Cyber Leadership: Bonnie Stith on Executive Strategy Best Practices

This article is part of GPSG’s Cyber Leadership series. This series aims to help cyber and security management leaders make more informed resource and risk mitigation decisions as they navigate the fast-paced, digital threat landscape.

GPSG’s cybersecurity team is honored to have met with Bonnie Stith, former Senior Cyber Executive in the U.S. Intelligence Community and Founder of Stith Associates, to discuss a few of our most frequently requested executive leadership topics: risk tolerance and cyber leadership best practices. Our discussion included how to strategically approach cyber risk and encourage your workforce to stay ahead of the emerging technology risk curve.

Bonnie shared leadership insights and lessons learned from her time leading a multimillion-dollar cyber threats and operations organization. She led thousands of officers, drove technology-focused programs, and integrated disparate business lines to accomplish complex missions. Since leaving government service, Bonnie continues executive coaching conversations with leaders in private and public sector organizations about their cyber issues and concerns.

“Step away from your comfort zone.”

What one piece of advice would you share with an executive team about how to manage cyber risk?

Bonnie: Step away from your comfort zone. This could mean decreasing your dependence on solely relying on your technical skills to address risk or trusting that purchasing another tool or product will completely mitigate your cyber risk problems.

When approaching a cyber risk challenge ask yourself, “What haven’t I asked myself, my team, or my staff?” Ask yourself different questions about the cyber challenge. For example, “What haven’t I done?”, “What could I be doing?”, or “Who knows more about this cyber challenge than I do?” If you ask different questions, then you get different answers; different answers take you to different places and solutions.

Instead of going to the board and soliciting resources to purchase the latest product, imagine painting yourself as more of a ‘thinker’ in front of the board. Lay out the challenges and considerations that went into your risk management decisions. Walk them through the risk as you see it. Encourage them to validate that what you see as risk aligns with their perspective. After all, what could be worse than protecting the wrong thing?

“Cyber is no different than other issues that executive leaders must deal with, except that it can be more expensive and damaging if not done well.”

How will an executive leadership team know when it is time to act on a suspected cyber incident or challenge?

Bonnie: I’ve gone on trips where I’ve followed the road and enjoyed the scenery. I don’t recommend dealing with big cyber issues this way. One key cyber incident planning question to ask is, “How will we know . . . ?” Once that tipping point is reached then ask, “What are the steps that follow?” When leaders choose to get involved depends a lot on the severity of the issue and the risk tolerance of the individual company.

Cyber is no different than other issues that executive leaders must deal with, except that it can be more expensive and damaging if not done well. One approach before acting is to separate what happened from how it happened.

Then, figure out and prioritize actions and risk areas. All too often we hurriedly combine the what and the how of a situation. This means that information that might need to be shared isn’t, because it’s all jumbled together and considered too sensitive.

For example, determine whether you have the latest firewall, intrusion detection tool, or basic cyber hygiene in place. Then, direct the right people on those areas and leave others to focus on what was lost, reporting and compliance issues, etc.

“. . . a determined adversary only has to successfully penetrate your controls once while defenders have to be successful every time.”

How can cybersecurity leaders best approach strategic risk tolerance?

Bonnie: When managing cyber risk, remember that a determined adversary only has to successfully penetrate your controls once while defenders have to be successful every time. In other words, failure is not an option. Your enterprise security is only as good as your next patch.

Some foundational questions that leadership teams should ask themselves about risk tolerance include:

  • What does failure to consider cyber risk look like at my organization?
  • Are some control areas more resourced than others?
  • What investments could overlap as a resource for multiple areas of cyber risk management?
  • Are we including all stakeholders in the solution?
  • What questions aren’t we asking?

“Promoting innovation is the key to success in this dynamic cyber world.”

How can cyber leadership teams drive their organization to stay ahead of the emerging technology risk curve?

Bonnie: Listen to what your workforce has to say about challenging cyber issues. Provide them training and time to research opportunities to explore new cyber ideas. As a result, this will keep your company ahead of the curve and at the forefront of innovation. This is where the difference is made.

Don’t be afraid to accept a lifeline. An outside expert might know more about something than you or your team does. The value that an external expert can bring may surpass what your company would continue to churn on internally.

Look for the innovative solutions and approaches. However, beware of shiny objects or someone promising a silver bullet that will solve all your problems. Be sure to identify and explore fresh, strategic ideas instead of only reviewing product solutions.

Promoting innovation is the key to success in this dynamic cyber world. Don’t punish employees who bring bad news or challenge the status quo. Constantly check your own complacency with how things are being done.

“What is it that my organization is afraid of losing?”

What advice on cyber risk management would you give to a company whose cybersecurity team is in the initial development stages or separating security from the IT department?

Bonnie: One key question that inaugural security leadership teams should ask themselves is, “What is it that my organization is afraid of losing?” This will be unique for each organization.

Other key questions to drive the conversation include:

  • Do you know what types of assets are most critical to your organization? If data, what protection measures need to be taken?
  • Do you know which assets are least critical?
  • Does your leadership team and/or board agree?

Your most critical assets serve as the foundation for your cyber risk management approach. Once your most critical assets have been identified, then you can obtain senior leadership team buy-in. As a result, you can build and prioritize your cyber risk efforts around those assets.

Resources, including time and money, are limited. A company can spend its entire budget on cybersecurity and still be vulnerable. Protect what needs to be protected at the level it needs protecting. This approach helps ensure the strongest risk management approach for insider risk.

If your security team or another area of your organization has previously identified your organization’s assets, that can serve as a starting point for you to review through a cyber risk mitigation lens.

Oftentimes, I meet with clients whose senior leadership team has a miscommunication or misunderstanding about what assets are most critical to protect and in what order of priority.

Not all data or assets are well understood, and not all data/systems are of equal value. Assess where you have to put your primary and greatest effort. Then, rack and stack other priorities. Not all data is equal!

More cyber leadership insights . . .

For more cybersecurity leadership best practices, check out the previous article in this series, “How to Stop Forcing Heroic Cyber Leadership Efforts” by GPSG’s Cyber Vice President, John Lister. Stay tuned for our next article in the GPSG Cyber Leadership series, coming soon.

To connect with us on cyber leadership risk management best practices, contact GPSG at cyberteam@gpsg.co for a free consultation.