As I write this article in April 2022, I can point to ostensibly positive changes in the way organizations are required to think about cybersecurity. The White House has issued several executive orders on cybersecurity, and multiple tracks are coming out of the legislative and executive branches of the federal government. The Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, the Federal Secure Cloud Improvement and Jobs Act, the Strengthening American Cybersecurity Act, and the Securities and Exchange Commission's proposed "Cybersecurity Rules and Amendments for Registered Investment Advisers, Registered Investment Companies and BDCs" all require strengthened cybersecurity maturity.
This is, of course, happening against a backdrop of a war in Ukraine that has strong cyber ramifications for many organizations globally; a slate of statistics that continue to show cyber-related losses growing both in number and in dollar value; and even the defense industry, which is considered cyber "mature," suffering from cyber events. Perhaps worse yet, many municipalities are throwing up their hands in desperation and saying, "we don't even know where to start."
Besides the fact that organizations, municipalities, and government agencies aren't doing well enough, what else do they have in common? Two key themes:
- They are facing 21st century threats with a 20th century defense approach
- Cyber Leaders (Chief Information Security Officers) aren’t considered Business Leaders
The data on organizational response to cyber threats is depressing, and regardless of your source, how you choose to measure it, or your feelings about legislation, it all shows the same theme: the threat actors are winning, it is profitable for them, and they are motivated. As our adversaries incorporate artificial intelligence, machine learning, and quantum computing techniques, most organizations are still asking whether they need to spend money on encrypting everything, or why they can't keep using their legacy systems. In other words, do they really need foundational cybersecurity?
This brings us to leadership. If you have a Chief Information Security Officer (CISO), they most likely report to the Chief Information Officer. In its Shields Up guidance to corporate leaders and CEOs, the Cybersecurity & Infrastructure Security Agency (CISA) calls out the need to empower CISOs: "In nearly every organization, security improvements are weighed against cost and operational risks to the business. In this heightened threat environment, senior management should empower CISOs by including them in the decision-making process for risk to the company, and ensure that the entire organization understands that security investments are a top priority in the immediate term."[1]
Most individuals don't understand the complexity underlying the most mundane of tasks, such as turning on the kitchen light. You flip a switch, and the light comes on just as it has since the invention of electricity. Except that in many homes today, the action of "flipping the switch" means that a smart switch recorded an input (the "flip") and sent a message to a cloud provider ("switch flipped"), and the cloud provider responded by directing the smart bulb to "turn the light on to X% brightness and Y color." That is a very simplified version of what happens, but it conveys that there is no longer a binary state of power on or off, that multiple parties are involved, and that there is now a strong need for secure digital operations. The example was turning on a kitchen light, something most people just assume will always work. Running a business is inherently and vastly more complex, with digital dependencies everywhere. As a CEO, if you don't have a trusted, capable CISO on your leadership team, you are missing critical inputs to your business decisions.
By investing in people, process, and technologies that work together to make a robust cyber defense for today's threats, you are also investing in a foundation that makes it easier to protect against future threats. We know that the encryption considered strong today will fail quickly when quantum computers are used to break it. By embracing encryption today, you are lowering your risk of breaches and exposure while building out the business processes, employee experience, and foundational cyber architecture needed to move to quantum-proof encryption in the future.
Having a CISO reporting directly to the CEO tangibly demonstrates that the organization is committed to its governance, risk, and compliance efforts by treating active cybersecurity improvement as the bloodstream that animates and protects all of its people, process, and technology decisions. By embracing cybersecurity leadership that incorporates this perspective and these practices into the culture of the organization, the organization will deliberately move in a beneficial and purposeful way to improve cybersecurity. As the leadership message is inculcated in the organization, the organization gains additional resiliency.
No amount of planning, technology, or luck can prevent an organization from being attacked, and some attacks will be successful. Leadership can, however, mature an organization so that it minimizes the damage, gets quickly onto a path to recovery, and reassures investors and customers that the way leadership responded to the incident is why they should want to continue and invest in their relationship with you. Leading an organization to cybersecurity is a deliberate process that primes the improvement of the entire organization.
About Stephen Gilmer
Stephen Gilmer, Certified Chief Information Security Officer (C|CISO), is a Managing Director in the Compliance, Risk & Resilience group at B. Riley Advisory Services with more than 30 years of experience as a cybersecurity expert and executive leader focused on securing companies’ most sensitive and valuable data and systems.
Stephen previously was in-house CISO at both a biotechnology startup and at two Fortune 10 aerospace, defense, and technology companies. In these roles, he designed and implemented sensitive data and IP security control programs; shaped policy at the national level and security framework formation; and proactively resolved complex investigation, audit, and regulatory oversight issues.
Mr. Gilmer has deep experience and firsthand knowledge of the challenges facing the Defense Industrial Base and defense contractors. He helped to shape how the original Cyber DFARS clause (252.204-7012) was required to be implemented and is now helping organizations prepare to meet the Cybersecurity Maturity Model Certification (CMMC) mandated by the DoD. Stephen has helped start-ups, defense-only organizations, and multi-billion-dollar mixed commercial/defense organizations with their CMMC preparations. His guidance has spanned all levels of the organization, from board strategy and legal and compliance support to IT technical guidance. B. Riley Advisory Services works with lenders, law firms, private equity sponsors, and companies of all types.
[1] https://www.cisa.gov/shields-up