Think cybersecurity is an IT responsibility? Think again
If your business does anything electronically, anything — has a website, uses email, places or receives orders, serves clients via electronic services, manufactures or builds something, banks or pays vendors online — you face cybersecurity risk. Cybersecurity incidents often come from unexpected places, blindsiding organizations and hobbling service delivery and operations. If your business deals with personally identifiable information (PII), has intellectual property (IP), customer or credit card data, or is bound by the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), or the myriad state privacy rules, the risks and potential penalties (not to mention headaches) multiply.
In short, cybersecurity risk has a real impact on your business’s bottom line. But when I talk to executives about cybersecurity, what I hear alarms me. It often goes like this: “When I ask my IT folks about our preparedness, they assure me they’ve got cybersecurity under control, so I trust we’re covered.”
Reaching beyond IT
Even the strongest IT team can only control what it knows. It’s what IT doesn’t know or control that creates the real risk for a business. While you as a leader understand the business holistically, it’s unlikely IT has the same grasp. Said another way, your IT team might not understand the complete gamut of the business’s cybersecurity needs.
Cybersecurity is a business issue, not an IT issue. When you look at the physical security of your office or plant, is that an IT issue? How you execute wire transfers and carry out other essential business processes, is that an IT issue? What about outsourced business systems controlled by business unit leaders or compliance with regulations or state laws? Are these IT issues?
How could IT possibly know about — or take responsibility for — those things? It can’t. Yet, in today’s connected, cloud-based, digitized environment, every single area of your business requires cybersecurity. Cybersecurity isn’t solely an IT responsibility, and executives can’t assume their IT department or their IT vendors maintain the health of cybersecurity for the organization.
It’s not what you’re doing that makes you a target — it’s what you’re not doing
For the most part, hackers aren’t “targeting” you. They’re “scouring” the internet for systems with known vulnerabilities, “spraying” the internet with predictable passwords for common applications to gain access to loosely controlled cloud-based systems, or “deceiving” individuals naïve enough to fall for their social-engineering lures (email, texting, or voice phishing). Initially, they don’t care who you are; they only care that your guard is down and that you can’t detect them infiltrating your business’s lines of defense. It’s what you’re not paying attention to or addressing that creates the footholds hackers need to get in and do damage.
The most common cyberthreats are ransomware, malware, and password attacks, all of which are most often the result of social engineering campaigns. Hackers gather information about you or your employees from your website, or from personal and business postings on social media like LinkedIn, Twitter, and Facebook. Then they use that information to initiate contact and run phishing, texting, or phone campaigns that subvert the technical controls IT has in place. And if the organization hasn’t updated its business process controls, your attackers will find ways to subvert those as well.
Once inside, they may find IP, customer PII, competitive data, or other sensitive information about your organization, or they might not find anything and instead use ransomware to lock up your systems and force payment before you can regain access. Or, they get inside your systems and patiently watch. They learn how to execute wire transfers or set up new employees, and then they imitate your processes to move money out of the business.
Information access and security: A balancing act
As a leader, are you making business decisions based on an appropriate assessment of risk? Strategically, are you properly planning for cybersecurity spending? From my conversations with executives, my guess would, unfortunately, have to be “No.”
Let’s think about this logically: if you ask IT about cybersecurity, and your team assures you it’s covered, why would you invest more in network segmentation, multifactor authentication, or online and offline backup solutions? Why consider a security information and event management (SIEM) solution, incident response and forensic retainers, and other technology solutions? Why look into redesigning processes or reviewing personnel? Dare I say it: likely, you currently aren’t. As a result, like most organizations, you might be planning for and addressing cybersecurity Band-Aid style, reacting to each threat only once you understand it and feel the dollar value of its effect. Guess who benefits?
Hackers thrive on these business failures and assumptions about cybersecurity and the imbalance they create. IT departments assume they have cybersecurity covered, and executives assume IT has it taken care of. But in a healthy environment, the primary goals and objectives of IT and cybersecurity actually exist in contradiction to one another — creating natural harmony through push-pull. The primary goal of IT is to ensure the user’s work efficiency and the customer’s experience by enabling seamless access to systems, data, and applications; while the primary goal of cybersecurity is to create checks and balances, slowing work efficiency and access to systems, data, and applications.
Responsible cybersecurity planning and budgeting
None of this is meant to blame our IT teams. When leaders don’t consider or make strong business decisions around cybersecurity, businesses lose money, and that’s not IT’s fault. As an executive, you must have an independent and holistic perspective of what’s happening in your business.
It takes educated, receptive business leaders throughout the organization coordinating with both IT and cybersecurity experts to responsibly plan, budget, and drive purchasing decisions for cybersecurity. Leaders must understand cybersecurity risks and needs across the business, and there must be a cyber push-pull behind every strategic and tactical decision.
What does this look like in practice? As a start, the budgeting process for cybersecurity needs to be considered at the business level, not just at the IT level. It requires a top-down approach, with identified controls pushed down throughout the organization and a business framework to hold it all together.
You already have a full plate — we understand. But cybersecurity needs to be a priority for the C-suite, not only for IT. Developing a holistic cybersecurity strategy, budget, and plan doesn’t have to be time-intensive or overwhelming. Start by engaging your trusted cybersecurity experts, IT, and cybersecurity director (if you have one) and assessing your specific cybersecurity risks. Remember that hackers love it when you and your team make assumptions. Don’t play into their hands.