As you all know better than me, compliance and audit executives spend plenty of time these days worrying about cybersecurity. So when I spent a few days last week on the road talking to compliance professionals, the subject came up quite a bit.
The first bit of good advice I heard came from an old law enforcement guy (all the old law enforcement professionals are guys) who is now an executive at one of the large GRC vendors with a thriving investigations practice. This guy had been working money-laundering investigations since the 1970s, for the FBI and state police and lord knows what other agencies. He has seen a lot. So I started to ask what he and his firm are doing to help companies with cybersecurity.
“Stop,” he said. “It’s not about cybersecurity or cyber-risk or cyber-attacks. It’s cyber-crime, and we need to remember that. We need to remember that there is an underlying crime happening in all of this.”
The guy then told a story. Once upon a time, a CFO spent his evening hours purchasing the services of some Ashley Madison-like website, although the particulars were something closer to an activity illegal in most states that aren’t Nevada. Hackers became aware of this, found his online transactions, and approached him with a threat: either leak confidential information about your company to us, or we will leak your philandering to your wife, your boss, and your local police.
We can all agree the above situation is a cybersecurity nightmare. But my guy’s point is correct: this was also extortion, nothing more. And extortion has been a problem companies have faced since long before cyber-space existed.
Whatever company employed this CFO, the compliance officer there should already have been prepared for this crime because from the company’s perspective, extortion is a problem of policy management and monitoring, not IT security. What was the policy about disclosing extortion attempts to the company? Did the company have guidelines on confidentiality? On what misconduct it would report to police and what it would keep private? (I don’t condone someone soliciting prostitutes or adulterous encounters online, but if a victim of extortion is confessing his or her sins to the boss, not all of that needs to be reported to police.) Did the company monitor key employees like the CFO for possible targeting by criminals?
You get the idea. “Cybersecurity is a process,” we are always quick to say, and the goal of that process is to prevent a crime. So if your starting point is to think about the underlying crime itself—and in most cases, that crime is either theft, extortion, or espionage—that brings you closer to understanding what your cybersecurity processes should be. You get a better sense of where your weaknesses are, what human elements are involved in those weaknesses, and how you might improve policies, processes, and controls to seal those weaknesses up.
‘Who should own cyber?’ To my thinking, that question makes as much sense as asking, ‘Who should own crime?’ No single executive should ‘own’ crime.
After my conversation with the old law enforcement guy, I attended a small gathering of compliance and risk officers in the utilities industry hosted by PwC. Cybersecurity got lots of attention there, too, and toward the end of the day one person tried to capture some of the strategic challenges by asking, “Who should own cyber?”
To my thinking, that question makes as much sense as asking, “Who owns crime?” No single executive is responsible for preventing crime at any large business. Sure, you might have a vice president of loss prevention who tries to police against shoplifting, or a director of corporate security who stops intruders from wandering around C-suite corridors. Depending on your business (retail, banking, pharmaceutical research), those people can be hugely important players in your efforts to reduce crime.
Still, the are only “point solutions” to the problem of crime, the human equivalent of anti-virus programs or network packet sniffers. They address specific types of crime, just like those software solutions do. But no self-respecting business would ever think that hiring a head of loss prevention or director of physical security solves all the company’s crime problems—you still have extortion, insider threats, sophisticated imposters, and the like. You need all employees on watch for all types of crime, with tone at the top and training and monitoring and all the other fun stuff. That’s what the process of battling crime in a corporation looks like.
A cybersecurity process should have the same basic structure. You might have an IT security director or a CISO, just like you have a vice president of loss prevention; you might have sophisticated software to detect hackers just like you have a reception desk and turnstiles at the front door. But you must also drill good security procedures into employees heads, and get them to think about cybersecurity the same way you get them to think about anti-corruption or correct corporate accounting. You need to assess your risk from cyber-criminals just like you assess your risks from “real” criminals.
That is how you get closer to a good cybersecurity process, even in today’s world, where cyber-criminals are as real as criminals can get.
Comment on this post on LinkedIn.