Understanding the Past and Present Global Business and Management Environment
Abstract
The objective of this chapter is to provide the reader with a basic understanding and philosophy of cyber security within the business environment, including how to communicate with management in “their language.”
Keywords
Business manager; Cyber security office; Cyber security program; InfoSec program; Regular employees; Three C’s; Turf battles
Chapter Objective
The objective of this chapter is to provide the reader with a basic understanding and philosophy of cyber security within the business environment, including how to communicate with management in “their language.”
As we transition from the Information Age to the Knowledge Age, successful organizations are the ones that actively manage their information environment.1
This chapter combines old and new aspects of that environment. It is important to know the past as well as the present, because that combined knowledge of today’s environment is where the cyber security officer works, lives, and plays. The past provides a look down the road traveled and helps explain the logic used to get to the present. Furthermore, it provides the foundation on which the cyber security officer can project and plan a cyber security program that will meet the current and future needs of the business and the expectations of management.
The Changing Business and Government Environments
Businesses and the societies in which they operate need stability to prosper. Prosperity brings jobs, reduces crimes, and leads to more security for all. Security brings more stability. You can’t have one without the other.
Many of the changes in the world environment are the basis for the rapid shifts in the way we do business, both nationally and internationally. Businesses can, and do, adapt to these changes quite rapidly. However, in government agencies, these changes come more slowly and sometimes threaten the agencies’ very existence. For example, a day may come in the not too distant future when the post offices of the world will be unnecessary. E-mails may take the place of letters even for the poorest people of the world, as they will have access to Internet networks. As for packages, commercial firms such as DHL, FedEx, and UPS have already been providing that service for some time. Even contracts these days are electronically signed and there is no need to mail hard copies. However, to be legal, they must be secured to stand up in court.
Clear examples of these changes are the “global marketplace,” business-to-business networks, electronic commerce, electronic business, and the like.
Massive, growing networks such as the Internet, national information infrastructures (NIIs), and global information infrastructures (GIIs) are adopted, and must continually be adapted, by businesses if they are to maintain a competitive advantage—or at least compete—in today’s marketplace. As a cyber security officer, you must find ways to facilitate such growth in a secure and yet invisible manner. That is a challenge for all of us in the profession.
As a cyber security officer, if you try to slow down business and global communications, you will be run over by “progress” and will soon be updating your resume. Business comes first, and if you do not provide a professional cyber security service that supports and enhances the business, what good are you? After all, business is about profits—and remember, you are a “parasite” on the profits of most companies, since your function is identified as an overhead cost.
There is some business, for example, with government agencies, for which the cyber security function is a direct charge to the contract. The problem is that one must meticulously keep track of time spent on the contract work, as charging to a contract when not working on that specific contract results in a fraud against the government, which in turn could lead to being investigated, never to work in the profession again. Why? Because you may be in jail.
As an overhead cost, you do not have direct, hands-on experience in building your company’s widgets, for example. Yeah, yeah, yeah, we all have tried to explain that without cyber security and us, as professional cyber security officers, companies can lose their business and their competitive edge through loss of trade secret information, etc. However, the bottom line is that it appears that most of today’s business executives are in it for the short term, not the long term. Their concern is the “bottom line” for the next quarter to one year. They can easily terminate a cyber security program and take their chances by having auditors audit for compliance with laws and policies and recommend cyber security policies that information technology people can write. Then they can just buy insurance to cover any potential losses and, by the way, the business of buying such insurance is supposedly booming.
So, as today’s cyber security officer, you must do a better job of making yourself part of the “company team” and finding ways to provide value-added and integral services to the company.
In the private sector, telecommunications businesses have become Internet providers as well as leading the drive into mobile communications from laptops, to cell phones, to tablets—and soon wearable devices from watches to other wrist-band gadgets to clothing. As we look into the future, we see more and more people making use of the long-distance voice telephone capabilities of the Internet, at very little additional cost. Then there are the enhanced versions using Skype and FaceTime, for example. The day has arrived when we no longer need a separate telephone in the home or office, except maybe in rural areas. It is becoming a thing of the past.
Speaking of Internet service providers (ISPs), let us take a moment to look at this new business born out of the Internet and see how well it is supporting cyber security and cyber security standards.2
First, a little history of how we got to where we are: The Internet was born in the 1960s and arose out of projects sponsored by the Advanced Research Projects Agency in the United States. It was originally a project to facilitate the sharing of computer resources and enhance military communications. As the Internet was maturing, there were conflicts between the “haves,” who had the use of the Internet, and the “have-nots,” who did not. The haves were computer scientists, engineers, and some others. They argued that the Internet should not be made available to the public. Well, they lost that battle, especially after the business sector found out what a lucrative marketing and public relations tool the Internet could be for reaching potential customers, suppliers, etc. Thus, the ISPs were born.
From that time until now, the Internet has rapidly grown from an experimental research project and tool of the U.S. government and universities to the tool of everyone in the world with a computer. It is the premier global communications medium. With the subsequent development of search engines and, of course, the World Wide Web (Web), the sharing of information has never been easier.
There are many, many ISPs operating and connected all around the globe. We all should know by now that our e-mails don’t go point to point, but hop around the Internet, where they can be gleaned by all those with the resources to read other people’s mail and steal information to commit crimes such as identity theft or collect competitive intelligence information, etc.
So, what’s the point? The point is that there still are ISPs all over the world with few regulations and few, if any, global cyber security standards. Happily, this is gradually changing. So, some ISPs may do an admirable job of protecting our information passing through their systems while others may do little or nothing. Furthermore, as we learn more and more about Netspionage (computer-enabled business and government spying), we learn more and more about how our privacy and our information are open to others to read, capture, change, and otherwise misuse.
In addition, with such “oldies but goodies” programs as SORM in Russia, Internet monitoring in China and elsewhere, global Echelon, and the U.S. FBI’s Carnivore (still Carnivore no matter how often they change the name to make it more “politically correct” or to try to “hide” it from the public), we might as well take our most personal information, tattoo it on our bodies, and run naked in the streets for all to see. Although that may be a slight exaggeration, the point is we have no concept of how well ISPs, or any network connected to your corporation’s networks, are protecting our information.
Now, we are quickly expanding into the world of instant communications through such things as Skype, Twitter, Facebook, and the like. After all, the more rapidly our world changes, the more rapidly we want to react and we want everything—now! Of course there are perhaps hundreds, if not thousands, of examples of ISPs being penetrated or misused, as well as corporate Web sites and their networks. They are in the news on a regular basis and also our networks are constantly under attack from multiple sources—from teenagers to terrorists to competitors to organized criminals.
Understanding the Business Environment
A cyber security program and its supporting organization are not the reason that a business or government agency exists. In the case of a business, the company usually provides a service or a product. The business has certain information or systems networks that are vital to performing its service and producing its product. The purpose of a cyber security program, therefore, is to provide service and support to the business.
To meet the needs of its customers, both internal and external to the company, it is imperative for the cyber security officer to understand the company and the company’s business. This includes the following:
• History
• Products
• Business environment
• Competition
• Long-range plans
• Short-range plans
• Cost of business
• Product value
These are some of the most important parts of a business. Remember, in general, the cyber security program is not a product to be sold in the global marketplace unless that is the business of the corporation; it does not bring in revenue. In fact, cyber security is a cost to the business—unless you can prove that the cyber security program is a value-added service that financially supports the business, assisting in bringing in revenue.
Your cyber security program should, as much as possible, be seamlessly integrated into the systems and processes of at least the core business and all systems connected to that core business.
In this globally competitive economy, there is increasing competition for market shares in the worldwide marketplace. It is important for the cyber security officer to understand this competition and what can be done by the cyber security officer through the cyber security program to enhance business, increasing such things as profits, market shares, and income.
Kenichi Ohmae, in his book, The Mind of the Strategist,3 discusses product/service differentiation in the form of “the strategic three C’s”: the corporation, the customers, and the competition. Corporations and competitors are differentiated by costs. Customers differentiate between the corporation and the competitors by value.
Customers will buy a product that they want (consider of value), if it is a quality product at the right price. Therefore, it is important that the cyber security program add value to the product, and do so at the lowest cost, in order for the business to remain competitive in the marketplace. So, treat the cyber security program as a product that adds value and minimizes costs. Since it is your product, market it and sell it!
Fast, accurate, and complete information provides the opportunity to gain a competitive advantage—assuming of course that the information is correctly acted upon in time to provide that advantage. The responsibility of the cyber security officer is to support this process by assisting in storing, processing, transmitting, and displaying that fast, accurate, and complete information in a secure manner. This support is necessary to assist in providing the company competitive advantage opportunities.
These opportunities to take advantage of information were summarized by Colonel John R. Boyd, U.S. Air Force, as a strategy based on the “OODA loop” (observe–orient–decide–act). Although put forth some time ago, the points made are still valid. The idea is to look at it from the viewpoint that whoever can be the quickest to move through this loop can gain a competitive advantage. Information has always been time dependent and probably is more so today than ever before. That is why it is crucial to be able to have a tighter (using less time) OODA loop than one’s adversaries, whether they be a nation-state, a business, or an individual.
In addition, this advantage is created because the competitor becomes more confused and uncertain over events, and that may influence the competitor’s judgment and decisions. In Patterns of Conflict,4 Boyd concluded that operating inside an opponent’s OODA loop generates uncertainty, doubt, mistrust, confusion, disorder, fear, panic, and chaos.
Case Study
In his book Following the Equator,5 Mark Twain wrote about how one can take advantage if one has information before the competitor and knows how to act on that information. At the time of Twain’s world travels, sharks populated the harbor of Sydney, Australia. The government paid a bounty on sharks. A young man was down on his luck and walking around the harbor when he met an old man who was a shark fisher, who had not caught a shark all night. The old man asked the young man to try his luck. The young man caught a very large shark. As was the custom, the shark was disemboweled, as sometimes one found something of value. As it happened this young man did.
The young man went to the house of the richest wool broker in Sydney and told him to buy the entire wool crop deliverable in 60 days. They formed a partnership based on what the young man found in the shark. It seems that the shark had eaten a German sailor in the Thames River. In the belly of the shark were found not only his remains, some buttons, and a memorandum book discussing the German’s returning home to fight in the war, but also a copy of the London Times that had been printed only 10 days before. At that time, news from London came by ship that took about 50 days. However, sharks traveled faster than the ships of that time. The Times stated that France had declared war on Germany, and wool prices had gone up 14% and were still rising. No other Australian wool brokers or wool producers would know that wool prices were skyrocketing for at least 50 days. By then the young man and his partner, the wool broker, would own all the wool, purchased at the “normal lower price,” and could ship it to Europe for a very handsome profit.
This case study is an example of how accurate information received and acted upon within the competitor’s OODA loop can give one a tremendous advantage in business. So, the old saying “information is power” is probably more true today than ever before, again provided that:
• The information is accurate,
• It is acted upon correctly, and
• It is acted upon before it is acted upon by your competitor.
Management Responsibilities and Communicating with Management
One of the biggest mistakes made by cyber security officers is to assume that they “own” the systems and information. The cyber security officer must remember that the owners of the business, whether it be private ownership or public ownership through the stockholders, make the decisions as to how the business is run. The stockholders do it through the elected members of the company’s board of directors, who are the risk takers. Their responsibilities include making decisions relative to company risks.
As a cyber security officer, you are there because the management believes you have the expertise they need to protect the business’s information systems and the company’s information.
All too often, the cyber security officer gets into the “tail wagging the dog” situation in which the cyber security officer can’t understand why management does not provide the cyber security officer with the support that is needed or wanted. The cyber security officer must keep in mind that if management did not provide at least some support, the company would not employ the cyber security officer!
When decisions are made to process, store, display, or transmit information that goes against the desires of the cyber security officer, many cyber security officers take that personally. Remember, it is not your information! It belongs to the business owners.
Of course, depending on your responsibilities and the authority delegated to you by management, you will probably be responsible for making the majority of decisions that involve cyber security. However, even with that responsibility and authority, the cyber security officer must gain the support and concurrence of others within the company. You were hired to safeguard these valuable systems, networks, information, etc., with the goal of doing so at the lowest cost based on the threats, vulnerabilities, and risks to these systems. You determine that by doing formal risk analyses.
When a cyber security decision must be made and that decision is outside the purview of the cyber security officer, the cyber security officer must elevate the final decision to a higher level of management. Although each company’s culture and policies will dictate when and how that process will be implemented, the cyber security officer should be sure to provide complete staff work on which the management can base the required decision. In other words, the person making the decision must be provided with all the necessary information on which to base the decision. If that information is not provided to upper management, the wrong decision could be made, which may jeopardize the protection of the company’s information and/or systems or may cause the company to incur unnecessary costs.
If you have done your homework—if you have assessed the risks to the information and systems, the protection alternatives, the costs involved, and the benefits involved, and you are in a position to make your recommendations accordingly—then you have done your job.
Before you bring a problem and decision to management, you, the cyber security officer, should be sure that you have addressed the problem by providing management with clear, concise information, using nontechnical language, on which they can base their decision. The following, as a minimum, should be included in that process:
• Identification of the problem
• Possible problem solutions, including cost and benefits
• Recommended solution to the problem, and why
• Identification of who should fix the problem (it may not be a cyber security issue, or it may be one outside your authority)
• Consequences of no decision (no action/no decision is always an option, and sometimes the right one)
Whether it is the responsibility of the cyber security officer to fix the problem or not, the cyber security officer should follow up. Once the problem is fixed, it is always good to contact the other personnel who were at the meeting at which the problem was discussed and the decision made, and advise them either verbally or in writing when the corrective action is completed or the project is closed out.
An excellent gesture would be to send a letter of appreciation to those involved in fixing the problem, with appropriate copies to management. This is especially important if others fixed the problem outside your organization, or if staff outside your organization assisted you in fixing the problem.
It is the responsibility of the business management to make the final decision, unless of course they abdicate that responsibility to you. They, in turn, are held accountable to the owners of the business.
Remember that managers are usually authorized to make decisions related to accepting cyber security-associated risks for only the organizations under their authority. They should not be allowed by the business to make decisions that affect the entire company. If that appears to be occurring, you are obligated to ensure that the manager as well as upper management knows that information. This is of course a sensitive matter and must be handled that way.
A word of caution: Some managers will abdicate their management responsibility to the cyber security officer. As the cyber security officer, you may be flattered by such a gesture, but beware! You may also be getting set up to take the blame for the consequences. These consequences may be due to a decision that you may not have recommended—in fact, it may be a case in which you were in total disagreement with management as to the correct course of action to be taken.
The responsibility of business management is a serious one. Under current laws in many nation-states, managers can be held personally responsible, and possibly liable, for any poor decisions that affect the value of the business. So, your responsibility as a service and support information security (InfoSec) professional is to give management the best advice you can. When their decision is made, do your job by supporting that decision and by ensuring that the information and systems are protected based on that decision.
“JPMorgan spending $250 million on cyber security and going to double it to $500 million in the coming years.”6
There may be times when, in the opinion of the cyber security officer, management makes the wrong decision relative to protection of information. The cyber security officer then has several additional choices:
• Meet with the decision-maker in private to try to convince that person of the consequences of the decision and why it may not be right,
• Appeal the decision to the next level of management,
• Quit the job, or
• Quit the company.
Another word of caution is needed here. Whether the decision is right or wrong, the cyber security officer should document that decision process. The documentation should answer the typical security/investigative questions of who, how, where, when, why, and what.
This is important, not from the standpoint of just another bureaucratic process, but to have a history of all actions taken that are related to cyber security. Thus, when similar instances occur a year or more after the last decision, it can be used as a precedent. This not only helps in making subsequent decisions based on similar instances, but also helps ensure consistency in the application of InfoSec. Inconsistent InfoSec decisions lead to confusion, which leads to not following sound InfoSec policy and causes increased costs to the business. This mirrors the process used by the legal community, in which case law is used to argue a current legal issue. Precedence is a logical process to follow—assuming that the decisions previously made were the correct ones, of course.
If it is subsequently shown that the last decision had unexpected, adverse consequences, then it will help the decision-maker not to make the same mistake again—one would hope. People come and go, but a good historical file will ensure consistency and keep you from having to rely on the memories of people involved—assuming they are even still employed by the company.
For example, assume that a major decision had to be made concerning cyber security, and the decision was determined to be that of management. You, as the cyber security officer, should do the following:
• Lead the effort to resolve the issue,
• Request a meeting,
• Ensure all the applicable personnel are invited, and
• Brief those at the meeting on the situation as stated above.
If you as the cyber security officer are to keep minutes of the meeting, the minutes should include:
• Why the meeting was held,
• When the meeting was held,
• Where the meeting was held,
• Who was at the meeting,
• What information was presented and discussed,
• What the decision was,
• How management made their decision, and
• Who made the decision.
Someone in management should sign the minutes of the meeting showing the results of the meeting—preferably the person who made the final decision. You will find that such decisions are usually verbal, and most managers do not want to sign any document that will place them at risk. So, how do you deal with such issues? There are several methods that can be used, all of which may cause your position as the cyber security officer to be questioned: “not a team player,” “you don’t understand the big picture,” or “you are not a business person, so you don’t understand the situation.” By the way, having an MBA may help in winning this argument.
Even though you have the best interest of the company at heart and it is the basis for your recommendation, and even though you consider yourself a dedicated and loyal employee, in the eyes of some in management you’re not a team player. In other words, you are not on their team.
You will soon find that the position of the cyber security officer is sometimes a risky one. Even if you do the best professional job that can be done or has been done in the history of the cyber security officer profession, office politics must be considered. Such non-cyber security situations will often cause many more problems than the cyber security officer will face in dealing with InfoSec issues, hackers, and the like.
If you do not know about such things as “turf battles” and “protecting rice bowls,” the local bookstore is the place to go. There, you will find numerous books that will explain how to work and survive in the “jungle” of office politics. You may know cyber security, but if you do not know office politics, you may not survive—even with the best cyber security program ever developed. Always remember: “It’s a jungle out there!”
Why is it that way? There are many reasons, but for cyber security officers the primary reason is that you make people do things that they do not consider part of their job. And if they do not follow the cyber security policies and procedures, they could face disciplinary action. So, you, like corporate security personnel and auditors, are not always popular.
Obviously, as the cyber security officer, you want to eliminate or at least minimize that type of image—the “cop” image. It is hard work, but you must constantly try to overcome the negativism that people tack onto the cyber security officer and cyber security. Some ways of countering that negative image can be found throughout this book.
Many business meetings require that minutes be taken. If so, and if you are not responsible for taking the minutes, obtain a copy and ensure that your recommendations are noted in them, as well as who made what decisions. This is the best method of documenting what went on in the meeting.
If the minutes do not adequately describe what has taken place—if, for example, they lack details of what was presented, the potential risks, or who made the final decision (all crucial pieces of information)—then annotate the minutes. Attach any of your briefing charts, sign and date the minutes, then place them in a file in case you want to use them as a reference at a later date.
Another method that can be used, but is more confrontational, is to send a memo to the manager who made the decision in which you document the cyber security options, costs, benefits, and associated risks. You then conclude with a sentence that states, for example, “After assessing the risks I have concluded that the best course of action is option 2.” Leave room for a date and the signature block of the manager you want to sign the document.
The document should be worded professionally and should be as nonintimidating to the manager as possible. Even so, in most cases, you may find that you won’t get a signed copy returned to you if you send it in the company mail.
You should hand carry this document to the manager and discuss it with that person. Imagine yourself in the manager’s position. When you put your signature on such a document, there can be no mistake. You made the decision. If something goes wrong, that letter may document the fact that in retrospect it was a poor decision. No manager—no one—ever wants to be put in that position. Remember that the manager does not have to sign the cyber security document. In fact, no matter how it is presented, you will find most managers will find some way not to sign the document if there is the slightest chance of being second-guessed later. In today’s environment of “touchy-feely don’t-hold-me-responsible” management, today’s cyber security officers are more challenged than ever before to get management to own up to their decisions.
Asking a manager to sign such a document, especially if you have voiced disagreement about the decision, should be a last resort. It should be done only if you feel so strongly about the decision that you are willing to put any possible raise or promotion, or even your employment, on the line. So, you’d better be right, and you’d better strongly believe that it is worth it. Also, as the cyber security officer, you must do this as a cyber security officer professional, a person of integrity and principles.
Even so, you may end up being right, but also right out of a job. Well, no one said that being a cyber security officer professional is easy.
Creating a Competitive Advantage through a Cyber Security Program
To ensure that the cyber security program supports the company’s business services and products, the cyber security officer must think of methods, philosophies, and processes that will help the company in gaining a competitive advantage. Such methods and philosophies should include a team approach. That is, have the company employees and especially management support your cyber security program.
To help in that endeavor, you should strive to insert, in appropriate company policy documents, policies that can help support your efforts. The following are some examples that may be useful in incorporating into company policy documents support for your cyber security program and your quest to assist the company in gaining a competitive advantage through cyber security:
• Managers will ensure a compliant cyber security program within their organization.
• Managers will develop our customers’ trust that their sensitive information will be effectively protected while under our control.
• Managers will employ cost-effective cyber security systems and strive to help keep the price of our company’s services and products as low as possible relative to our competitors.
• Managers will help keep the company’s overhead down through effective loss prevention and assets protection processes.
• Managers will minimize the adverse impact of our cyber security controls on the efficiency of the company’s operational functions by working with the cyber security staff to find the most cost-effective ways of protecting our information assets.
• Managers will proactively find ways to securely and efficiently provide the company’s services and products.
The Cyber Security Officer as a Business Manager
The role of the cyber security officer in managing a cyber security program is somewhat different from the role of the cyber security officer as a manager of the company.
All company managers have some role to play that applies regardless of the manager’s area of responsibility. This also applies to the cyber security officers in management positions. The following items should be considered for implementation by the cyber security officer as a manager within the company:
• Comply with all company policies and procedures, including the intent of those policies and procedures.
• Take no action that will give the appearance of violating applicable company policies, procedures, or ethical standards.
• Implement applicable management control systems within the cyber security organization to ensure the efficient use of resources and effective operations.
• Identify business practices, ethics, and security violations/infractions; conduct inquiries; assess potential damage; direct and take corrective action.
• Communicate with other departments to provide and receive information and guidance for mutual benefit.
• Plan, organize, direct, coordinate, control, report, assess, and refine business activities to achieve quality, cost, schedule, and performance objectives, while retaining responsibility for the results.
• Exercise due diligence to prevent fraud, waste, or abuse.
• Establish and maintain a self-audit process to identify problem areas and take corrective action to eliminate deficiencies.
These items, if made part of the cyber security officer’s philosophy and goals, will not only benefit the company, but also assist the cyber security officer in professionally meeting the cyber security duties and responsibilities as a valued member of the company’s management team. Remember that the cyber security program is a company program. That means you need help from everyone in the company to ensure its success.
Service, Support, and a Business Orientation
In any business, the cyber security officer must strive to balance the required “user friendly” systems demands of management and users with those of cyber security. After all, cyber security, unless it can be proven to be “value added,” thus at least paying for itself, is a parasite on profits or, at the least, has an adverse impact on budgets. This will be a factor to consider as you, the cyber security officer, establish the company’s cyber security processes, programs, plans, projects, budgets, etc.
Remember that the cyber security program must be service and support oriented. This is of vital importance. The cyber security officer must understand that the cyber security program, if it becomes too costly or outdated or does not meet the service and support needs of the business or government agency, will be discarded or ignored. Each of these possibilities will eventually lead to the dismissal of the cyber security officer.
The dismissal of any cyber security officer affects all cyber security officers. The cyber security officer profession is thus damaged, as is our professional credibility and our opportunities to protect vital information for our internal and external customers. It is difficult enough, even in today’s environment, to “sell” a cyber security program. It makes our jobs as cyber security officers harder when one of us fails. The failure of a cyber security officer could be a lesson learned for all cyber security officers. Learn not only from your own failures, but also from those of others.
The word of a cyber security officer’s dismissal and failures does get around within the industry and government agencies, making it much more difficult for the cyber security officer’s replacement to develop a professional InfoSec program. You may be that replacement.
As the cyber security officer, you must constantly update your cyber security program and its processes. You must continuously look at changes in society and technology, plan for those changes, and be prepared to address cyber security ramifications of the installation of new technology into the business before it is installed. You must implement cyber security measures before someone can take advantage of a system vulnerability.
So far, cyber security officers for the most part have been in a reactive mode, with little time to be proactive and put cyber security defenses in place before they are needed! How to do that will be discussed in the following chapters.
Business Managers and Cyber Security
Some cyber security officers may want to talk “techie” to keep business managers in the dark about the “mysteries” of cyber security. They think that it will make the cyber security officer invaluable to the corporation and, therefore, always needed. That is illogical and also works against the cyber security officer. The more the managers and all employees understand about the concepts and philosophies of cyber security, the more they will understand cyber security officer decisions—and also the more supportive they will be.
Corporate management’s knowledge may also challenge a cyber security officer, causing him or her to rethink some decisions and the logic that led to them. That’s good, except for those cyber security officers who do not want to excel and accept such a challenge—in other words, the lazy and unprofessional people in cyber security officer positions. However, in the long run, such criticisms and recommendations are good for the corporation. Why? Because it means that management is actually looking at cyber security and becoming, as they should, a part of the cyber security team.
As a cyber security officer, you should know that the more input you get and the more interested corporate management and employees are in cyber security, the better your cyber security program will become, and the better it will meet the needs of the corporation. It is true that you will probably spend more time in discussions with corporate management, but that is really a good thing. In the long run, your job, if you do it right, will actually be easier.
It should come as no surprise to company managers that they are responsible for the protection of company assets. In today’s information-dependent and information-based companies, it should also come as no surprise that these assets include information. These are facts of business life today and are probably concurred with by 99.9% of the company managers that one could survey. I would say 100%, except that there are always some managers (many of us have met them in our careers) who just don’t seem to get it. So, let’s allot the 0.1% to those managers that just don’t get it.
So, if most company managers agree with that premise, why do so many either battle to negate information and information systems protection (cyber security) instead of supporting cyber security? Maybe they don’t care for anything beyond their paychecks and bonuses. It seems today that there are many of those. It is ironic, but it seems in many companies around the world today that the truly company-loyal people are mostly the “regular employees” and not the managers. Employees are out there working hard and doing their best to help the company succeed. They have a loyalty—though somewhat less than in earlier years—to the company that it seems most of today’s managers do not.
Today’s managers either are so self-centered that they care only about their careers—you see, managers have “careers,” while employees have “jobs”—or are ignorant as to their responsibilities. Let us assume ignorance is their problem. Perhaps they have been promoted into management but no one has ever explained their assets protection responsibilities. That may be because their boss did not know—it was not explained to him or her. Maybe it is because the managers try to avoid that responsibility by hiring someone to provide cyber security. Thus the problem is delegated to someone else. Therefore, when things go wrong, it is not the company manager’s fault; it is the fault of those hired to protect the assets.
Then what can be done about it? Whatever the reason, it is up to the company managers to know their responsibilities and the cyber security professionals to politely remind them of those responsibilities. As the saying goes, “You can delegate authority but not abdicate your responsibilities.”
If you are a company manager reading this, other than a security professional of some kind, congratulations! You are one of the few who are interested in cyber security. May your career rise above the stars. For you others out there, it is assumed you have some responsibility for cyber security or cyber security-related tasks such as fraud prevention or other asset protection. If so, you should provide your company managers information that politely and professionally explains to them that they have some very basic and direct cyber security responsibilities. Lay out those responsibilities to them as part of some awareness e-mail, on an internal company Web page or newsletter—whatever communication form works best in your environment.
The first thing that company managers should be made aware (or reminded) of is that they do have a responsibility for protecting company assets—and some of the most important of those assets are the sensitive information and information systems within their organization.
Company managers should understand the basics of cyber security. It is not rocket science. It is common sense. They should know that the purpose of cyber security is to do the following:
• Minimize the probability of a successful attack on the company’s information,
• Minimize the damage if an attack occurs, and
• Provide a method to quickly recover in the event of a successful attack.
The three basic principles that are the foundation of cyber security are:
• Access control,
• Individual accountability, and
• Audit trails.
These are rather basic and should be easy enough for company managers not versed in cyber security to understand. Once managers understand the cyber security purpose and the three basic principles, the cyber security professional must be able to explain the concepts in detail and how they apply to the individual company managers. Obviously, there is not sufficient space in this entire book to adequately cover that topic. Furthermore, I hope that, as a cyber security officer responsible for protecting these valuable assets within your company, you do understand these concepts and can easily explain them to company managers. If not, failure to clearly communicate and gain support for your program may be your downfall.
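As an added illustration (not code from the book or its author), the three principles can be shown side by side in a small reference monitor: access control is an explicit allow-list, individual accountability means only named identities may act (shared accounts are refused), and the audit trail records every decision, allowed or denied. The users, resources and permissions are constructed sample data.

```python
"""Added example: access control, individual accountability and audit trails
in one minimal reference monitor. All identities, resources and permissions
below are constructed sample data, not a real company's configuration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set


@dataclass
class AuditEvent:
    """One audit-trail entry: who tried what, on which asset, and the outcome."""
    timestamp: str
    user: str          # an individual identity, never a shared account
    action: str
    resource: str
    allowed: bool
    reason: str


@dataclass
class ReferenceMonitor:
    # Access control: per-user allow-list of resource -> permitted actions.
    # Anything not listed is denied (default deny).
    acl: Dict[str, Dict[str, Set[str]]]
    # Individual accountability: generic identities cannot be traced to a
    # person, so they are refused outright (constructed list).
    shared_accounts: Set[str] = field(
        default_factory=lambda: {"admin", "root", "shared", "guest"})
    # Audit trail: append-only record of every decision, not only failures.
    audit_log: List[AuditEvent] = field(default_factory=list)

    def check(self, user: str, action: str, resource: str) -> bool:
        """Decide whether `user` may perform `action` on `resource`."""
        if user in self.shared_accounts:
            return self._record(user, action, resource, False,
                                "shared account not permitted")
        permitted = self.acl.get(user, {}).get(resource, set())
        if action in permitted:
            return self._record(user, action, resource, True,
                                "explicit ACL entry")
        return self._record(user, action, resource, False,
                            "no ACL entry (default deny)")

    def _record(self, user: str, action: str, resource: str,
                allowed: bool, reason: str) -> bool:
        """Append the decision to the audit trail and pass the verdict back."""
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user, action=action, resource=resource,
            allowed=allowed, reason=reason))
        return allowed

    def denied_attempts(self, user: str) -> int:
        """Accountability in practice: denials attributable to one person."""
        return sum(1 for e in self.audit_log
                   if e.user == user and not e.allowed)


# Constructed sample allow-list: alice may only read the payroll database,
# bob may read and write it, nobody else has any entry.
SAMPLE_ACL: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll.db": {"read"}},
    "bob": {"payroll.db": {"read", "write"}},
}

if __name__ == "__main__":
    monitor = ReferenceMonitor(acl=SAMPLE_ACL)
    monitor.check("alice", "read", "payroll.db")
    monitor.check("alice", "write", "payroll.db")
    monitor.check("admin", "read", "payroll.db")
    for event in monitor.audit_log:
        print(event)
```

The point a manager should take from running it is that every one of the three principles is visible in the output: the allow-list decided the verdict, a shared account was refused because it cannot be attributed to a person, and the denied write by alice is on record in the audit trail even though nothing was damaged.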
What Company Managers Should Ask of Their Cyber Security Professionals
Company managers should also be sufficiently knowledgeable to ask intelligent questions about cyber security-related matters, and ideally the company cyber security officer can answer them. Some questions company managers should ask, and some possible answers that the InfoSec officer can give and then explain in more detail, include the following:
• Question: How do you know you are actually under attack and not the victim of misconfigured systems? Answer: You may not know until it is too late; you may never know; you may know, but can’t stop it.
• Question: What are the warning signs of potential or actual attacks? Answer: There may not be any.
• Question: Is it possible to know of pending attacks? Answer: Yes. No. Maybe—depending on conditions.
• Question: What can you do to set up an “imminent” attack warning system? Answer: Base it on history, on the latest techniques identified in CERTs, on target visibility, on your defenses, on your countermeasures, on your use of technology, and on vendor products.
• Question: What is the basis of deploying intrusion detection to assist in countering the attacks? Answer: What is normal activity? What is abnormal? One can compare activity against known attack methods and establish countermeasures, and one must have, as a minimum, a cyber security policy, procedures, and awareness program.
• Question: What must be considered when deploying the intrusion detection system and processes? Answer: Any available tools should be adapted to your unique environment. The intrusion detection process must always be secure, operating, and “foolproof.” It must detect all anomalies and misuse, must have audit-based systems for history, must have real-time monitoring and warnings, and must take immediate action based on each unique attack. Also, one must know what to do if attacked.
• Question: Any other things to consider? Answer: Audit entry ports, especially to critical areas; prioritize processes, shut down others; isolate the problem; and establish alternate routing paths.
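The two detection questions above (“what is normal, what is abnormal?” and “compare activity against known attack methods”) can be shown as working code. This is an added example, not the book's or any product's detection logic: it builds a baseline of normal login hours and sources per user from a constructed authentication log, then flags a later batch of constructed log lines for a known attack pattern (a burst of failures from one source) and for departures from each user's baseline. The log format and the failure threshold are assumptions chosen for the example.

```python
"""Added example: baseline-versus-anomaly and known-pattern detection over
constructed authentication log lines. The log format, hosts, users and the
failure threshold are all assumptions made for this example."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Assumed simplified log format: "<ISO timestamp> auth OK|FAIL user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed: a quiet period used to learn what "normal" looks like.
BASELINE_LOG = [
    "2024-03-01T09:02:11 auth OK user=alice src=10.0.0.5",
    "2024-03-01T10:15:40 auth OK user=alice src=10.0.0.5",
    "2024-03-01T14:03:02 auth OK user=alice src=10.0.0.5",
    "2024-03-01T08:30:00 auth OK user=bob src=10.0.0.7",
    "2024-03-01T17:45:12 auth OK user=bob src=10.0.0.7",
    "2024-03-01T08:31:09 auth FAIL user=bob src=10.0.0.7",  # an ordinary typo
]

# Constructed: a later batch containing a failure burst, an off-hours login
# from an unknown source, and one perfectly normal login.
INCIDENT_LOG = [
    "2024-03-02T03:10:01 auth FAIL user=alice src=203.0.113.9",
    "2024-03-02T03:10:03 auth FAIL user=alice src=203.0.113.9",
    "2024-03-02T03:10:05 auth FAIL user=alice src=203.0.113.9",
    "2024-03-02T03:10:07 auth FAIL user=alice src=203.0.113.9",
    "2024-03-02T03:10:09 auth FAIL user=alice src=203.0.113.9",
    "2024-03-02T03:10:11 auth FAIL user=alice src=203.0.113.9",
    "2024-03-02T03:15:44 auth OK user=alice src=203.0.113.9",
    "2024-03-02T08:29:50 auth OK user=bob src=10.0.0.7",
]

# Assumed threshold: this many failures from one source in a batch is treated
# as the known "password guessing" pattern rather than an honest mistake.
FAIL_THRESHOLD = 5

Event = Tuple[datetime, str, str, str]


def parse(lines: List[str]) -> List[Event]:
    """Turn raw lines into (timestamp, result, user, source); skip malformed ones."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]),
                           m["result"], m["user"], m["src"]))
    return events


def build_baseline(lines: List[str]) -> Dict[str, Dict[str, Set]]:
    """'What is normal?': hours and sources from which each user succeeds."""
    hours: Dict[str, Set[int]] = defaultdict(set)
    srcs: Dict[str, Set[str]] = defaultdict(set)
    for ts, result, user, src in parse(lines):
        if result == "OK":            # only successful logins define normal
            hours[user].add(ts.hour)
            srcs[user].add(src)
    return {"hours": hours, "srcs": srcs}


def detect(lines: List[str], baseline: Dict[str, Dict[str, Set]]) -> List[Tuple]:
    """'What is abnormal?': known attack pattern plus departures from baseline.

    A failure burst can also come from a misconfigured client (see the first
    question above), so each alert carries the source so it can be checked."""
    events = parse(lines)
    alerts: List[Tuple] = []
    fails = Counter(src for _, result, _, src in events if result == "FAIL")
    for src, n in sorted(fails.items()):
        if n >= FAIL_THRESHOLD:
            alerts.append(("failure_burst", src, n))
    for ts, result, user, src in events:
        if result != "OK":
            continue
        if user in baseline["hours"] and ts.hour not in baseline["hours"][user]:
            alerts.append(("off_hours_login", user, ts.hour))
        if user in baseline["srcs"] and src not in baseline["srcs"][user]:
            alerts.append(("new_source", user, src))
    return alerts


if __name__ == "__main__":
    for alert in detect(INCIDENT_LOG, build_baseline(BASELINE_LOG)):
        print(alert)
```

The design choice worth explaining to a manager is that the first alert type needs no history at all (it matches a known attack method), while the other two are meaningless without the baseline; that is exactly why the audit-based history the next question calls for has to exist before real-time warnings can be trusted.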
What Cyber Security Professionals Should Do
If the company managers are able to ask such questions and understand the answers and the details provided, the cyber security professional has gone a long way toward helping protect their information and systems from attacks and external fraud. The cyber security officer has also gone a long way in gaining some basic, active support from company managers.
As part of the above, to be successful, the cyber security professional should do at least the following:
• Collect information on attacks from all available sources;
• Develop and maintain a threat tool kit containing strategies, tactics, tools, and methodologies used to attack systems;
• Continuously keep that tool kit current with the attack methods and methodologies that can threaten systems;
• Model the capabilities of the potential intruders against real-time attacks;
• Collect information related to the corporation’s information systems’ vulnerabilities;
• Establish systems simulating intruder attacks using threat tools in a simulation and testing environment; and
• Establish defenses accordingly.
Questions to Consider
Based on what you have read, consider the following questions and how you would reply to them7:
• Do you understand the company for which you have cyber security responsibility—its history; what products and services it produces; its environment, culture, competition, and business plans; the impact of the cyber security program on profits; and the like?
• Are you absolutely clear as to what management expects of you?
• Are you absolutely clear that management understands your cyber security program?
• Is management clear as to what you expect from them, such as support?
• Do you have good communication channels with management?
• Are there managers who are against your cyber security program, and if so, do you avoid them or try to understand their position and work with them?
• If you do not work with them, why not?
• Do you understand your business management responsibilities?
• Are you trying to make the cyber security program a value-added function?
• If so, are you succeeding, and how do you know?
• Does management also think the cyber security program is a value-added program, and if so, how do you know?
Summary
As we are now well on our way into the twenty-first century, a cyber security officer faces many more challenges than existed only a decade ago. The environment is faster, more technical, and much more challenging. The twenty-first-century cyber security officer must understand the global marketplace and the company’s business environment much more than was necessary only a decade or so ago:
• Cyber security officers must understand their company’s business, including its history, products, competition, plans, costs, and product value.
• Cyber security officers must understand business, management, and how to communicate with management in management’s language—not in “computerese”!
• Cyber security officers must document major cyber security decisions to provide a historical file that can be used in the future when considering similar situations.
• Cyber security officers must also think and act as business managers of the company.
• Cyber security officers must be service and support oriented.
• Cyber security officers must understand today’s NII (national information infrastructure) and GII (global information infrastructure) and where the corporation’s networks are connected to that system—weakest point and all that.
• Cyber security officers must understand the threats, vulnerabilities, and risks associated with the corporation’s systems.
• Cyber security officers must know where the systems are and where they are connected inside and outside the corporation.
Company managers must understand their assets protection responsibilities. That is especially important today, when information protection and crime prevention should be a major responsibility of every company manager. For it is only with that understanding, support, and action that companies can respond to attacks against them from competitors, nation-states, and techno-spies.