

10:30 AM
Jason Polancich

It's Time to Treat Your Cyber Strategy Like a Business

How do we win against cybercrime? Take a cue from renowned former GE chief exec Jack Welch and start with a clearly-defined mission.

The backbone of our modern world is business. Building and sustaining a successful business is about more than good ideas. It’s about following core, time-tested principles and continuously adjusting as needed based on a variety of conditions.

Most businesses manage these principles at the highest levels of the organization and across the organization as a whole. At the same time, these principles are also applied to individual divisions of business operations such as sales, marketing, or finance departments that are considered “top-level” concerns.

Yet most businesses today don't consider their cybersecurity operations a top-level concern. They don't yet apply the same management, core business principles, and focus they apply elsewhere to what is quickly emerging as one of the most critical business operations in its own right -- in how it affects every other domain of the enterprise.

Almost every day now, cybercrime is exposing business risks across companies, across industry, and in businesses large and small:

  • Raw theft of dollars and cents
  • Damage to brand and reputation
  • Lost or stolen intellectual property 
  • Direct impact to customers 
  • Data breach and loss
  • Litigation from partners and customers
  • And the list goes on

These sound very much like typical top-level business concerns to me. The crux of the matter is that in order for organizations to be competitive and successful, they must practice effective cyber security management.

Today, unfortunately, cyberdefense is treated mostly as a set of tactics -- hardware, software, and personnel all engaged in a technical exercise of pushing buttons and pulling levers -- which is a short-view approach. Long-term cyber resiliency is built on solid processes and strategy made possible by a formal and diligent data-collection and analysis function -- just as organizations treat threats to sales, financial, product development, or marketing strategies.

Arguably one of the most respected (and certainly recognized) business leaders of our time is Jack Welch, who helmed one of the most recognized brands in business through 40 years of market success and dominance by following core, time-tested principles of management, tactics, and strategy focused on winning over the long haul. Through his process, the value of General Electric rose 4,000% during his tenure.

Over his career, Welch published many books that are widely regarded as living business-management archetypes. Let’s apply a few of the myriad lessons from his latest book, Winning: The Ultimate Business How-To Book, to cyberbusiness management. The first place to start is defining your overall mission.

On mission: How do we intend to win against cybercrime?
Most industry leaders are grappling with cyberdefense, which isn’t easy and changes almost daily. Plus, for most leadership teams, it simply isn’t clear how cyber impacts key business areas. These issues are no excuse in Jack Welch’s world. For Jack, the mission begins and ends with senior leadership stepping up to define it and own it:

Setting the mission is top management’s responsibility. A mission cannot, and must not, be delegated to anyone except the people ultimately held accountable for it.

It all starts at the top with a clear, informed mission statement for how a business wins. For Jack, it’s a fairly simple and straightforward process:

  • Gather data.
  • Define who you are, simply and clearly, then state it for all to see.
  • Get everyone living and working by it immediately with positive, honest energy.

For most businesses, this is tough when it comes to the cyberdefense mission. It’s easier to understand defining your mission and who you are as a whole when you’re selling hamburgers or making aftermarket car parts. But how do you state how you’re going to win against cybercrime? Dig a little deeper and it’s not as different as you think.

For either the hamburger scenario or the car-parts plan, the mission statement is based on gathering key data about your business:

  • What do you provide, where, and to whom? How do you do it?
  • What are your key differentiators?
  • Who is your competition and how do you compare/contrast?

All of these questions can be answered once you diligently and scrupulously begin collecting data. Your cybermission isn’t any different.

  • Who are you and what do you provide?
  • How is that product or service delivered?
  • What do you have that’s most attractive to cyber criminals?
  • What are your exposures and where?
  • What multiple parts of your business can be most impacted by cyberthreats?
  • How can these threats affect the company’s customers, your products, or your ideas and trade secrets?

The answers to these questions and more will bring into quick focus a profile of who you are as a cybertarget.

More importantly, these questions (and answers) help define at a high level how you can best defend yourself (i.e. win) by crystallizing for everyone what’s important. Armed with this info, you can rally the entire organization -- not just the information security team -- around a clear idea of how you overcome such difficulties. It helps everyone understand what’s vulnerable and what role all can play in making your business more secure -- even in areas you wouldn’t normally think of as cyber-related or vulnerable.

How many businesses have you seen outline a “how we win” cyber strategy clearly and openly for their employees? Personally, I never see it happen, but how important is this becoming? Gather the data, profile yourself, state your mission, and spread the word.

Jason Polancich is co-founder, app designer and digital marketing lead for Musubu.io. Polancich is also a linguist, software engineer, data scientist, and intelligence analyst. He originally founded HackSurfer/SurfWatch Labs (Pre-VC), a cyber analytics firm founded in 2013 ...

User Rank: Apprentice
7/22/2020 | 3:17:15 AM
Re: Risk Management
What a wonderful article post. You have done a great job; such brilliant information. I am really impressed by this stuff, I love it, dear.

John Dutton Jacket
User Rank: Author
1/9/2015 | 10:08:12 AM
Re: Sample mission statement
So, a friend of mine has a business providing mobile medical portal applications for healthcare chains... Here's a paraphrase:

We strive to deliver the most convenient, private and secure ways to manage your personal health information on the most widely-used mobile devices available. We are committed to building and budgeting security into everything we do, whether it be software development, data handling, our internal people processes or our customer relationships, so that you, our customers, can be assured that every employee at _______ considers your security part of his or her job.


It continues to discuss forthrightness in cases of incidents, etc.
Marilyn Cohodas
User Rank: Strategist
1/9/2015 | 9:50:03 AM
Re: Sample mission statement
By including in a company's mission statement specifics on how, given what they offer, they will put their customers' cyber safety at the forefront of their mission right alongside their core product delivery not only reflects the commitment of an organization to protect data, secure web apps, make safe transactions, be good stewards of your PII and more, it also tells the employees just how much it matters (assuming they back it up with real organizational commitment to cyber defense).

Couldn't agree more, but I'd still like to see a cybersecurity mission statement boiled down to the essential 25 (50, 100?) words.
User Rank: Author
1/8/2015 | 5:56:34 PM
Technical Challenge
Based on this post it seems like, in your experience, most businesses look at information security the same way they look at maintenance or even infrastructure: if I do/fix A then I will solve problem B. However, cyber security really isn't that simple, is it? I think most leaders will be better off treating security as a desired but impossible state. The focus should shift towards damage control.

Limiting damage is a partnership between security, executive leadership and marketing. There are of course technical requirements, but there is also a need for proper spin control. For instance, Sony having the FBI and FireEye claim that the attack was unique and could've breached 9 out of 10 companies (when we all know it was a standard attack) was good spin. Of course it's true, but nothing about this attack was so unique that such a statement was used for any other reason than to let Sony off the hook. The key is to limit the damages and demonstrate proactive responsibility. In that area there is still a gap to be filled.
User Rank: Author
1/8/2015 | 3:42:04 PM
Re: Sample mission statement
Well, cyber mission statements (or mission statements that weave in cybersecurity objectives) are, as I point out, largely nonexistent for most companies I have encountered. I am beginning to see folks assert their commitment to security and safety in some nascent companies who get it (and for whom security is part of the identity), but for the most part we're still dealing with the much larger cyber-related disease in corporate America we all know as "Ostrich Security."

That said, as we're seeing in retail and banking and even healthcare, daily cyber security concerns are actually becoming intertwined with a company's core offerings and products. These concerns are linked in real ways to the things that make the business fail or succeed. The point to make from this Part 1 (there's more in my second part of this post that expands on what's here around mission statements) is that cyber is becoming so pervasive a concern to organizations that it deserves to be elevated into the very core mission of the company itself alongside what makes them "them" as far as their products, services, delivery, discriminators and - most importantly - their employees go. There's a bank out there with the mission statement of becoming, and I'm paraphrasing to protect the innocent, the most respected provider of financial transaction services. It would seem to me to make sense that "secure" and other words setting serious security objectives be rolled into that too, to drive home for their customers and employees that "secure" is who they are.

For example, let's take the mission statement of a very well known national retail chain:

Guided by relentless focus on our five imperatives, we will constantly strive to implement the critical initiatives required to achieve our vision. In doing this, we will deliver operational excellence in every corner of the Company and meet or exceed our commitments to the many constituencies we serve. All of our long-term strategies and short-term actions will be molded by a set of core values that are shared by each and every associate.

I won't say who that is, but let's just say cybercrime is not their friend of late.

For the most part, it's high-level, vague and could apply to almost any organization, selling or offering almost anything. Do the leaders and employees take this kind of mission statement to heart? Does it make them more diligent or more responsible as far as the performance of their daily routines? Does it make them care about product or service delivery by imbuing their daily routine with any extra reflection on what makes them better, different or, in the case of cyber security, more safe? Does it even drive to their employees any ideal in particular? Our sense of quality? I say no.

What I'm getting at here is that all companies in this day and age must begin to really appreciate the risks they face each day in this hyper-connected world of constant cyber attack and cybercrime. Including in a company's mission statement specifics on how, given what they offer, they will put their customers' cyber safety at the forefront of their mission right alongside their core product delivery not only reflects the commitment of an organization to protect data, secure web apps, make safe transactions, be good stewards of your PII and more; it also tells the employees just how much it matters (assuming they back it up with real organizational commitment to cyber defense). That it is a part of everything they do and, hopefully, it even seeps, in small ways, into their subconscious routine each and every day when carrying out their work.

One thing is clear today. Business leadership may not get it yet, but customers are starting to.
Marilyn Cohodas
User Rank: Strategist
1/8/2015 | 9:26:56 AM
Sample mission statement
Interesting idea, Jason. But I'd like to hear some real word examples of cybersecurity mission statements. Do you have any you can share?
User Rank: Ninja
1/8/2015 | 9:23:00 AM
Risk Management
So basically we just continue to work on risk management as we have always done.

Jack was great at leading people, let's just leave it at that.