Among the CEO’s most important responsibilities is securing her or his company against internal and external threats. Ultimate responsibility lies with the CEO for:
- Physical security for people, inventory, raw materials, and the physical plant.
- Financial security through insurance, reserve funds, and contracts.
- Market security through forethought, strategic planning, and research and development.
- Organizational operability and efficiency through policies and procedures.
- Organizational resiliency via disaster recovery and business continuity planning, testing, and execution.
- Compliance with laws and standards.
A seventh discipline that has gained new prominence in the digital age is information security. Businesses’ intellectual property and trade secrets have always been under attack; now their operational data is a prized target of thieves, hackers, and other bad actors. This brief blog explores what this threat means to companies and what smart CEOs do to practice information security as seriously as the other disciplines of security.
We admire Bruce Schneier for his expert knowledge and leadership in the field, in particular because he recognizes that it’s not just about code and authentication factors, it’s about people. Bad passwords, credential stealing, and carelessness are worse than hacking and viruses. He recognizes that as people push the boundaries of their own humanity, starting to use a global mesh of devices and connections to do their bidding, the situation will become even more complicated and beyond our direct control.
His basic argument is within a couple of degrees on the compass of the argument advanced by FEMA, which since its missteps of the late 1990s and early 2000s has become a leading emergency management agency: organizations that focus all their energies on breach response and recovery are failures; those that devote energy and focus to prevention and intervention will be far ahead of the curve.
For many CEOs and, indeed, most CTOs, grasping this shift in focus requires a fundamental change in mindset. Most CTOs and their IT departments are trained and oriented to problem-solve. If a new hack emerges, they learn to beat it back. If data servers are breached, they are trained to contain and recover. If intellectual property is stolen, they have procedures in place to “ring the bell” and send the lawyers out to tackle the offending software company.
But this example from Apple shows how little this reactive approach really accomplishes. By the time the data has slipped the surly bonds of its owner’s server, it becomes enmeshed in the global data stream for anyone to see or take. Apple, Alphabet, Facebook and their ilk know well that the play is not to react to information security breaches, but to proactively prevent them. Prevention, not intervention, is where these companies spend or should be spending most of their energy—and it’s where you should be spending yours.
After all, breaches have everything in common with the growth curve for invasive species, perhaps because the two find their entrée in some of the most common human behaviors and preferences. By the time most people spot them, it’s already too late to solve them.
If your CTO is the guy or gal you call when you spot the signs that you have been breached, you’re way behind the 8-ball. If your CTO is proactively counseling you on preventive measures and you are proactively implementing them, you are fortunate and unusual. More companies need to practice the discipline of information security and spend more resources assessing and preventing, as opposed to reactively intervening when things go bad.