I know how difficult cyber security can be for a CEO and for boards.
For 18 years I was CEO of F-Secure, a cyber security company I founded in 1988. Today, F-Secure is the largest European cyber security company with both technology and services offerings for enterprises. I have also served as Nokia’s chairman since 2012, observing how a global technology company strives to protect itself and its customers, as well as build security into all its products and solutions.
“There is increasing external pressure to hold the CEO accountable for the company’s ability to defend itself and its customers.”
Cyber security is an ever-changing, deeply technical field in which the CEO cannot and should not be an expert. Unfortunately, it is not enough anymore to completely delegate the topic either. There is increasing external pressure to hold the CEO accountable for the company’s ability to defend itself and its customers. The board is asking for status reports. And, most importantly, the risks have risen to a point where cyber security has, by necessity, become a CEO responsibility.
So, what then is the CEO’s role?
Is it possible to find the middle ground between a remote and meaningless 30,000-foot view of the issue on the one hand, and being buried with endless technical detail on the other? How should a CEO prepare to have sufficient understanding to be able to guide the company forward?
This challenge is even more difficult for boards, who have to address many of the same questions the CEO faces, but from a less informed position and even further away from the action. How much time to allocate to cyber security, and how often? What are the right questions to ask the CEO? How does one know what the company’s capability level is and what it should be? How should progress be measured?
The answer is always partially company-specific, but there are pragmatic common-sense steps every CEO and every board can take. If you are running a large bank or a defence contractor, the following list should be an easy read as you are probably routinely doing everything I mention. On the other hand, if you run a more traditional industrial business, there may be some things you have not thought about.
1. Identify your most critical systems. It is important that the CEO knows which IT systems the company cannot live without. You should assess the importance of the systems at least from the points of view of revenue generation (how would the loss of the system impact revenues), brand (how would the penetration of the system impact brand, for instance, via the public loss of confidential customer information or disruption of customers’ business), and future competitiveness (loss of R&D plans, core software assets or strategic plans).
More and more businesses are building sensor capabilities into their products and services. For some traditional industries this means a jump from the analogue world to the digital world. It means your products have embedded computers in them and those computers can be hacked. This requires you to develop new competences for building those systems in a secure fashion so that you do not expose your customers and your internal critical systems via the sensors you install into your solutions.
Therefore, as you work on identifying your critical systems, you can not look only at your IT systems. You also need to look at your manufacturing control processes and all your own solutions equipped with connectivity. You should also look at your own supply chain, and any of their systems that connect with your own. Just as you may be the weak link in your customers’ cyber defences, your suppliers can be the trojan horses enabling attackers to penetrate your systems.
2. Understand and openly discuss the implications of those critical systems being penetrated and the maximum damage that could be done through them should the attacker desire to do the maximum amount of harm.
For instance, very few companies think about a scenario where the intranet, Outlook and VoIP communications are all down. How do you get in touch with your employees if they have no access to email and you’ve stopped memorizing their phone numbers? I could name several large companies that have been in this situation over the last couple years, and their ability to recover was slowed down by their initial inability to communicate with key people.
3. Identify what type of attackers might be attracted to your operation. This will give you an idea of what kind of attack vectors they would most likely use and what their objectives might be. This will help you plan your defence.
4. Order a red team attack by a trusted cyber security company against your most critical systems. Do not tell your CIO of the attack in advance. This will give you real-life information on the abilities of your cyber security team. Just to set the expectations correctly, assume the red team attack will be successful (F-Secure has conducted hundreds of red team attacks over the past few years, and to-date, has a 100% success rate.)
When you assess the red team results, look for the following:
- Whether the critical systems can be penetrated (whether your prevention capability was good enough to prevent the attack).
- If the red team attack successfully penetrated a critical system, count yourself lucky that this was a friendly attacker and remind yourself of the worst-case damage that could have been caused by an unfriendly attacker. Take action to start a long-term development program, but also immediately strive to plug the holes that were used by the red team to prevent a similar attack from succeeding again.
- Whether your cyber security team noticed the attack and whether your detection capabilities were good enough to identify what is happening.
- If the attack was noticed, what did the cyber security team do? There are certain things that should be done and things that should not be done. Some of these are not obvious, such as disconnecting the penetrated devices from the rest of the network, as this may alert the attackers that you are on to them before you actually know what is happening and are ready to take the appropriate action.
Did they notify you? When would you have wanted to be notified? When should the CEO be expected to inform the Chairman or the full Board?
5. Of course, the red team attack is only a first step. Think of cyber security as a muscle. You gave it a quick flex with the red team and got valuable but narrow information on your capabilities. There is a lot more to be done, including:
- Asking a few fairly simple technical questions to take the temperature of the maturity level of your defensive capabilities.
- Setting a target level for your cyber security defences that’s proportional to the threats.
- Starting to develop your capabilities.
- Exercising continuously to measure progress and build the muscle.
- Creating a scorecard to follow the process.
- Using that scorecard to report to the board.
6. Build awareness. Social engineering is one of the most effective tools for a professional attacker. Employees with higher levels of access to key systems, in particular, should be trained to identify social engineering attempts. You can also train the employee population at large to detect phishing emails, for instance, but do not think that this can prevent attacks.
7. Finally, in order for this to work, you have to have a ’no blame’ culture. Without it, there is no hope to truly improve. People must feel they can report mistakes, weak signs and failures quickly in order for constant improvement and learning to happen.
I hope this gives you some ideas on how to get started. But, once started, it is also critical that you do not stop. Everyone involved must continue to learn – and that includes leveraging outside specialists.
Risto Siilasmaa, F-Secure