Written by: Eric Hal Schwartz, WordSmith at EHS, LLC Produced by: LeadersNest™
Photography by: Michael Conan Wolcott
No company board can afford to ignore cybersecurity. The question of how to achieve digital security is far from definitively answered, but at a roundtable of CEOs and CTOs at Iron Mountain Data Center in Manassas, Virginia, some broad guiding principles could be discerned.
Moderated by Terrence Mills, CEO of Moonshot North America and Ai.io, the panel included Bob Gourley, CTO of Crucial Point, Chris Ertz, solutions architect of Xgility, Jonathan Rivers, CTO of 3Pillar Global, Suresh Gursahaney, CEO of MicroAutomation, LaJuanna Russell, president of Business Management Associates, Ramon Barquin, CEO of Barquin International, Jeff Bathurst, director of SC&H Group’s IT Advisory Services, Al Parvar, chief enterprise architect for Aurotech, Bryson Bort, CEO of SCYTHE, AJ Jaghori, CEO of Solebrity, and Fran Craig, CEO of Unanet.
While the debate about the details rages on in the boardrooms of businesses of every size around the world, companies would be wise to consider the best ways to integrate thinking about cybersecurity into their boardrooms.
Breaches are Inevitable
Hackers, whether freelance, part of a criminal syndicate, or acting on behalf of a hostile government, are endlessly besieging businesses, governments, and other organizations. They may be slapdash or sophisticated, but eventually one or more will succeed in getting illicit access to data. When a board is thinking about cybersecurity, that fact has to have a place in any scenario it considers.
“A very important starting point is there is nothing that is unhackable, there is no scenario that you cannot present that I cannot come up with a way to hack it, to access it but it’s worth starting with what do boards understand and what our business is,” Bryson Bort said. “Modern business today is no longer indistinguishable from technology. You cannot have a business without technology. And as a result of that, security is no longer just a cost but now an absolute necessity for mission assurance.”
Because cybersecurity is a flawed necessity, any board that wants to assure customers, shareholders, and policymakers that the company is secure has to think long-term. Improving security is a large part of it, but not the only one. What happens after a breach? How does a company deal with what may seem like a huge organizational and public relations crisis? Boards that don’t address those questions are keeping their heads in the sand, according to the panel of experts.
“[It’s] not if but when,” Jeff Bathurst said. “And we talk [with organizations] about legal representation and we talk about PR and communications, we talk about the technical response and helping them formulate a plan so that the organization is prepared for when that event occurs. There is a large gap across many organizations that we’re seeing that just don’t have these things in place and it’s imperative that the preparation be done because you do not want to figure it out when it’s going on.”
Caring Starts at the Top
A company’s priorities are set by its leaders. That’s true for every aspect of a business, and cybersecurity is no exception. But, even if some or most of a board agrees that cybersecurity and related issues are important, that doesn’t mean a company will genuinely invest resources in addressing the dangers.
“One factor that you can assess right away [to] understand if that organization has any hope of being secure and that is does the CEO care? If the CEO doesn’t care at all, they have just about no hope,” explained Bob Gourley, whose company has performed many assessments of corporate cybersecurity readiness.
Cybersecurity readiness takes a lot of effort and energy. If those at the top make it clear they’re going to be involved, the critical policy updates and improved technical tools are much more likely to get the focus they need from the company as a whole.
“At the board level and at the CEO level, I think it would be awesome if they thought of disaster recovery as IP,” LaJuanna Russell said. “Then it becomes a value, and then every CEO is going to think of it, but I don’t think that most of us are raised as CEOs to think of it that way if that’s not our business.”
Include Tech People on Board
Convincing a board that it should be willing to invest in cybersecurity is critical, but building up that foundation and charting a path to address it aren’t easy. A board can hire consultants or an internal team to address it, but the best way is to have someone with that knowledge on the board itself.
“In this day and age, you cannot have a knowledgeable technologist not be a member of your executive team,” Jonathan Rivers said. “Until you actually have that good representation on the executive suite, you’re going to be throwing your money at Accenture and Deloitte and not actually knowing why you’re making those decisions.”
Of course, that representation can’t be just anyone. They have to be able to communicate with the people actually handling cybersecurity while at the same time explaining what is going on to the other members of the board who have other specialties and grasp the business side but not the technical end.
“The challenge with having a technologist on the board is not that I have this person who speaks tech but somebody that’s technical that can speak business because that’s the missing gap,” said Bryson Bort, CEO of SCYTHE. “We have too many nerds who talk nerd and not enough nerds who talk business, so why is tech repeatedly surprised that nobody on the board takes them seriously when they’re not able to put it in the appropriate terms to match that competitive advantage that the board is trying to seek?”
No matter the industry or size, every company’s board needs to be aware of and on top of cybersecurity. The mark of success will be a board that has strategies and plans not only to fend off attacks, but also to deal with the consequences of a successful one. Boards that are willing to include relevant expertise in their membership, and whose day-to-day leadership cares about the subject, will endure the endless fight against hackers and data thieves and position themselves as leaders in the years to come as the battle for data security evolves.