Cybersecurity’s not a “Tech” Thing, it’s a “Culture” Thing

Every year the CEO of BlackRock, Larry Fink, writes a general letter to his fellow CEOs about the direction business is heading and the leadership model they should aspire to embody. BlackRock, under Fink’s leadership, manages around $6 trillion in assets. He is Wall Street. 2019’s letter is focused on purpose and profitability, about creating a corporate culture that aligns global-mindedness and business strategy. Fink is using his influence to better the world.

I am not Wall Street. I’m not even Bay Street, for that matter. I, Kevin Dawson, am the CEO of ISA – a Canadian organization with over 25 years of experience in technology and cybersecurity. I’m proud to be part of team ISA, and I’m proud of the security solutions and services we provide. So, I’m writing this letter of sorts to my C-Suite friends about a branch of corporate culture that Fink didn’t discuss. A practice that I, and the entire team at ISA, are passionate about – the culture of cybersecurity. Because to us, cybersecurity isn’t a “tech” thing, it’s a “culture” thing. Although ISA may not manage $6 trillion in assets, our team is helping to protect Canadian organizations from what will soon be $6 trillion a year in global cybercrime damages.

Here’s the problem

Back in 2017, at the Annual Berkshire Hathaway Shareholders’ Meeting, renowned investor Warren Buffett said, “I don’t know that much about cyber, but I do think that’s the number one problem with mankind.” If Buffett is paying attention to issues of cybersecurity, a man who has built an empire by assessing business risk and opportunity, then everyone who is part of the C-Suite, and everyone who governs from a board seat, should be concerned too. Buffett echoed the sentiment again at the 2018 meeting when he said, “Cyber is uncharted territory. It’s going to get worse, not better.” Buffett hasn’t gotten where he is by being wrong. Don’t hate the messenger, but the reality is that cybercrime is growing exponentially. Estimates are that damages from cybercrimes will escalate from $3 trillion annually, as of 2015, to $6 trillion annually in 2021. This escalation will make cybercrime more lucrative than the combined trade of all illegal drugs globally, and equal to the dollar amount of assets that BlackRock manages.

As senior leadership in your organization, you are uniquely positioned to lead a coordinated, cross-company response to cybersecurity. You are situated to see across departments and gain a comprehensive, holistic view of the structure of the organization. You also have the authority to push collaboration within the organization. As company leaders, you are responsible for risk management, including ensuring that cybersecurity risks are managed, like any other risk to the company, using the strength of an established framework. In the digital economy with increased data regulations, cyber threats and security breaches can lead to disastrous consequences, including high-profile job losses and lawsuits. The gist of what I’m saying is a cybersecurity strategy doesn’t fall at the feet of the IT department, it falls on the shoulders of the executives.

This means a paradigm shift is needed inside of organizations. Cybersecurity can no longer be isolated to a technology problem that requires an IT solution – it’s bigger than that. Cybersecurity needs to be seen as a critical business interest.

I’ve seen it time and again, the most significant weakness in the majority of companies’ cybersecurity is not in the hardware or software, but in their processes and in their employees. The 2017-2018 Canadian Internet Registration Authority Survey of 1,985 Canadians who owned a “.ca” domain indicated that 85% of them had received a phishing email, 19% reported ransomware hits, and 32% reported that their users had revealed sensitive information unintentionally.

In the 2018 Canadian Cyber Threat Assessment, the Canadian Centre for Cyber Security predicted that cybercriminals would be the top cyber threat that Canadian businesses of all sizes would face in 2019. Cybercriminals target Canadian businesses for data about “customers, partners and suppliers, financial information and payment systems, and proprietary information.” The stolen data can be used by a competitor, sold, or held for ransom. The costs of lost information go beyond ransom payments. The real financial damages come as a result of a loss of reputation, diminished productivity, disruption to the operation, loss of intellectual property, and the cost of recovery. In 2018, the average cost to a Canadian organization per breach was $3,700,000.

Fortifying your company against cyber attacks means more than just patches and software upgrades. Instead, the company needs to make cybersecurity a company value. Senior executives need to guide their organizations to adopt a culture of cybersecurity. Good cybersecurity means gaining insight into your company’s cyber-presence, your strengths, and vulnerabilities. If you embrace these seven principles, Protect, Respond, Embrace, Detect, Integrate, Communicate, Train – then I PREDICT (see what I did there) a more cyber-secure future for your organization.

Protect: Keep all your data on the down-low

In this data-rich world, where information is seen as being as valuable as oil, it is increasingly important to collect only the critical data that you need, and to share only the data that you absolutely must. The less you take, and give, the less data you have to worry about securing. Your company needs to have flexible and adaptable approaches to data protection. With increases in data regulations and increased data protection policies globally, businesses need to ensure that if they’ve got data, then it’s well-protected, or they can face significant fines.

Respond: Be rapid and precise

If large-scale breaches in the media have taught the C-Suite anything, it is that your organization’s response will shape how the public and your customers interpret the breach and your liability. That means your company really needs an incident response plan. Please do not leave your incident response strategy until after an attack or a breach occurs. Incident response is a proactive process that starts well before the incident with planning, education, and fortification. If your organization hasn’t created an incident response strategy, then you are missing a critical component of your cybersecurity defence. When a breach occurs, it is a stressful time, so you need to have a plan, know who is executing which parts, and you need to practice. Incident response strategy is our specialty at ISA, and we’d love to help you create one.

Embrace: Build cybersecurity into your organization

By embrace, I don’t mean you have to hug your cybersecurity, but find a way to enter into a committed relationship with it. What I mean by embrace is to go beyond talking about increased cybersecurity, to actually affect the structure of the organization through the inclusion of cybersecurity, from mission statements to reporting lines and compensation packages. If you don’t explicitly build cybersecurity into your organization, you’re saying that you are not genuinely committed to the goal of creating a culture of cybersecurity. Governing boards should include one cybersecurity specialist who reports on issues of concern and evaluates business decisions through the security lens. The whole board should be involved in matters of cybersecurity, but at least one board member needs to have the technical background to help translate pressing issues into business terms. Another terrific idea is to create a cybersecurity council that consists of company leaders.

Detect: Early detection saves money and reputation

Efforts in detection go hand-in-hand with prevention and protection strategies. It’s just like early disease detection in healthcare. Rapid and accurate detection makes a massive difference in the identification, containment, and treatment of diseases – the same is true of cyber-threats. Early detection can help limit the damage before it becomes a catastrophe. As part of a robust cybersecurity strategy, detection efforts shouldn’t replace, but instead enhance, prevention and protection tools. It’s not a matter of if you’ll be attacked, but when. The odds aren’t in your favour when you consider that cybercriminals only have to be right once, and you have to be right all of the time. But having detection tools isn’t enough either. Companies need to have trained cybersecurity professionals who can analyze the output of Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) tools.

Integrate: Make cybersecurity a business policy

Cybersecurity is often deemed defensive; it needs to be seen as offensive. Calculating damages caused by a cybersecurity attack is easy. What is more difficult is measuring the value of avoiding cyber attacks and breaches. It’s essential to measure cybersecurity’s value accurately and to change the perspective from preventing all attacks (which is impossible) to improving response times and better managing containment and eradication. This will alleviate pressure from your CISO and your CIO, who are striving to do the impossible in preventing all attacks, and instead support them as they aim to respond to attacks effectively.

Cybersecurity needs to be viewed as an ROI proposal. When considering ROI, it’s crucial for executives to understand that many cybersecurity tests cost little to execute but can provide valuable returns. For example, at ISA we offer vulnerability assessment, penetration testing, and threat risk assessment. Often, very inexpensive tests like these can significantly decrease the likelihood of a very costly attack. Without proper direction and the establishment of priorities, increased spending on cybersecurity won’t improve your organization’s results. Doing this requires collaboration between executives and cybersecurity professionals, who can ascertain the correct and most beneficial risk management actions.

Communicate: Talk to each other (and us, at ISA)

This is simple. Do not “silo” cybersecurity as just an IT concern. Bring leaders and departments together to address cybersecurity issues company-wide. There is a shortage of skilled cybersecurity labour; if your company is short on the right people, then call ISA and get the expertise that you require to keep your company safe.

Train: Look at internal, not just external risk agents

Thanks to the media, when we think of cybercrime, we think of strangers in dark, windowless rooms wearing black hoodies. The truth is, the most significant threats are usually found within the organization. Insider breaches are some of the costliest of all data breaches. According to IBM’s 2018 X-Force Threat Intelligence Index, two-thirds of total data records compromised in 2017 were the result of negligent insiders, and insider threats are the cause of 60% of cyber attacks.

In 2015, Ponemon calculated that even the least effective anti-phishing education program produced a seven-fold return on investment, and the average-performing program resulted in a 37% return on investment. The Ponemon study also showed that the average retention rate of practical training was 75% and that the estimated long-term improvement gained from specific anti-phishing training programs was 48%. You need to develop effective employee training programs, so employees know how to identify phishing campaigns and maintain good cyber hygiene.

Final thoughts

Organizations deemed the most sophisticated concerning cybersecurity are the ones that make it a cultural, rather than a technological, matter. I see more and more organizations building corporate cultures of collaboration between the cybersecurity experts and the company executives and board, working to close the knowledge and communications gap.

As cybercriminals find more ways to attack and develop new malicious tools, company-wide defences will need to be increased. Ongoing employee education, detection efforts, and formal incident response plans can help your organization prepare for a breach. To alter your company’s culture into one that embraces cybersecurity, executives and board members need to see it as part of the risk management process, not just as a “tech” problem with a “tech” solution. Larry Fink uses his influence to encourage businesses to be more globally-minded. I’m using my (much more limited) influence to try and make the world more secure – one incident response plan at a time.