Stepping up to the Cyber Challenge: You Need a Lawyer
Today’s news is full of cyber security stories on a daily basis. Just a few short years ago this security issue was typically dismissed. Today the boards of directors at public companies are racing to understand the cyber threat, their fiduciary responsibilities around it, and even attempting to attract board members with cyber experience. At the moment, such talent is difficult to find. But integrators have an opportunity here to become that cyber-educated resource to the board of directors.
The key challenge for integrators is finding an ally with receptive ears on that board.
Welcome to cyber crime in 2012. It’s getting visibility at the highest levels in organizations of all sizes, and yet many security policies have yet to embrace it tactically or strategically. The new breed of security executive understands these challenges and opportunities. And as a result, a changing of the security executive is occurring globally.
Today the cyber crime and espionage trend is in full swing and there are very few companies operating that are not in its path. From hackivists with a political or social ax to grind to criminal syndicates and nation state actors — the threats are now sophisticated and, unfortunately, automated.
Download and go — “malware for the criminal masses!” The success rate for illegal hacking is in the high 90 percent range, and the court system (domestically or internationally) is a long way from acting as a deterrent to anyone. Today, the reputation of your company hangs in the cyber balance. Security policy cannot ignore a major threat like cyber crime and industrial espionage at these levels. What are you doing about it?
The first lesson in Cyber 101 might be to understand what it is not. At day’s end, it is not a piece of bad software that is the attacker. It is an actual opponent: a living, breathing human being that is stealing your information or attacking your company for any number of reasons. It is a human being, or group of individuals, that need to be understood, countered and marginalized.
Malware is a tool. The attacker has a purpose, a plan that in some cases takes weeks, months and even years to fully execute. These are not hit-and-run tactics today, but rather infiltrate-and-stay intelligence gathering operations.
What is the state of your organization’s counterintelligence capability to understand your cyber adversary? Do you have in-house capabilities or contract outbound to a consultant or services provider? Nothing, you say? Good luck with that plan. What is the state of your employee and partner cyber training? Is it updated regularly to keep pace with the new tools and tradecraft of the adversary? Nothing, you say again?
Cyber is a crime, like fraud, not an issue left to the IT department. Cyber crime — like any crime — is not totally preventable, but it can be anticipated, mitigated and planned for in both a pre- and post-breach scenario. How do you protect your critical data from physical and digital theft? Do you have a cyber incident plan?
A smart security executive sees cyber as an opportunity to educate the board. The Machiavellian security executive aggressively pursues the chief legal counsel as an ally and cyber advocate. Rarely are the CIO or CSO board members.
Educate the top lawyer; have him/her in turn educate the board. This is a mutually beneficial relationship. If someone on the board is fired after a cyber breach, chances are it will be the chief legal counsel before the CFO or CEO.
Get a cyber insider for your cause, funding support and position cyber into your global security policy, including third-party partners and supply chains. The new security executive will step up to the cyber challenge before it is too late.