Operations

1/7/2015
10:30 AM
Jason Polancich
Jason Polancich
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

Its Time to Treat Your Cyber Strategy Like a Business

How do we win against cybercrime? Take a cue from renowned former GE chief exec Jack Welch and start with a clearly-defined mission.

The backbone of our modern world is business. Building and sustaining a successful business is about more than good ideas. It’s about following core, time-tested principles and continuously adjusting as needed based on a variety of conditions.

Most businesses manage these principles at the highest levels of the organization and across the organization as a whole. At the same time, these principles are also applied to individual divisions of business operations such as sales, marketing, or finance departments that are considered “top-level” concerns.

Yet most businesses don’t today consider their cyber security operations as a top-level concern. They don’t yet apply the same management, core business principles, and focus that are applied elsewhere to what is quickly emerging as one of the most critical business operations in and of itself -- in how it affects the rest of the enterprise domains.

Almost every day now, cybercrime is exposing business risks across companies, across industry, and in businesses large and small:

  • Raw theft of dollars and cents
  • Damage to brand and reputation
  • Lost or stolen intellectual property 
  • Direct impact to customers 
  • Data breach and loss
  • Litigation from partner and customers 
  • And the list goes on

These sound very much like typical top-level business concerns to me. The crux of the matter is that in order for organizations to be competitive and successful, they must practice effective cyber security management.

Today, unfortunately, cyberdefense is treated mostly as a set of tactics -- hardware, software, and personnel all engaged in a technical exercise of pushing buttons and pulling levers -- which is a short-view approach. Long-term cyber resiliency is built on solid processes and strategy made possible by a formal and diligent data-collection and analysis function -- just as organizations treat threats to sales, financial, product development, or marketing strategies.

Arguably one of the most respected (and certainly recognized) business leaders of our time is Jack Welch, who helmed one of the most recognized brands in business through 40 years of market success and dominance by following core, time-tested principles of management, tactics, and strategy focused on winning over the long haul. Through his process, the value of General Electric rose 4,000% during his tenure.

Over his career, Welch published many books that are widely regarded as living business-management archetypes. Let’s apply a few of the myriad lessons from his latest book, Winning: The Ultimate Business How-To Book, to cyberbusiness management. The first place to start is defining your overall mission.

On mission: How do we intend to win against cybercrime?
Most industry leaders are grappling with cyberdefense, which isn’t easy and changes almost daily. Plus, for most leadership teams, it simply isn’t clear how cyber impacts key business areas. These issues are no excuse in Jack Welch’s world. For Jack, the mission begins and ends with senior leadership stepping up to define it and own it:

Setting the mission is top management’s responsibility. A mission cannot, and must not, be delegated to anyone except the people ultimately held accountable for it.

It all starts at the top with a clear, informed mission statement for how a business wins. For Jack, it’s a fairly simple and straightforward process:

  • Gather data.
  • Define who you are, simply and clearly, then state it for all to see.
  • Get everyone living and working by it immediately with positive, honest energy.

For most businesses, this is tough when it comes to the cyberdefense mission. It’s easier to understand defining your mission and who you are as a whole when you’re selling hamburgers or making aftermarket car parts. But how do you state how you’re going to win against cybercrime? Dig a little deeper and it’s not as different as you think.

For either the hamburger scenario or the car-parts plan, the mission statement is based on gathering key data about your business:

  • What do you provide, where, and to whom? How you do it?
  • What are your key differentiators?
  • Who is your competition and how do you compare/contrast?

All of these questions can be answered once you diligently and scrupulously begin collecting data. Your cybermission isn’t any different.

  • Who are you and what do you provide?
  • How is that product or service delivered?
  • What do you have that’s most attractive to cyber criminals?
  • What are your exposures and where?
  • What multiple parts of your business can be most impacted by cyberthreats?
  • How can these threats affect the company’s customers, your products, or your ideas and trade secrets?

The answers to these questions and more will bring into quick focus a profile of who you are as a cybertarget.

More importantly, these questions (and answers) help define at a high level how you can best defend yourself (i.e. win) by crystallizing for everyone what’s important. Armed with this info, you can rally the entire organization -- not just the information security team -- around a clear idea of how you overcome such difficulties. It helps everyone understand what’s vulnerable and what role all can play in making your business more secure -- even in areas you wouldn’t normally think of as cyber-related or vulnerable.

How many businesses have you seen outline a “how we win” cyber strategy clearly and openly for their employees? Personally, I never see it happen, but how important is this becoming? Gather the data, profile yourself, state your mission, and spread the word.

Jason Polancich is co-founder, app designer and digital marketing lead for Musubu.io. Polancich is also a linguist, software engineer, data scientist, and intelligence analyst. He originally founded HackSurfer/SurfWatch Labs (Pre-VC), a cyber analytics firm founded in 2013 ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JasonPolancich
50%
50%
JasonPolancich,
User Rank: Author
1/9/2015 | 10:08:12 AM
Re: Sample mission statement
So, a friend of mine has a business providing mobile medical portal applications for helathcare chains...Here's a paraphrase:

We strive to deliver the most convenient, private and secure ways to manage your personal health information on the most widely-used mobile devices available. We are committed to building and budgeting security into every thing we do, whether it be software development, data handling, our internal people processes and our customer relationships so that you, our customers, can be assured that every employee at _______ considers your security part of his or her job.

 

It continues to discuss forthrightness in cases of incidents, etc.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/9/2015 | 9:50:03 AM
Re: Sample mission statement
By including in a company's mission statement specifies on how, given what they offer, they will put their customers cyber safety in the foremost of their mission right alongside their core product delivery not only reflects the commitment of an organization to protect data, secure web apps, make safe transactions, be good stewards of your PII and more, it also tells the employees just how much it matters (assuming they back it up with real organizational commitment to cyber defense.)


Couldn't agree more. but I'd still like to see a cybersecurity mission statement boiled down to the essential 25 (50, 100?) words..
PZav
50%
50%
PZav,
User Rank: Author
1/8/2015 | 5:56:34 PM
Technical Challenge
Based on this post it seems like in your experience, most businesses look at information security in the same way they look at maintance or even infrastructure. If I do/fix A then I will solve problem B. However, cyber security really isn't that simple is it? I think most leaders will be better off treating security as a desired but impossible state. The focus should shift towards damage control.

Limiting damage is a partnership between security, executive leadership and marketing. There are of course technical requirenments, but there is also a need for proper spin control. For instance, Sony having the FBI and FireEye claim that the attack was unique and could've breached 9 out of 10 companies (when we all know it was a standard attack) was good spin. Of course its true, but nothing about this attack was so unique that such a statement was used for any other reason than to let Sony off the hook. The key is to limit the damages and demonstrate pro-active responsibility. In that area there is still a gap to be filled.
JasonPolancich
50%
50%
JasonPolancich,
User Rank: Author
1/8/2015 | 3:42:04 PM
Re: Sample mission statement
Marilyn,
Well, cyber mission statements (or mission statements that weave in cybersecurity objectives) are, as I point out, largely nonexistent for most companies I have encountered. I am beginning to see folks assert their commitment to security and safety in some nascent companies who get it (and for whom security is part of the identity), but for the most part we're still dealing with the much larger cyber-related disease in corporate America we all know as "Ostrich Security."

That said, as we're seeing in retail and banking and even healthcare, daily cyber security concerns are actually becoming intertwined with a company's core offerings and products. These concerns are linked in real ways to the things that make the business fail or succeed. The point to make from this Part 1 (there's more in my second part of this post that expands on what's here around mission statement) is that cyber is become so pervasive a concern to organizations that is deserves to be elevated into the very core mission of the company itself alongside what makes them "them" as far as their products, services, delivery, discriminators and - most importantly - their employees go. There's a bank out there with the mission statement of becoming, and Im paraphrasing to protect the innocent, the most respected provider of financial transaction services. It would seem to me to make sense that "secure" and other words setting serious security objectives be rolled into that too to drive home for their customer and employees that "secure" is who they are.

For example, let's take the mission statement of a very well known national retail chain:

Guided by relentless focus on our five imperatives, we will constantly strive to implement the critical initiatives required to achieve our vision. In doing this, we will deliver operational excellence in every corner of the Company and meet or exceed our commitments to the many constituencies we serve. All of our long-term strategies and short-term actions will be molded by a set of core values that are shared by each and every associate.



I wont say who that is, but let's just say cybercrime is not their friend of late.

For the most part, it's high-level, vague and could apply to almost any organization, selling or offering almost anything. Do the leaders and employees take this kind of mission statement to heart? Does it make them more diligent or more responsible as far as the performance of their daily routines? Does it make them care about product or service delivery by imbuing their daily routine with any extra reflection on what make them better, different or, in the case if cyber security, more safe? Does it even drive to their employees any ideal in particular? Our sense of quality? I say no.

What I'm getting at here is that all companies in this day and age must begin to really appreciate the risks they face each day in this hyper-connoted world of constant cyber attack and cybercrime. By including in a company's mission statement specifies on how, given what they offer, they will put their customers cyber safety in the foremost of their mission right alongside their core product delivery not only reflects the commitment of an organization to protect data, secure web apps, make safe transactions, be good stewards of your PII and more, it also tells the employees just how much it matters (assuming they back it up with real organizational commitment to cyber defense). That it is a part of everything they do and, hopefully, it even seeps, in small ways, into their subconscious routine each and every day when carrying out their work.

One thing is clear today. Business leadership may not get it yet, but customers are starting to.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/8/2015 | 9:26:56 AM
Sample mission statement
Interesting idea, Jason. But I'd like to hear some real word examples of cybersecurity mission statements. Do you have any you can share?
SgS125
50%
50%
SgS125,
User Rank: Ninja
1/8/2015 | 9:23:00 AM
Risk Management
So basically we just continue to work on risk management as we have always done.

Jack was great at leading people, lets just leave it at that.
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20735
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
CVE-2019-0624
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
CVE-2019-0646
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
CVE-2019-0647
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.
CVE-2018-20727
PUBLISHED: 2019-01-17
Multiple command injection vulnerabilities in NeDi before 1.7Cp3 allow authenticated users to execute code on the server side via the flt parameter to Nodes-Traffic.php, the dv parameter to Devices-Graph.php, or the tit parameter to drawmap.php.