8 December 2019

Why Cybersecurity Isn’t Only a Tech Problem

Thomas Parenty and Jack Domet, cofounders of the cybersecurity firm Archefact Group, say that most organizations are approaching cybersecurity all wrong. Whether they’re running small companies or working in multinational corporations, leaders have to think beyond their IT department and technology systems to instead focus on protecting their businesses’ most important assets from attack. They need to work across functions and geographies to identify key risks, imagine potential threats and adversaries, and develop a plan for combating them. Parenty and Domet are the authors of the HBR article “Sizing up your Cyber Risks,” as well as the HBR Press book A Leader’s Guide to Cybersecurity.

From Apple to JPMorgan Chase to Marriott and British Airways, some of the most sophisticated companies in the world have fallen victim to cyberattacks in recent years. Business-critical activities have been disrupted, customer data has been compromised, and the threats continue. So, what can organizations do to prevent themselves from becoming the next target?

By now, most accept that they need to invest significant cash and resources into cybersecurity capabilities. But, too often, this important job is left to IT leaders rather than the full C-suite and board.

Today’s guests say that organizations need to take a much different approach – with leaders at the very top thinking about cyber risks as not just a technology issue but a significant business problem to be solved.

Thomas Parenty and Jack Domet are cofounders of the cybersecurity firm Archefact Group and coauthors of the HBR article “Sizing up your Cyber Risks,” as well as the HBR Press book A Leader’s Guide to Cybersecurity.

Thomas and Jack, thanks so much for being here.

THOMAS PARENTY: We’re so happy to have the opportunity to talk with you.

JACK DOMET: Thanks for having us.

ALISON BEARD: Presumably, a lot of these companies that are hit take some precautions to protect themselves. So where are they going wrong?

THOMAS PARENTY: We have come to the realization that essentially worldwide, we’re failing at cybersecurity and that in spite of all of the investment and public attention, the number and impact of cyber attacks is only rising. In some sense, that’s the reason that we’re talking right now.

And you can think of our current cybersecurity situation today as comparable to trench warfare in World War I. The progress is negligible, and the casualties are high.

There are several reasons why the focus on cybersecurity and cybersecurity technology ends up undercutting its capacity to protect. First, no company has all of the resources to fix every cybersecurity issue, and not all fixes are equally important. It’s only by starting with a company’s most critical business activities and how cyber attacks could disrupt them that one can start to prioritize this whole process of risk mitigation.

Unfortunately there are many companies who sort of skip the step of first thinking about what are the most important business activities that could be disrupted by a cyber attack, and instead they end up focusing on individual technologies to fix individual problems within their computer systems. The focus on fixing these computer vulnerabilities, it’s seductively dangerous, because there is some value here. However, a company can spend all of its resources, significant resources, fixing these vulnerabilities without ever addressing the fundamental issue, which is protecting the business activities for which the computers were procured.

ALISON BEARD: So you’re basically having the IT department say, well, we’re compliant in best practices for a lot of these systems, when they’re not taking into account sort of the most important business functions that these systems are protecting?

THOMAS PARENTY: There are numerous examples of vendors, including Target, who were compliant with the relevant payment card security standards at the very moment that they were successfully hacked. And for certain companies, especially those in highly regulated industries, such as financial services, they are subject to so many different compliance requirements that what effectively happens is, they translate in their minds being compliant with requirements as equivalent to being adequately protected. And this ends up actually diminishing the security of these companies, as opposed to achieving its goal of increasing protection.

ALISON BEARD: So Jack, you’re the management expert. Why do organizations operate this way? Why aren’t they thinking more holistically about business risks?

JACK DOMET: Well, part of that starts from the fact that since its very inception, cybersecurity has been, it’s come out of the technology department. And it’s been looked at in terms of an attack and defense technology paradigm versus one that’s related to any other complex business risk that a company might face.

Now, there’s no question that given the neglect of cybersecurity over time by most companies in the past, many companies do in fact need to invest more. But as Thomas mentioned, companies like the ones in the financial services space, with really large cybersecurity budgets, don’t nearly get the cyber protection benefit that they should, given the dollars that they spend.

And we have an example of one of our financial services clients that spent about $3 million a year on cyber threat intelligence. But when we ask them for examples as to where they changed their cybersecurity protections or strategies on the basis of this intelligence, they were silent. $3 million, year after year, without any actual result.

ALISON BEARD: And in your experience, is it hard to get non-tech leaders to really understand and get involved in these issues?

JACK DOMET: Well, many companies don’t do it. It isn’t hard to get them engaged on the process if you change the nature of the conversation, if you change the starting point from which these conversations begin. And that really starts with looking at cyber risks as a business risk that could come and occur as a result of a cyber attack.

ALISON BEARD: So how do you kick off that kind of conversation with senior leaders at a company, and the senior tech people?

JACK DOMET: Well, it’s an interdisciplinary process. The approach that we take is, that we introduce, actually, in the article, is called a “cyberthreat narrative”, where we bring resources from across the organization, starting with a business owner, someone who’s running a business unit, someone who has responsibility for P&L, to understand where are the business risks in their organization? What’s actually important? What assets are critical to their operations? What activities do they do that provide competitive advantage to them and their organization and their business unit?

Once those are identified, you’re in a better position to engage with other resources throughout the organization to help quantify what those risks are, and bringing an IT department and your cybersecurity resources to understand what the threat environment might be that might affect those risks in some way or make them come about.

THOMAS PARENTY: One of the dynamics that we are working to change is this perception on the part of non-technical business leaders that the cybersecurity field is so complex, so impenetrable that they would never be able to understand it, and so it just is logical to delegate that, or we should, we actually say abrogate that responsibility to either cybersecurity or IT staff.

Just as is true of every other business domain, what you need to know about it depends on your role and responsibilities. And what boards of directors, senior executives and managers need to know about cybersecurity is significantly different from that required by somebody who is rolling up their sleeves, and if you will, operating on the bits and bytes of a computer.

ALISON BEARD: Yeah. Where have you seen a company that hasn’t been using that cyber threat narrative process go really wrong and miss a big hole in their systems and be attacked?

THOMAS PARENTY: One example that comes to mind is an Asian automobile manufacturer that we worked with a number of years ago, and they had suffered a breach. And in the aftermath of the breach, the cybersecurity team was tasked with making us so secure that this never happens again. And so, the cybersecurity team decided to put the network used for the development of new automobiles inside their corporate network, because they thought, ah, an attacker would need to go through two networks in order to be able to then steal information.

In principle that sounds like a wonderful idea. Except that there were colleagues from other partner companies that work side by side with these automobile manufacturer employees, and they were now locked out. And so the only way that they could get their work done was to create fake employee accounts for all of these external contractors. And they did this knowing that, eh, this was perhaps not the best thing from a cybersecurity perspective, but it’s what they needed to do in order to get their job done.

And so this illustrates a couple of points, one of which is, the cybersecurity people had no idea how the companies that they worked for actually design cars, and so they proposed security mechanisms that both interfered with work and ended up resulting in the company being more vulnerable because all of these outsiders now had complete access to the corporate intranet globally.

The other thing it points out is that when it comes to employees, they are much more motivated by getting the job done for which they are hired and paid, than they are about some abstract concept of cybersecurity. And so the fact that the employees were motivated to get their work done, which they viewed as a good thing, and most companies would agree that employees being resourceful to get their jobs done is a good thing. However, in this particular case, cybersecurity directly got into, interfered with their work, and so they saw no issue whatsoever in going around those protections.

ALISON BEARD: Were they then attacked again?

THOMAS PARENTY: One of the sort of insidious things about this particular situation is, because all of these outsiders were now treated as insiders, we have no idea what they did.

ALISON BEARD: Great. I mean, this is a really important point, because we’re told not to, you know, use open wifi at cafes or ever give our password to anyone. But there are times when you just think, no, I really have to send that email out. The work needs to get done. So how should organizations walk that line between putting in proper precautions, but also ensuring that people still can be efficient?

JACK DOMET: You know, we’ve found that cybersecurity writ large is full of platitudes that seem obvious and compelling at first read, but if you think about them more thoughtfully, they’re sometimes misinformed.

One example where this often comes into play is in a class of cyberattack called phishing. People often open attachments, because you read your email. And occasionally those attachments result in malware being downloaded onto their computers. But you know, and attackers have become savvier over time. It’s not just Nigerian princes who want you to give millions. They will do research that’s specific about you, to your LinkedIn account, etc., so they can deliver a very targeted attack. Yet, the common thing that cybersecurity departments typically put into place is what’s called security awareness training to educate…

ALISON BEARD: I just completed mine.

JACK DOMET: You just did.

THOMAS PARENTY: We could then ask what is the value that you derived from taking this security training? Don’t answer that.

ALISON BEARD: I do think I’m more careful. But I think the big thing is, the problem isn’t necessarily starting from a phishing attack.

THOMAS PARENTY: So one of the things that is important to note, and this is something that is illustrated both by your security awareness training, and also by the example from the automobile company, is that while it is common for security training to talk about generic good things to do – so if you’re in a wifi hot spot, use a VPN so that the person sipping a latte next to you isn’t also reading your email.

But what is missing is, informing employees about the cybersecurity implications of their own work. And that is something that, only if you are able to tell employees about both the reason for cybersecurity precautions that take into account what they need to do, that you’ll be at a place where cybersecurity awareness training actually is relevant for the person.

And so this requires actually going beyond a list of generic good things to do, to actually looking at how an employee functions in their day to day work life, and how the actions they perform either discourage a cyber attack from being successful or lay the groundwork for a cyber attack on the critical business activity that they are involved in from being effective.

ALISON BEARD: So I mean, every company is a technology company now, because we’re all digital. We might all even be using all the same systems. But our cyber threat narratives will be very different if we’re an oil company, versus a credit card company.

JACK DOMET: Even within a company. Where are your locations? What are your different business units? Each of these have different characteristics. They vary widely. And those might be the products and services that that business unit does, or its location and the regulatory regime and geopolitical environment that lives within that location. Or the supply chain, or their customers or their products and services, etc. All those things add together to drive a very different risk profile.

ALISON BEARD: So you talk in the article about imagining not only the threats, but also who your adversaries are. How do you do that when what you’re trying to do is keep up with criminals who are constantly trying to find new tools and strategies to get at you?

THOMAS PARENTY: So, I would say that the strategies that criminals or others use to attack you is one issue, and it is certainly relevant for cybersecurity staff to keep abreast of the latest techniques that cyber adversaries might use. However, in terms of identifying those cyber adversaries, that is something that is for the most part a very business-oriented activity that doesn’t require technical knowledge.

There are a couple of ways in which companies can start to address that issue. One of which is, what do they have that would be of value to someone else? And that could be the design of a product. It could be a collection of customers. By identifying what a company has that could be of value, that’s one way of looking at it.

Another avenue that companies can take is, is there anything about the business that the company is in, the way in which it operates, that might attract some sort of attacker. With increasing discussions about climate change, companies that are viewed as carbon negative could attract this kind of attention, or if there was a case in which a company was not, or an organization was not being honest about certain of its business practices, that could invite a cyber attacker. And in point of fact, that would be the situation that my former employer, NSA, was in with respect to Edward Snowden.

Depending on where a company operates, the adversaries it might face in one area could be very, very different from the adversaries they could face in another part of their business in another part of the world.

ALISON BEARD: Right. And I don’t want to make it seem like you’re advertising your business, but because these issues are so complicated and so different from function to function and company to company and geography to geography, do organizations need to bring in outside help and expertise?

JACK DOMET: One of the things that we talk about in the book is the importance of building an internal capability to recognize what really, truly drives your cyberrisk going forward. And oftentimes those are changes in the way you do business, because most of those new cyberrisks come less from a new type of technical attack. It’s actually that merger that you’re about to go through, or that new product that you’re about to launch, or that change to that internal application that you have. Those are all things that change the way that you’re doing business, and those changes have implications as it relates to the risk that you face.

ALISON BEARD: So whether the attack is simple or sophisticated, are you all saying that all of these attacks, are you all saying that all of these threats are, I’m going to restate this. OK, so whether an attack is simple or sophisticated, are you saying that companies are able to prevent them if they take the right steps?

THOMAS PARENTY: In all areas of risk, whether it be financial risk, physical risk, or cyberrisk, there are no guarantees that what you do will be sufficient to fend off the attack that you actually face. However, if you actually have focus on knowing what is important to protect, understanding the kinds of cyberattacks that could compromise critical activities, you are in a much, much better place to defend yourself properly than if you take more of a shotgun approach of, well, this is a general vulnerability, and so I’m going to buy a box that takes care of that.

ALISON BEARD: How frequently do leaders of a company or a function need to be reviewing and then revising what their plan is?

JACK DOMET: It’s an ongoing exercise. Right? I mean, it’s not a one-off thing. This is something that’s dynamic. And to our point before in terms of where to look for cyberrisks, where to anticipate them, it generally relates to changes that you’re making to your business, whether it’s a new product that you’re launching, a new geography that you’re getting into, a new supply chain partner that you’re working with, all these point to changes in the way that you do business. These introduce changes in technology, because of the way we work today, and those changes in the technology and the way you do business invite you to do new things with your business that drives new risks.

THOMAS PARENTY: And so in some sense, one answer is that companies need to incorporate into all of the processes used for making change some type of cybersecurity review. Now, this does not have to be, and should not be a terribly onerous and time-consuming activity, because, one, that will get in the way of doing business, and as we’ve discussed previously, people will find a way around it. But it is important to make sure that when companies are undertaking the changes that will introduce new cyber risk, that they are at least paying attention to that.

ALISON BEARD: Are there ways that companies should restructure themselves to make sure that people at every level and in every part of the organization are thinking about cybersecurity in a more careful way?

JACK DOMET: Yeah, I mean, it’s about building – there’s a few different things. One area that we look at is building an internal organizational capability to deal with this change management process that companies go through.

As Thomas was mentioning, you need to have cybersecurity reviews as you change your business, just like you look at other risks when you’re making changes to your business. So you need to make sure you have the requisite organizational capability to deal with that going forward.

Another area where we think about organization and cyber is where you put that capability. Where do you put the capability for managing cybersecurity? Many companies, including probably two-thirds of the Fortune 500, have what’s called a chief information security officer, commonly referred to as a CISO, to have rolled up responsibility for dealing with cyberrisk and deciding what risks need to be managed and what investments need to be made.

But there are some issues in terms of where that CISO might report. Oftentimes, because this has traditionally been a technology issue, the CISO may report to a CIO, a chief information officer, who would be responsible for developing software or deploying computer capabilities. But the incentives for someone who’s in charge of security, and incentives for someone who’s in charge of building applications, they’re very different.

ALISON BEARD: Yeah. So that person should maybe be reporting to the CEO instead?

THOMAS PARENTY: The CEO, while it would appear to be the best place for cybersecurity to report to, actually is not, because one of the longstanding problems with cybersecurity is that it has lived in a silo, frequently within the IT department, but it lives someplace else that made it very easy for other business leaders to ignore it, and say, it’s somebody else’s problem.

And so if it reported to the CEO, the natural conclusion would be, ah, it’s taken care of after all. It reports to the CEO. But a good CEO is successful because the people who work for him get things done.

Based on our experience, when a company is looking for a home for the cybersecurity organization, they should first look at where their most significant cyber risks reside. As well as finding a corporate home where the interests of the manager of cybersecurity are completely aligned with the executive to whom he or she reports.

ALISON BEARD: So we’ve been talking about a lot of big companies. How should smaller organizations deal with these threats? You know, on one hand, they’re less likely to be targets. But then on the other hand, they have less money to invest and sort of fewer resources to throw at it.

THOMAS PARENTY: So our advice for companies of any size is the same. Focus on your company’s most significant activities and the business risks they face. And then you can think about how a cyber attack could cause these risks to materialize.

Several years ago I was talking with an electrician who was doing some work in my house. When he learned I worked in the cybersecurity field, he told me he needed a firewall. When I asked why, he replied that he thought his business partner was cheating him. I told him a firewall wouldn’t help reduce his risk because firewalls help protect against attacks originating from the Internet, not from the office where both he and his partner sat.


THOMAS PARENTY: That he immediately jumped from a cyberrisk, his partner misusing computers to steal from him, to a technology fix is common, and therefore completely understandable. That a firewall would come to mind also makes sense because firewalls are well-known, if not well understood.

ALISON BEARD: OK, so let’s say that the worst happens, you know, either you haven’t followed your advice, and you’re hit with an attack, or you have tried your best, and somehow the criminals have still gotten to you. What are some of the best practices for recovering from that?

THOMAS PARENTY: OK, so the first element is that while one should always focus on proactive measures, one does need to take into account that under some circumstances you will have to respond to some sort of cyberbreach. And this is again a responsibility that falls not just to cybersecurity staff, but also to the leadership of a company.

A company needs to have the technical capabilities to respond to the most likely forms of cyber attack on their most critical business activities. If you understand what those activities are and these cyber threats, that is something you can prepare ahead of time.

From an executive perspective, they need to be in a position to make decisions and publicly engage in the aftermath of said cyberattack. Essentially to prethink the consequences and prethink the decisions they will need to make, if you will, in the clear light of day, as opposed to in the fog of war.

ALISON BEARD: So if I’m a manager with no expertise in these issues, where should I start to get more up to speed?

THOMAS PARENTY: It’s something that what they can do is simply have different discussions with the cybersecurity people that they already have in house. Again, start the conversation with, here is a critical business activity. These are the concerns I have as a non-technical business manager in terms of what could go wrong. Now, talk to me, cybersecurity and IT people, about one, what are the systems that support this activity? So I know where you need to prioritize the attention that you give.

And second, talk to me about how the cyber attacks that you know and follow would be able to compromise the systems supporting my business, and what are the sorts of impact? If you have this conversation from the perspective of, talk to me about how my business could be compromised, instead of telling me what vulnerabilities need to be fixed with whatever priority, then you’ll get somewhere.

ALISON BEARD: Thank you all so much for talking with me today.

THOMAS PARENTY: It has been our pleasure.

JACK DOMET: Thanks for having us.

ALISON BEARD: That’s Thomas Parenty and Jack Domet, cofounders of the cybersecurity firm, Archefact Group. They’re also the coauthors of the HBR article, “Sizing Up Your Cyber Risks,” and the HBR Press book, A Leader’s Guide to Cybersecurity.

This episode was produced by Mary Dooe. We get technical help from Rob Eckhardt. Adam Buchholz is our audio product manager. Thanks for listening to the HBR IdeaCast. I’m Alison Beard.
