Tag Archive for: CEO

The Next Manhattan Project

Just participated in The White House Summit on Cybersecurity at Stanford.  The President and all the participants focused on the fact that cyber is the threat of the 21st century, that government alone can’t protect us, and that no company has the resources to completely protect itself.  Recent history confirms this.  Thus to collaborate, to share, and to work together is our only real solution.  There were plenty of nods to the Constitution and privacy.  Tony Earley, CEO of PG&E, said that we need to work together like we did on the Manhattan Project.  Now that is big thinking, and a big call to action.  I couldn’t agree more.

Changing how we think about cybersecurity

Almost since the birth of computer networking, engineers who build and manage computer systems have needed to figure out how to protect them from both intentional attack and unintentional damage. The deeply technical realities of securing computers and networks created a need for security specialists. Recently, the costs and other implications of attacks have created a seismic shift in how businesses must think about cybersecurity. Responsibility for cybersecurity has expanded from the IT engineer to the boardroom, and it’s not going back.

This past week, Cisco published its Annual Security Report. One of the key areas Cisco calls out is “Changing the View Toward Cybersecurity—From Users to the Corporate Boardroom.” The report highlights the increasing importance of security not only within the technical ranks, but also as part of an organization’s strategic oversight. In fact, according to Cisco, “Strategies include considering new approaches to help align people, processes, and technology, making security a topic at the corporate boardroom level, and adopting more sophisticated security controls…”

As I speak with executives and board members of major enterprises, I’m increasingly hearing the same thing: they agree that it’s time for them to understand how their assets are protected, how their security investments are used, and how their networks are being protected before, during and after attacks. Given the complexity of today’s networks, providing them with answers requires automation. Networks aren’t static because businesses are not static. Useful answers need continual assessment and at least daily reports describing the changes in the enterprise’s risk profile, access paths, and threats.  When changes occur, the CEO must ask the question, “Is my network more protected today than yesterday?”
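The question “Is my network more protected today than yesterday?” is only answerable if the daily report is computed from the network as it is, not as it was designed. The following is an added example, not RedSeal’s product code or anything from the original post: it models a first-match firewall policy (a deliberately simplified, hypothetical model), evaluates which sensitive services an untrusted source can reach under yesterday’s and today’s rule sets, and reports the delta. The rule sets, asset list and the 203.0.113.5 source address are constructed sample data.

```python
"""Daily access-path delta: which sensitive services became reachable
from an untrusted source between two firewall snapshots?
Added example with a simplified, hypothetical first-match rule model;
all rules, assets and addresses below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One first-match rule: 'allow' or 'deny' from src CIDR to dst CIDR on a TCP port (None = any)."""
    action: str
    src: str
    dst: str
    port: Optional[int]


Asset = Tuple[str, int, str]  # (host IP, TCP port, human-readable label)


def decide(rules: Iterable[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; traffic that matches nothing is implicitly denied."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (None, port):
            return r.action
    return "deny"


def exposed(rules: Iterable[Rule], untrusted_src: str, assets: Iterable[Asset]) -> Set[str]:
    """Labels of the assets the untrusted source can reach under this rule set."""
    rules = list(rules)
    return {label for host, port, label in assets if decide(rules, untrusted_src, host, port) == "allow"}


def daily_delta(yesterday: Iterable[Rule], today: Iterable[Rule],
                untrusted_src: str, assets: Iterable[Asset]) -> Dict[str, List[str]]:
    """Compare reachability between two snapshots; this is the substance of the daily report."""
    assets = list(assets)
    before = exposed(yesterday, untrusted_src, assets)
    after = exposed(today, untrusted_src, assets)
    return {
        "newly_exposed": sorted(after - before),
        "newly_closed": sorted(before - after),
        "still_exposed": sorted(after & before),
    }


def verdict(delta: Dict[str, List[str]]) -> str:
    """Answer the CEO's question in one word: any new exposure outweighs any closure."""
    if delta["newly_exposed"]:
        return "worse"
    if delta["newly_closed"]:
        return "better"
    return "unchanged"


# Constructed sample data. 203.0.113.0/24 is a documentation range (RFC 5737).
UNTRUSTED = "203.0.113.5"
ASSETS: List[Asset] = [
    ("10.0.1.10", 443, "web-https"),
    ("10.0.1.20", 3389, "jump-rdp"),
    ("10.0.2.15", 3306, "db-mysql"),
    ("10.0.2.15", 22, "db-ssh"),
]
YESTERDAY = [
    Rule("allow", "0.0.0.0/0", "10.0.1.10/32", 443),
    Rule("allow", "0.0.0.0/0", "10.0.1.20/32", 3389),  # legacy RDP exposure on the jump host
    Rule("allow", "10.0.0.0/8", "10.0.2.0/24", None),  # database subnet: internal sources only
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]
TODAY = [
    Rule("allow", "0.0.0.0/0", "10.0.1.10/32", 443),
    Rule("allow", "0.0.0.0/0", "10.0.2.0/24", None),   # "temporary" troubleshooting rule added overnight
    Rule("allow", "10.0.0.0/8", "10.0.2.0/24", None),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),      # the RDP rule was removed, which is good
]

if __name__ == "__main__":
    d = daily_delta(YESTERDAY, TODAY, UNTRUSTED, ASSETS)
    for key, labels in d.items():
        print(f"{key:14s}: {', '.join(labels) or '-'}")
    print("verdict       :", verdict(d))
```

The point of the ordering in `verdict` is that closing one old hole does not offset opening a new one: the report above closes the RDP exposure but also opens the whole database subnet to the Internet, so the honest answer is “worse,” not “net neutral.” A real assessment would walk routers, NAT and layered firewalls rather than a single rule list, but the shape of the daily report, a reachability diff against a fixed set of sensitive assets, is the same.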

As Cisco’s report states, “The future of cybersecurity hinges on boardroom engagement today.” That engagement requires goals and standards, clear communication, succinct information, and continuous improvement in the face of ever-changing business requirements. Furthermore, the report makes clear the questions that the organization must be able to answer: “Boards also need to start asking tough questions about security controls: What controls do we have in place? How well have they been tested? Do we have a reporting process? How quickly can we detect and remediate the inevitable compromise? And perhaps, the most important question: What else should we know? CIOs need to be prepared to answer those questions from the board, in terms that are meaningful and understandable to board members, and also outline implications for the business of any proposed changes.”

With RedSeal, you are able to answer those questions, and not merely in terms of the intended design, but in terms of the reality of your network today. Is your network RedSealed?

Staying on Top of Security

Wall Street values companies based on their performance over time.  That performance is measured in revenue growth and profit, but it is also measured by the reliability with which results can be predicted. Predictable results make everyone happy.  Wall Street doesn’t like surprises, and neither does a CEO.  At some level, I suppose, the CEO’s job is to grow the business with as few moving parts as possible, eliminating potential surprises that could upset predictable results.

This becomes difficult when you realize that the very foundation of every modern business, the network, is full of moving parts and is anything but stable. Technology continues to evolve, new products are introduced, and companies are constantly changing their electronic infrastructure in hopes of improving operations and lowering costs.  This double whammy of new products and the desire to lower costs by changing the network brings complexity, potential vulnerabilities and unpredictability to the business. At the end of it all, one should always ask the question: are things getting better, or not?  Is my network improving or not?  And am I more secure or not? How can I know?

I recently met with the chief executive of a Fortune 20 company.  In our discussion I learned that this CEO gets a cyber report every Monday morning.  Not only does it include what attacks or threats his company witnessed, but it includes information on what is happening in the world as it applies to his business.  This sounds a lot like what the President of the United States gets in his daily briefings from the NSC!  I was totally surprised and delighted that he was taking security so seriously.

What does this mean for you, the CEO?  A cyber event is coming, whether you like it or not.  It doesn’t have to be scary or deadly.  Being prepared with a secure network is now the cost of doing business.  The sooner you start, the less impact it’ll have on your company when it happens to you.

Was It Something I Said?

I was in one of those small, interior conference rooms when it first happened. It was very hot outside, with an obvious threat of another day over 100°F and extreme humidity, as well. But, it felt even hotter in the room. I was there to provide insights to members of the network and security teams for a regional retailer, and only a few minutes into the training, it seemed like everything I said resulted in angry rebuttals. As a pretty easy-going guy, I couldn’t figure out how it was that I had offended the senior network engineer so completely. So, I asked her, “What has you so upset about this information?”

“Simple!” she hissed through clenched teeth, pointing across the table, “They are going to just use this to beat me up!”

There, in a nutshell, is a fundamental problem with many IT organizations: different teams have different fundamental objectives, and instead of working together and understanding the goals in a more holistic way, they end up in an adversarial relationship, fighting for resources and the favor of the CIO, CFO, and CEO.

It starts with the clear distinction between the role of network operations and security. The network team is responsible for making sure that packets get through. Their phone doesn’t ring as long as everyone gets access to what they need and there are no slowdowns. On the other hand, security is responsible for making sure that some packets do not arrive, protecting network assets from unauthorized access and from potential attacks of various kinds. As a result, the two teams often find themselves diametrically opposed to one another.

The solution to this rests with the CIO as typically the executive responsible for all aspects of the network infrastructure. As a result, the CIO is the place where these divergent objectives join to create a single strategy, and she is the one who can provide the context and vocabulary for unification.

How is this done in your organization? How have you seen it done, perhaps in organizations where it doesn’t work so well (since I’m sure your organization doesn’t have this issue!)? What do you need in order to make sure that the entire IT organization is aligned to the same goals?

We’re Living in Mud Huts

In the modern world, we depend on so many standards to protect us in our everyday lives – without even realizing it. For example, when we walk into a building we expect it will not fall down, even in an earthquake.  But before we walk in, we don’t demand to see the drawings, the engineering, or the credentials of the builder and inspectors.  We don’t even want to see the final certificate of occupancy: we just assume that the building has been constructed according to good, complete standards.

Regrettably, the networking world is not quite to this standard of design and implementation.  Yet, today we completely depend on the networks for business and assume that they are generally well architected, built well, and up to whatever standards of protection and compliance there are.  However, we continually read warnings about doing banking online on a public WiFi network, or change our passwords because people can steal them from company directories, and so on.  Yikes!

You see, networks have been built by so many people over decades, largely without standards for design, inspection and operation, and have grown so large and complex, that basically it’s as if we were living in mud huts from 2000 BC.  Is that any way to conduct your critical business: in a mud hut that is easily brought down, vulnerable to natural and man-made disasters, and not very comforting on the security front?

I wouldn’t live in a mud hut.  And I doubt you would either.  So, if your network is large, complex, and built by many people over a long period of time, there is a good chance that it may not be as secure as it should be for your business.  Ask your CISO what standards have been used in building your network.  PCI? FISMA? HIPAA? These are just a few, but they are a good start to addressing the needs of good and proper network architecture and design.  But these standards have to be repeatedly checked because the network in which they are implemented changes all the time.  In reality, there aren’t any great standards.  And until there are, and networks are rebuilt in accordance with them, every CEO needs to understand the risk of running his business out of a mud hut.

What Keeps CEOs Up at Night?

Post 3 – What keeps CEOs up at night?

As a CEO, getting a good night’s sleep is harder and harder these days.  We used to worry about competition, labor problems, regulatory issues, financing issues, sales and, if our company was public, our stock price.  In the 21st century there is a new worry – cyber threat.  Cyber attacks are real and they can be devastating.  Cyber threats come in all shapes, sizes, types, and intentions.  And they are, for the most part, completely automated.

Every business depends on its networks, and we have every indication that dependency is increasing at a dramatic pace.  These networks and the technology that makes them run are constantly changing.  They evolve to suit the needs of business, and they are improved in performance and security by new products.  Unfortunately, they are often built without a big-picture architecture in mind: “just make it work” is often the order of the day.

As CEO, knowing that these networks run more and more of your business, you should be asking your team – is it better today than yesterday?  Is it more secure today than yesterday?  What happened on our network yesterday?

Getting this data in a standard, understandable form is no small task.  Further, because things change often, the CEO needs to know the answer to this question often.  The geeks still build and operate the networks though the business people use them – kind of like cars and roads.  You don’t need to know how they are built, but you do need to know they are safe and reliable.  As CEO, you must care whether your network is safe and reliable and that you have a team in place that can make it so.

Breaches Reach the Board Room

The discussion of cyber security is finding its way into the board room.  Everyone has read about a breach like the ones at Target, or Neiman Marcus, or Sony.  They also probably now have the word “Heartbleed” in their lexicon whereas six months ago most people would have thought this was a medical condition.  Directors surely must be thinking about whether this could happen to them and what they should do.  Just framing the discussion is often difficult because people simply have little or no background.  They need to know what is going on and what the risks to the company are.

The first interested director is probably the chair of the audit committee.  She or he should be active in asking key questions about security, processes, and what operationally is being done.  This is no different than asking if procedures for check signing are set up and being managed, or about how the shrinkage in retail or warehouse operations is being managed and monitored.  Cyber security has a complete parallel to these issues.

Of course I can’t speak for every board of directors, but a couple of companies on whose boards I serve have a line item on the agenda – usually during the audit committee report – to discuss cyber.  Regrettably, the discussion usually lasts less than five minutes even though the headlines in the newspaper are full of corporate issues around being breached.  I can’t tell if it is a lack of appreciation of how serious the problem is, or if there is even a real problem.  I can’t tell if it is one of those “if I don’t ask, then I don’t have to know” problems.   Solving any problem first requires acknowledgement of the problem.  And the cyber attack problem is getting top billing in the news, just not in the board room.

Ask yourself, does the CEO get a report on cyber security, just like s/he gets a P&L or sales report?  Cyber is dynamic, and it’s a constantly changing front of action, just like sales.  Unfortunately, this is now part of every business and it takes away from business.  But I bet it’ll take much less away than a full breach.