Cyber Security: The Will to Fight and the Will to Lead

This post was published on the now-closed HuffPost Contributor platform. Contributors control their own work and posted freely to our site.

COMMENTARY

The will to fight and the willingness to lead...Nothing matters outside those two precious things. It all starts here and the most important person is the Chief Executive Officer. The CEO must be willing to fight and defend your company. The burden of leadership is heavy and you are surrounded by many who stand at the ready. We must be willing to lead the fight to secure OUR kingdom. CEO- You drew the sword from the stone, but are you willing to use it?

Understanding the threat

For most issues in business, warfare does not readily apply to business strategy. Cyber security is the exception. The gravity of digital vulnerabilities and the sophistication of cyber activities at the corporate level magnify the risk and make it resonate across the US economy. There is a strategic political relationship between cyber insecurity and the American economy. Carl Von Clausewitz famously wrote, “War is politics by other means.” In the minds of most American business people there is a clear distinction between law, politics, business, crime, and war...that Weltanschauung, or world view, is not shared by other competing nation-states, their governments, military leaders, corporate leaders, criminal enterprises, and free agents. Our American world view juxtaposed against this global reality places our country, our economy, and your company at great risk. The ubiquitous presence of the internet has democratized on a global scale cyber victims and vulnerabilities by theft, economic violence, and mischief as the safety of oceans and the rule of law is transcended virtually to your company’s inner-most sanctum.

Cyber insecurity erodes the US government’s ability to control national security-related information and American corporations’ ability to protect customer/employee data, intellectual property, and data supporting key competitive advantages from an agile adversary hidden anywhere in the world. Cyber insecurity fuels the growth of dark web markets and increases the value of stolen data, tools, methods, and skills. The geopolitical nature of international commerce and the projection of national power principally through the national economy, not through military force, magnifies the ramifications of exploiting cyber insecurity and promoting instability within the American economy. The instability promoted and lucrative benefits gained are attractive to both nation-states and non-nation-state actors. Perhaps at the operational level one might consider this surrogate cyber insurgency as the organized exploitation of vulnerable high value victims, during the chaotic looting of flat screens and beer in the storm. At the strategic level, it may be considered a multilateral Cold War without the need for massive military spending, fueled by very lucrative results, driving economic and national security interests, but without a thermonuclear deterrent.

Cyber insecurity represents the greatest existential threat to the United States of America in its history, because it is a hidden war insidiously extricating our wealth, security, and confidence without the visual carnage that immediately alarms leaders and the American public to action. The US economy has a unique combination of competitive advantages. American companies’ failure to secure their communications, information (PCI, PII, IP), protect their employees, and customers from exploitation fiercely undermines those competitive advantages and bleeds our economy to a death by millions of cuts. Success without significant consequence has infused Moore’s Law-like growth and sophistication within dark web markets, tools, resources, and methods for exploiting digital networks.

Far more threatening than crime...far more subtle than war...far more contrived than chaos...

Name your enemy.

In November of 2005, I landed in Baghdad at Camp Victory. Two and a half years into the war, and key leaders within the Department of Defense still refused to use the word “insurgency” to describe the fight on the ground. In reality, an insurgency was bleeding our troops, our morale, and our national coffers dry. I found myself surrounded by 23,000 troops, contractors, and civilians with more General officers within the perimeter walls than led the entire Allied Forces during World War II. They seemed to be counting down the days until insecurity and the insurgency became somebody else’s problem.

Within 45 minutes, I found myself pulled over by a 19-year-old military policeman in a starched uniform and spit-shined boots for speeding. The sounds of machine gun fire just outside the walls distracted me as I was told that driving 21 mph in a 15 mph zone on Camp Victory was forbidden. I should be more careful. Not sure whether my stunned look of disbelief gave it away, but the Specialist asked, “You’re new to Camp Victory, Sir?” At that moment, the gross mismanagement of priorities left me sickened, and I thought we might lose the war.

It was not until days after my arrival that General Peter Pace used the word insurgency in a press conference, much to the chagrin of the Defense establishment. He knew the fight on the ground was real, and naming our enemy gave us greater power to mobilize the fight. Naming your enemy is the first step in recognizing their threat and acknowledging your vulnerabilities. Technological superiority does not equal victory without the will to fight the enemy as he is, not as you wish him to be...and not as you wish to be, but as you are. Some will object to calling this a global cyber insurgency. “This is a group of people who don’t merit the word ‘insurgency,’ I think,” Secretary Rumsfeld said Tuesday (Nov 29, 2005) at a Pentagon news conference....“I think that you can have a legitimate insurgency in a country that has popular support and has a cohesiveness and has a legitimate gripe,” he said. “These people don’t have a legitimate gripe.” After the word slipped out the first time, General Pace looked sheepishly at Rumsfeld and quipped apologetically, “I have to use the word ‘insurgent’ because I can’t think of a better word right now.” (Source)

A Chinese hacking group penetrates the servers of a US biotechnology firm with a long-standing history of developing pacemakers, and steals all the product data for a proven legacy generation pacemaker that can be produced for $50.00 at scale for the emerging middle class in China and rapidly developing markets in Africa...circumventing millions of dollars and years in research and development costs...who wins and who loses? Then multiply this example by the tens of thousands of complex products and hundreds of thousands of more easily developed products...who wins and who loses? Like General Pace, I can’t think of a better description right now, but a global cyber insurgency is undermining the very foundation of our economy and your company. It is a deliberate and agile promotion of economic subversion through the exploitation of digital network insecurity by organized groups, state-sponsored activities, independent persons/groups, and criminal elements who share a broad spectrum of common interests, motivations, and goals. Their common interests drive growth, innovation, and value in dark web markets, tools, methods, and skills. Their motivations, resources, and expanding markets fuel their effectiveness and neutralize the value of your investment in a litany of expensive security products and services.

People Matter Most - The Coalition of the Willing

In 2012, I stood listening to the malik or chief elder of an Afghan village articulate the complexity of his situation...his “challenges” were woven between ISAF Coalition Forces, corrupt politicians, corrupt police, the Afghan Army, Iranian influence, and the Taliban.... all the while feeling the constant pressure of village politics and needs, regional disputes, and 2,000 years of sordid history. Feeling the weight of the situation and the genuine angst of the chief elder, I looked up at my teammate with a blank stare, contemplating my approach. Nate smiled at me and said, “He just told you this is not in his job description.” It’s safe to say, most CEOs did not sign up for an epic battle with daemons and cyber villains. Many Afghan villages found themselves embroiled in a conflict in which they had little direct interest, but all carried the burden of the conflict’s tremendous liabilities. There is no choice. We win this fight by engaging those who lead and persuading them to consider their risks, liabilities, and interests and to expand their job description, village by village, company by company, CEO by CEO.

Once the reality sinks in, it’s time for the CEO to choose his or her team wisely. You will discover dedicated security professionals within your company who understand the fight, your vulnerabilities, and your critical sense of urgency, and who are deeply thankful to have your leadership. You will find others who will not “buy in”; crisis will be their only motivation, maybe. For those members who readily accept the challenge, it is their moment to make a difference. Your leadership is still needed with senior management across the company to reinforce their solutions....to remind them digital security secures commerce...there are always risks and opportunities to consider, assess, and choose. Whom you choose, empower, and entrust to effect the changes to build your organizational digital defenses, strength, and resilience throughout your digital domain is everything.

Understanding the Fight: What we call it may be somewhat academic...

What we do about it is called L-E-A-D-E-R-S-H-I-P. CEOs see the undulating terrain of their corporate markets, products, and competitors. Many are gifted with insight into strategic positioning within their current markets to gain unfolding advantages in future trends. Carl Von Clausewitz described this gifting as a strategic intuition, or coup d’œil. As CEOs learned the value of understanding the organization’s performance gained from the balance sheet and P&L during their careers, so must CEOs broaden their understanding of key indicators revealing the state of their digital security. Understanding the fundamentals of the cyber terrain increases your competitive advantage. Wolves prey on sheep, so the earlier you recognize the gravity, sophistication, and agility of the threat, the more quickly you can execute these:

10 Steps Towards a More Secure Company:

1) Mobilize your company to assess their true state of security and evangelize to all why it matters... drive the shift in your culture by leading by example.

2) Recognize the shortfalls in authority, responsibility, and accountability... and yes, resources which contributed to your current state (it matters).

3) Identify those leaders and followers who form the “Coalition of the Willing” and empower them with authority, responsibility, and accountability through lessons learned.

4) From a known state, identify specific digital security objectives, with real metrics and milestones.

5) Identify resources on-hand to meet your immediate needs and maximize their capabilities RIGHT NOW.

6) Identify, prioritize, and resource the gaps in terms of technology, training, processes, and leadership.

7) Reevaluate your objectives against your REAL priorities, and AVAILABLE resources. Think long-term.

8) Re-align people, processes, and technologies that undermine your digital security.

9) Develop new behaviors, processes, and adopt technologies that reinforce and actually contribute towards your revised goals.

10) Reward progress, agility, innovation, and outcomes.

CEO’s Five Cyber Steps forward:

1) Embrace digital security as a strategic imperative and seek to understand the fundamentals just like a balance sheet and P&L. This is the new normal and requires you to lead by example.

2) Hold your C-Level staff accountable for decisions, actions, policies, processes, and technology choices that undermine your company’s digital security.

3) Direct that you and your C-Level management team will be updated on security metrics that are meaningful, and gain insight into the sophistication and the objectives of your attackers.

4) Drive your corporate culture through training, education, and professional development to embrace digital security as a way of life. Training investments should demonstrate VALUE by improved outcomes.

5) Continuous improvements... across the organization should be measurable; demand accountability against those metrics. People’s behavior, skills, and performance matter more than technology.

Always remember, securing your networks, information, and communications is an organizational fight.

Conclusion: The difficult path to strength and resilience...

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Sun Tzu (Source)

History is filled with abundant examples of the fall of empires who could not secure their new frontiers...the edge of the empire is where risk and opportunity collide to shed gold, blood, sweat, and tears. We ignore this insecurity and the marauders within this digital frontier at our peril, your company’s, and our Nation’s. No matter where you sit, stand, or lead within an organization, you have drawn the sword from the stone. All around you wait for someone, anyone to lead them from a place of angst to a place of security...the path to securing your company’s digital network, inner workings, and communications is difficult and thankless, but vital.

Answer the call to lead; choose to raise your sword and fight.
