This is a commentary written by an independent author. The views expressed are those of the author and do not reflect the official policy or position of the Army Cyber Institute, the United States Military Academy, or the U.S. Defense Department.
Corporate cybersecurity requires a business leader to make the decisions, be personally invested, and lead the security work the same way they lead the business. The intent and guidance of the business leaders need to be visible. In reality, this is usually not the case. Business leaders rely on IT staff and security consultants to "protect us from cyberattacks." The risk is obvious: IT staff and consultants are not running the business, lack a complete understanding of its strategy and direction, and therefore cannot prioritize the protection of its information assets.
Information security has a few foundational pieces. Information resources are classified according to their importance to the business, an acceptable level of risk is established for the company, and then security solutions are developed to mitigate risk to an adequate level. In parallel, these mitigation strategies are implemented with minimal disruption to the workflow and the business. As part of the process, the information security program ensures that information and functionality can be restored after an incident.
These basic steps may sound like an elementary exercise that consultants can solve quickly. Still, the central question is risk appetite, the willingness to take an understood risk, which can jeopardize the entire business if set too high or too low. What does the wrong level of risk appetite look like? Either the business' IT operations are prepared to take risks that business management did not even dare to dream of or, conversely, the IT systems slow down the business, stand in its way, and fail to prioritize because of risk aversion. Only the business leader can control risk, and risk is central to information security. IT staff and consultants can be advisors, produce information, and sketch solutions, but the decision is a business decision. What risk we are prepared to take cannot be an open issue left to arbitrary interpretation.
Just as management influences and controls what counts as an acceptable risk when information security is structured, management is central when things go wrong. A business management team that is not involved in information security and has not gained a conceptual understanding of it will be too slow to act in a crisis. Cyberattacks and data failures occur daily. The financial market, customers, government authorities, and owners rightly expect these damages to be dealt with quickly and efficiently. Confusion when a major cyber crisis occurs, whether by attack or by mistake, undermines confidence in the business very rapidly. Trust that has taken decades to build can be wiped out in hours. In the digital economy, trust is the same as revenue and long-term customer relationships. Business management that lacks an understanding, at a managerial level, of how cybersecurity is structured for their business has not made the intellectual journey of prioritizing and will neither lead nor have relevant influence in a crisis.
Managers are paid a premium and are recruited because they have the experience, insight, and character to navigate a challenging crisis when it hits. If business management cannot lead when the business is under major cyberattack, then management has left it to the IT staff and consultants to lead the business.
In small and medium-sized businesses, the need for committed business management is reinforced because the threat of long-term damage from a cyberattack is more significant. A public company can absorb the damage in a way that smaller players, often in niche industries, cannot.
If business management can engage in sustainability and the climate threat, as many do with energy and interest, engaging in vulnerability and the cyber threat should not be too great a leap. The survival of the business will always be a business decision.