As technology evolves and advances, organization leaders have a growing understanding that cybersecurity is a critical issue touching all aspects of business – including legal, operational and reputational risks. It is difficult, however, to balance business decisions with cybersecurity, and many executives face challenges with communicating effectively and managing cybersecurity risks across all areas of their organizations.
I recently spoke with Anthony Grieco, senior director and trust strategy officer of Cisco’s Security and Trust Organization and a member of the National Cyber Security Alliance’s (NCSA’s) Board of Directors, about how businesses can more effectively approach cyber risk.
MICHAEL KAISER: What are some of the common pitfalls that business executives face when it comes to managing cyber risk across the business?
ANTHONY GRIECO: Today’s business environment requires companies to respond quickly to the opportunities and challenges presented by new technologies. When it comes to managing cyber risk, companies need to first understand what role technology risks play in their business. It is critical to focus on the resilience of assets that are most relevant to their business. After all, an engineering company is not likely to be threatened by an attack that targets point-of-sale devices.
Additionally, with so many technologies available, many companies are buried under complexity. Cisco’s Annual Cybersecurity Report found that 65 percent of organizations use six to more than 50 security products. This mixed bag of products and lack of integration is actually diminishing security and protection efforts and leads to gaps in security effectiveness.
MK: What are the essential components of a cyber risk management strategy?
AG: First, get the company leadership on board. A cyber risk management strategy is unlikely to succeed if it is not a priority across the entire organization. Second, outline and implement a strategy for securely adding new technologies – whether it is a new finance application or connecting something to the network. Review the new solution versus the rest of the network and determine if it adds or eliminates any risk, and assess if its level of impact is acceptable. Finally, educate your employees on their role in the overall corporate cyber risk strategy. Employees could be viewed as an easy target for criminals, so consistently educating them on the threats facing the organization will help prevent some attacks.
MK: What does a culture of cybersecurity look like, why is it important and what has your organization been doing to foster this culture across the business?
AG: A corporate culture that truly embraces security will continually educate and communicate about cybersecurity. It isn’t simply a task for the IT security team; all levels of the organization must be involved. Employees will understand and be consistently educated on their role in the company’s cybersecurity posture – whether they work in the mail room or the boardroom. At Cisco, that’s exactly what we’re doing. We’re regularly educating all employees on their role in our cybersecurity on a general and job-specific level. Additionally, we utilize a secure product development process to ensure that security is baked in to our products from the outset, not bolted on as an afterthought.
MK: Not all threats are created equal for all business. What are the best ways to identify specific threats to a particular business?
AG: Companies should always remain cognizant of the threats impacting other organizations, but they should focus on the threats that are most relevant to their business. A critical step is to have visibility into the technologies on your network and to understand the risks associated with those solutions. With this visibility, business leaders can gain a better understanding of the threats that could impact their organization while IT security teams can monitor for specific risks.
MK: How can a business leader effectively communicate a cybersecurity strategy to the board? What about to the rest of the company?
AG: When it comes to communication, consistency and translating ‘cybersecurity jargon’ into business relevance is the key. Business leaders should be in regular communication with the board in terms the board understands– and not only in the wake of a breach. That way, when breaches make headlines, board members have the confidence that they were in compliance and their information was secure prior to the incident.
For the rest of the company, cybersecurity needs to be part of the organizational fabric. It should be woven into everything the company does. The C-suite should lead by example in adhering to security policies and processes. Employees should have access to consistent training so they understand the threats impacting their business, and their role in combating those threats. Make it real for them; help each employee see the role they play in the company’s cybersecurity.
MK: How does the Internet of Things (IoT) impact the threat environment? And how should IoT threats be evaluated?
AG: First, you must understand that IoT means a new “source” of threat from within your business. Early adopters of IoT in enterprises are the lines of business that are building the products and services that are now “internet connected,” or the facilities management group connecting lighting. As a result, visibility is critical to determining how IoT devices impact your company. Through experience, we learned that – regardless of whether we’re dealing with the cloud, mobility or any technology that connects to the network – we need visibility into the way technology interacts with our business. Too often, we’ve seen customers buy something and “plug it in” trusting that the device maker, cloud vendor or other outside party has ensured that it’s secure.
Traditionally, however, many IoT devices were built without considering security holistically. When those devices are added to the corporate network, they could be creating new risks for the company. With visibility, we can move from implicit trust (“We believe the vendor when they say the product is secure.”) to explicit trust (“We have asked all the questions, received the answers required to understand and even quantify how the risk factors may impact us and how to reduce the risk and are ready to move forward.”)
MK: What resources and/or tools do you recommend for organization leaders looking to strengthen their cybersecurity strategy and risk management?
AG: This is a topic that we are passionate about at Cisco. We recently wrote a whitepaper, “Cyber Resilience: Safeguarding the Digital Organization,” that can serve as a great resource.
NCSA’s infographic “Creating a Culture of Cybersecurity from the Break Room to the Boardroom” outlines the following steps organizations can take, making up the core of the National Institute of Standards and Technology (NIST) Cybersecurity Framework:
- Identify your digital “crown jewels”
- Build protections of your core assets
- Be able to detect if a cybersecurity incident is taking place
- Have a plan for responding
- Have a plan for recovering normal operations.
Check out the NIST Cybersecurity Framework for more advice.
Bringing executives together to engage in thoughtful dialogue and help inform them about effective strategic approaches to cybersecurity risk management and emerging threat trends, NCSA is partnering with Nasdaq, industry and nonprofit organizations to host the Nasdaq and NCSA Cybersecurity Summit March 13 at the Nasdaq MarketSite in Times Square.
We are excited to welcome Maureen Ohlhausen, acting chairman of the Federal Trade Commission (FTC), for a fireside chat on the FTC’s vision and approach to cybersecurity and what industry can expect under the Trump administration. Following Ohlhausen’s remarks, the event will feature two panel discussions – “Policy to Practice: Operationalizing a Strategic Approach to Cybersecurity Risk Management” and “Emerging Trends: Cybersecurity Threats in 2017.” The event will be livestreamed on the NCSA Facebook page, and we encourage you to follow the conversation on social media using the hashtag #CyberAware.
Cisco, CompTIA and LifeLock (a Symantec company) are Platinum sponsors, and Fasoo and Logical Operations are Silver sponsors for this inaugural 2017 summit series. The summit is also supported by the Business Council for International Understanding (BCIU), Business Executives for National Security (BENS) and the National Association of Corporate Directors (NACD).
We hope you will join us virtually to watch the Cybersecurity Summit, and visit staysafeonline.org for more business cybersecurity tips, resources and news.