The backbone of our modern world is business. Building and sustaining a successful business is about more than good ideas. It’s about following core, time-tested principles and continuously adjusting as needed based on a variety of conditions.
Most businesses manage these principles at the highest levels of the organization and across the organization as a whole. At the same time, these principles are also applied to individual divisions of business operations such as sales, marketing, or finance departments that are considered “top-level” concerns.
Yet today most businesses don’t consider their cyber security operations a top-level concern. They don’t yet apply the same management, core business principles, and focus that are applied elsewhere to what is quickly emerging as one of the most critical business operations in its own right -- because of how it affects every other enterprise domain.
Almost every day now, cybercrime is exposing business risks across companies, across industry, and in businesses large and small:
- Raw theft of dollars and cents
- Damage to brand and reputation
- Lost or stolen intellectual property
- Direct impact to customers
- Data breach and loss
- Litigation from partners and customers
- And the list goes on
These sound very much like typical top-level business concerns to me. The crux of the matter is that in order for organizations to be competitive and successful, they must practice effective cyber security management.
Today, unfortunately, cyberdefense is treated mostly as a set of tactics -- hardware, software, and personnel all engaged in a technical exercise of pushing buttons and pulling levers -- which is a short-view approach. Long-term cyber resiliency is built on solid processes and strategy made possible by a formal and diligent data-collection and analysis function -- just as organizations treat threats to sales, financial, product development, or marketing strategies.
Arguably one of the most respected (and certainly recognized) business leaders of our time is Jack Welch, who helmed one of the most recognized brands in business through 40 years of market success and dominance by following core, time-tested principles of management, tactics, and strategy focused on winning over the long haul. Through his process, the value of General Electric rose 4,000% during his tenure.
Over his career, Welch published many books that are widely regarded as living business-management archetypes. Let’s apply a few of the myriad lessons from his latest book, Winning: The Ultimate Business How-To Book, to cyberbusiness management. The first place to start is defining your overall mission.
On mission: How do we intend to win against cybercrime?
Most industry leaders are grappling with cyberdefense, which isn’t easy and changes almost daily. Plus, for most leadership teams, it simply isn’t clear how cyber impacts key business areas. These issues are no excuse in Jack Welch’s world. For Jack, the mission begins and ends with senior leadership stepping up to define it and own it:
“Setting the mission is top management’s responsibility. A mission cannot, and must not, be delegated to anyone except the people ultimately held accountable for it.”
It all starts at the top with a clear, informed mission statement for how a business wins. For Jack, it’s a fairly simple and straightforward process:
- Gather data.
- Define who you are, simply and clearly, then state it for all to see.
- Get everyone living and working by it immediately with positive, honest energy.
For most businesses, this is tough when it comes to the cyberdefense mission. It’s easier to understand defining your mission and who you are as a whole when you’re selling hamburgers or making aftermarket car parts. But how do you state how you’re going to win against cybercrime? Dig a little deeper and it’s not as different as you think.
For either the hamburger scenario or the car-parts plan, the mission statement is based on gathering key data about your business:
- What do you provide, where, and to whom? How do you do it?
- What are your key differentiators?
- Who is your competition and how do you compare/contrast?
All of these questions can be answered once you diligently and scrupulously begin collecting data. Your cybermission isn’t any different.
- Who are you and what do you provide?
- How is that product or service delivered?
- What do you have that’s most attractive to cyber criminals?
- What are your exposures and where?
- Which parts of your business can be most affected by cyberthreats?
- How can these threats affect the company’s customers, your products, or your ideas and trade secrets?
The answers to these questions and more will bring into quick focus a profile of who you are as a cybertarget.
More importantly, these questions (and answers) help define at a high level how you can best defend yourself (i.e. win) by crystallizing for everyone what’s important. Armed with this info, you can rally the entire organization -- not just the information security team -- around a clear idea of how you overcome such difficulties. It helps everyone understand what’s vulnerable and what role all can play in making your business more secure -- even in areas you wouldn’t normally think of as cyber-related or vulnerable.
How many businesses have you seen outline a “how we win” cyber strategy clearly and openly for their employees? Personally, I never see it happen, but how important is this becoming? Gather the data, profile yourself, state your mission, and spread the word.