As the largest data breach in history unfolded, most executives were both disappointed that it happened to a great American brand like Target, and relieved that it missed them—for now.
The massive breach and its resulting fallout are a stark reminder to senior executives and boards of U.S. companies that they will remain vulnerable 24x7x365 until they strategically retool their security to effectively fight in today’s full-scale economic war. What we did yesterday in security is no longer relevant.
Every Company Targeted
It is estimated that U.S. companies quietly lose over $5 trillion in value each year to adversaries who take the stolen secrets and return as cheaper, direct competitors with identical trade secrets. Additionally, up to 80 percent of the value of today’s companies resides in their trade secrets and competitive advantage. Every company in every industry is the next potential big hit.
Our adversaries exploit our history of American innovation, openness, and our own laws of economic espionage to their advantage and to our massive, constant loss. In many cultures, economic espionage is mandatory, trained, and rewarded. In the United States, it is illegal, although we are playing in a global marketplace with our “eyes wide shut.”
Security: Not an IT Problem
Senior executives and boards can no longer view security solely as an IT problem. When breaches or attacks negatively affect your customers, profits, operations, and brand—the value you created—security is clearly a fundamental business problem that must be owned by all fiduciary guardians within an organization.
Senior leadership must act as the catalyst in protecting the company’s value, its constituents, shareholders, and customers. To do this, they must become the driving force in implementing the requisite risk management and the security measures at their disposal to protect their intellectual property and competitive advantage. This again is the fiduciary responsibility of the senior executives and directors of the company.
Every company must transform its mindset and develop a protective and proactive security strategy—with every employee, contractor and supplier. Consider it “reverse table stakes”—your employees, contractors, and suppliers are continuously pursued for spoils of economic warfare that a competitor or industrial nation-state can monetize to their advantage.
Weakest Link
By the time they go to lunch, your employees and suppliers have been stalked via several methods: smartphone, home Wi-Fi, public Wi-Fi, company email, personal email, social media … far too many exposure points to elaborate on here. Adversaries are intrepid and imaginative in exploiting your weakest links.
The foundation of a new archetype for security strategy must focus on the human element as well as the IT/cyber/physical/financial elements. In almost every cyberbreach, the human element facilitated it. In many cases, the cyberbreach is staged to cover up the actions of the insider.
The message here is that the human and cyber components are inextricably coupled. A cyberstrategy and security policy is grossly incomplete if the human element is not effectively addressed. This argument is poignantly stated: “Cyber is just the canary. Immediately addressing the human element is paramount,” said Eric Qualkenbush, former CIA director of central cover and current director of training and education at BlackOps Partners Corporation.
Policies of Several Kinds
A proactive cyberpolicy is critical. Keeping anti-virus software updated is a start, but only a start. All of the cyberprotection in the world can be nullified by a single insider, contractor, or supplier. This was the case in the recent breach at Target. An HVAC vendor’s credentials were reported compromised (the human element) and provided the pathway for unlawful and malevolent cyberaccess that directly damaged the value premise of the company.
Facing a creative and persistent enemy, it becomes a fiduciary obligation to combine the cyber and other security measures above with the requisite insurance and risk management programs, founded on a proactive pre-loss mitigation analysis and strategy.
“Cyber Insurance is in a constant state of evolution and in many cases is inadequate for the current state, hence a company must have a robust and dynamic loss prevention strategy interwoven into their risk management mantra,” said Erik Matson, former AIG regional president.
Most current security programs are antiquated and constructed for another time and opponent. By design, these policies have proven defective. It is easy for attackers to transcend most barriers. Conversely, a top-down, proactive, and offensive security program affords the best measure of advanced protection and pre-loss view required to effectively address threats of today.
Senior Executive Mantra
Senior executives and board members with fiduciary roles must take up the mantle to institute change in their companies. CIOs and CISOs must also be new-breed, proactive information security champions, each reporting directly to the CEO. They must operate from the same playbook with the same business rationale. Finding vulnerabilities must be rewarded. Every board meeting needs to make this an ongoing focus area to measure.
We have entered a new era of pervasive technology and resulting exponential vulnerabilities. Senior executives and boards have no choice but to get in the game and drive the efforts to ensure the sustainability of their value and competitive advantage.
The return on investment for holistic security investment is your business survival.
Casey Fleming is chairman and CEO of BlackOps Partners Corporation (blackopspartners.com).