMET: Thanks for having us.

00:26:35
[MUSIC PLAYING]

00:26:38
ALISON BEARD: That's Thomas Parenty and Jack Domet, cofounders of the cybersecurity firm Archefact Group. They're also the coauthors of the HBR article "Sizing Up Your Cyber Risks" and the HBR Press book, A Leader's Guide to Cybersecurity.

00:26:57
This episode was produced by Mary Dooe. We get technical help from Rob Eckhardt. Adam Buchholz is our audio product manager.

00:27:07
Thanks for listening to the HBR IdeaCast. I'm Alison Beard.

00:27:11
[MUSIC PLAYING]