Understanding and mitigating cyber risk has become an essential skill for business leaders - but how well-versed are they at managing risk in the information age? Have they succeeded in embedding a cyber-culture across their organisations?
“Although some top executives continue to view cybersecurity as a second-tier priority, business leaders are doing increasingly well in developing a basic technical understanding of cyber risk and recognizing the importance of robust cyber risk management,” says Eric Rosenbach, who leads Harvard VPAL’s online course, Cybersecurity: Managing Risk in the Information Age.
“However, they are struggling to influence others in their organization to embrace cybersecurity as an embedded part of operations and a consideration in strategic decisions.”
Rosenbach, a former Chief of Staff at the Pentagon and now Co-Director of the Belfer Center for Science and International Affairs at Harvard Kennedy School, stresses that business leaders must build robust cyber risk management strategies rather than rely on a simple checklist of prevention measures.
“They must also empower those leading cybersecurity within their organizations to have power and influence, through formal authority (their place in the organizational structure) and a clear mandate from the top,” he says.
As a former Pentagon Chief of Staff [July 2015-January 2017], Rosenbach is familiar with the challenge of building an effective cybersecurity culture.
He says: “We had to be simultaneously very secure and mindful of risk while ensuring we could operate smoothly and in a timely manner. The balance will look different for every organization. The goal for leaders should be to deliberately choose a level of risk appropriate for their organization. Too often, the choice is made by default instead of with intention.”
Rosenbach says building a strong culture involves showing why and how cybersecurity is essential to an organization’s mission. He outlines five key principles in his forthcoming book, Embedded Endurance, a cyber-risk leadership guide geared towards non-experts: transparency, accountability, appropriate system knowledge, compliance with policy and procedure, and formal communication channels.
A positive culture must also be accompanied by an effective cybersecurity strategy.
“While many organizations have a cybersecurity plan, few have a comprehensive strategy,” says Rosenbach. “The gaps include emphasizing prevention at the expense of resilience, forgetting the importance of legal obligations and industry standards, failing to foster collective action towards cybersecurity from all departments, and neglecting to devise an incident response process for when the inevitable breach occurs.”
Rosenbach urges business leaders to accept that cyber breaches ARE inevitable and seek an effective balance between broad risk mitigation and preparedness for incident response.
“It is impossible to eliminate risk. In the current cyber risk landscape, attacks are inevitable,” he says. “Therefore, cybersecurity strategies must include both risk mitigation measures and incident response.
“To strike the appropriate balance requires leaders to understand all the risks their organization faces (based on its sector and assets), prioritize which assets to protect based on their criticality to the organization’s mission, and determine the level of risk they are comfortable with taking.”
Identifying your most valuable digital assets is crucial, Rosenbach argues: “Failing to protect the most valuable digital assets poses great risk to an organization, including financial, operational, reputational, and legal risk.
“Countless examples of cyberattacks from the past demonstrate the vast damage attacks can cause along all four of these dimensions. In the case of a hospital, for example, a cyberattack could lead to needing to close emergency rooms and cancel patient appointments. This was what happened to the NHS when it was infected by the WannaCry ransomware in 2017.”
Rosenbach thinks there are always lessons to learn from cyber attacks. The 2017 Equifax hack, he says, “demonstrated the importance of accountable leadership”. CEO Richard Smith tried and failed to shift the blame for the hack to a fellow executive, but ultimately faced pressure over the breach and retired.
“Operationally, cybersecurity requires all senior leaders to be invested, but accountability must sit at the top with the CEO,” says Rosenbach. “If the most powerful person in an organization is not leading the charge and taking ownership for incidents, it will not be perceived as a top priority.”
The December 2020 attack on US software company SolarWinds exemplified how hackers can target organizations indirectly through their vendors and suppliers, says Rosenbach. He also notes the attack went undetected for months, saying: “This highlights an important lesson: organizations cannot rely on ‘front door’ preventive security measures alone, but must also embed measures of detection, neutralization, and recovery into their cyber risk strategies.”
So how does Rosenbach assess the response of business leaders to the challenges presented by mass remote working in the last year? He says while attackers have been using Covid-19 messages to lure their targets, and exploit the pandemic for gain, the shift to remote work also presents opportunities.
Rosenbach explains: “With the shift to remote work, which in some form will likely outlive the pandemic, conversations about cybersecurity have been brought to the forefront. A report by PwC found 96% of executives surveyed will revise their cybersecurity strategy due to Covid-19 and 50% are more likely to consider cybersecurity in every business decision (twice as high as the previous year). This suggests the time is ripe for leaders to re-imagine how they approach, prioritize, and communicate cybersecurity within their organizations.”
He concludes: “Leaders will never be ‘done’ when it comes to cybersecurity, as cyber risk is a dynamic and evolving challenge. However, by assessing key vulnerabilities and determining likely attackers, embedding prevention and resilience measures into their strategies, and building a culture in which every employee believes he/she has a role to play, organizations can equip themselves to handle new threats.”
Cybersecurity: Managing Risk in the Information Age is an online Harvard VPAL course suitable for business leaders, executives and other professionals wishing to gain an up-to-date overview and understanding of cybersecurity and risk.