A Question of When, not If

Breached!  This is the new watchword in the executive office suite these days.  Ever since Brian Krebs revealed to the world that Target had been breached, every company is on notice.   While the primary role of the CEO is revenue and growth, there are a host of other activities that support revenue and growth.  Namely, the company’s employees and its data infrastructure are critically important for every company.  But what about the network?

Having been an investor in network infrastructure for a couple of decades, I know chances are very high that your company’s network has been built over decades, by scores of people of varying skill levels.  Chances are your network is very complex, beyond what any person or team can truly understand.  Chances are your network runs your business more than you really appreciate, and without it your business would stop.  It’s just as important as your manufacturing and supply chain, or your service centers, or your employees.  The network is a strategic asset of the corporation.

This was brought home in a powerful way when I recently attended a cyber security meeting in London.  In addition to briefings with a number of industry analysts, this meeting also included a panel discussion with about 15 CISOs from various industries like finance, not-for-profit, publishing, media, banking, and manufacturing.  To a person these CISOs said two things.  First, their greatest need was skilled personnel to run their networks.  Second, their senior management was asking questions about not “if” they were breached but what they would do “when” they were breached.  This shift in attitude, driven by all the news in recent years about breaches at large, household-name companies, was an “ah ha” moment for me.

Your company will be breached, or you will fall victim to some other network crime.  As CEO, you must prepare yourself for these events.  A lot can be done to prevent most breaches, and to be prepared when one inevitably does happen.  It starts by knowing just how your network is built and operated.  As trite a statement as it is, the truth of the matter is this:  If you don’t know how your network is built, how can you possibly secure it?

Have you asked your CISO what the plan of action is when a cyber attack is successful?  Does your board understand the liability of a successful attack?  Regrettably, it is a matter of when, not if.