In a previous blog, we discussed Commander’s Intent for CEOs and introduced 10 questions CEOs should be asking their teams.
In this blog series, I am going to take a deeper dive into each question and break them down one at a time. We will discuss why CEOs should care about each question and the type of answers teams should be providing.
This week we tackle the question:
How does our posture compare to organizations in the same vertical?
This is sometimes a difficult question for security teams to answer. Sometimes this is due to the security culture (e.g. not sharing information with other teams, distrust of the competition, etc.). Some of it is due to corporate culture. I have consulted with teams in certain cities that flat out refuse to talk to each other. I understand wholeheartedly that organizations need to keep information such as business metrics and strategies secret from competitors. It’s one of the reasons cybersecurity programs exist. That being said, you, as the CEO, can set the tone in your organization that sharing security information actually benefits the organization.
You should allow your team to go to events with the purpose of collaborating with their peers on this issue. No single team can know everything and, if they aren’t spending any time collaborating with peers, they may be running the program inefficiently. Trust that your team has the best interest of cybersecurity at heart. Trust that we understand what to share and what not to share. I have met with peers at direct competitors in the past and we have built great relationships that have been maintained long after leaving our old organizations. All of that collective wisdom is then applied to the next program or the next consulting effort. We have to share more, and having a CEO who understands that will go a long way and will have a direct impact on the security of your organization.
If security teams and leadership teams are involved in the community outside of the organization (which they should be), they should be able to get a sense of what other programs with similar business models and risks are doing to minimize exposure. I can’t speak for every city, but in San Diego a good friend has been managing an ongoing CISO round-table discussion. These meetings facilitate discussions around what is working in programs and what isn’t. We share technology information such as which products work and which ones don’t. The operations and processes of the security programs are discussed among a vetted group of peers who trust each other and pull together to share information and tactics that help mature other programs.
Additionally, cyber insurers are demanding a higher bar for controls than ever before. In most cases, if you aren’t at least doing the same as an organization with a similar risk model, you probably won’t get coverage, or the premiums will be through the roof.
This is also the case if litigation results from a data loss or breach. Do 9 out of 10 competitors require usernames and strong passwords while your website only requires a username and a four-character password? You will probably be held accountable for not keeping up with the industry in maturing your authentication systems.
(NOTE: I am not a lawyer but I did stay at a Holiday Inn Express last night. For cybersecurity legal guidance, please consult with your internal or external legal teams)
Depending on the vertical you are in, there are a number of information-sharing programs in place. The biggest are ISACs (Information Sharing and Analysis Centers). It’s not important that you know the details, but it is important to understand why these were created.
“Information Sharing and Analysis Centers or (ISACs) are nonprofit organizations that provide a central resource for gathering information on cyber threats to critical infrastructure and providing two-way sharing of information between the private and public sector”
These groups are designed to help your team understand the threats targeted at your vertical. They provide threat and risk information and host conferences. The key is having a two-way exchange of information to help make us all better.
This question isn’t intended to have a hard answer. But just remember: when it comes to cybersecurity, your team should be allowed to talk to other peers to help provide this type of information exchange. It will also give them a good idea about how their program compares to a similar organization.
Sharing the right data at the right time can make a huge difference to your cybersecurity posture.