Issue Nineteen

November 2022

The world is smaller. Challenges more complex. Our purpose never more important.

The interconnected nature of the world we live in today brings nearly everything into our purview. Cybersecurity has become much more than a line item on a budget, a compliance checklist, or a set of policies and frameworks. It has become a foundational principle, weaving itself into the ethos of a global narrative.

We’ve seen tremendous progress in the overarching cyber initiative during this Administration. Collaboration serving as the catalyst for moving beyond the mire. This is encouraging for a challenge so vast. Resilience by design requires a sea change in mindset and approach. A cultural shift that will span years before reaching maturity.

Rightsizing requires creativity and thoughtfulness. It requires uncommon solutions to unfamiliar challenges. Where we might have applied brute force in the past, we’re seeing the need for a more considerate approach moving forward.

Cybersecurity is built on the principle that meaningful relationships are critical to achieving goals. That collaboration is the key to solving modern challenges.

This month’s issue of Target Lock serves as an opportunity to pause and reflect on the challenges we’ve overcome together – as well as an opportunity to leverage those common shared experiences to face the challenges ahead. Enjoy.


ZEROING IN


The real reason we’re having a hard time moving past COVID

Fast Company

“Facing adversity is hard, especially when we have minimal control over what will happen. However, it is precisely in these moments in life that we are gifted with deep wisdom about what really matters.”

Until we recognize what really matters isn’t the same for everyone, we will continue struggling with what “moving past COVID” looks like. For some, it’s returning to the office - a break from our makeshift desk in the spare bedroom and the distractions of a frenzied household. For others, it’s the assurance of not having to uproot the work-life balance we’ve fought so hard to establish over the past several years.

We would expect the victim of an overturned vehicle to have difficulty finding their bearings afterwards. We should also expect them to feel a level of uncertainty the next time they get behind the wheel.

When we experience traumatic events, we need time to process, digest, and heal. We need time to reacclimate. The pandemic was a two-year-long car wreck we all went through together. It happened without warning and flipped our entire world upside down.

Now here we are, most of the debris cleared away and the road ahead passable. It’s time to leverage the deep wisdom of making it through adversity. It’s the organization’s turn to remind our teams that while the landscape might have changed, the meaningful journey remains the same.

  • Lead with steadiness and optimism.

  • Acknowledge reality or risk alienating people.

  • Be compassionate.

  • Give people choices to empower them.

  • Communicate, communicate, communicate.

We should pay close attention to the nuances of preserving the cultures that helped our organizations navigate the pandemic. Cultures that took years to cultivate and nurture, made up of the very people that were thrust into inexplicable uncertainty overnight. We must reinforce, by example, the fact that meaningful is what really matters.

If we’re going to compete in the marketplace - and as a nation – we should understand and prioritize the nuances of human nature. We should respect the fact that we are all in the people business, no matter what our product or service is. We must begin to understand psychological safety and the critical role it will play in “getting back to normal.” In other words, business becoming human again.
 

“Leadership and learning are indispensable to each other.” - John F. Kennedy

SQ Insight: Adam Brewer - CEO


Security vs. Safety: Should We Reframe Cybersecurity to Make It More Recession-Proof? 

JupiterOne

The past few years have been extreme and trying for businesses across all industries and, in the aftermath of the pandemic and strengthening economic headwinds, many are evaluating necessary cost-cutting measures.  Given the ongoing costs associated with cybersecurity and the fact that it rarely makes an apparent difference to the bottom line, it's understandable that many businesses are considering a reduction in cybersecurity spending - in fact, it's viewed by many organizations as merely a cost center.

"Indeed, 41% of businesses have cut back on cybersecurity spending as a result of the Covid-19 pandemic.  But cutting your business expenses should not include reducing spending on cybersecurity.  Making budget costs in this area can ultimately be disastrous for the business and result in the company losing far more money than it would have needed to put in to keep it secure.”

It's critical that all organizations examine why cutting (or even slashing) cybersecurity costs - particularly within the current environment - will not serve their best interest.  This will require a shift in approach and vernacular.  And to that end, reframing security as safety can add powerful weight in more accurately communicating the value of security within and throughout an organization.

The fact is society takes risks when it comes to security. Often, speed is valued over security; we witnessed this during the COVID-19 pandemic, when organizations took shortcuts with security in order to facilitate a quick pivot to remote work.

We should move to characterizing much of our cybersecurity practices as safety-oriented. We must communicate internally and to trusted partners that compliance and hygiene practices are standard safety measures which help us to operate within a safe digital environment. We must build a truer narrative around the fact that safety and security go hand-in-hand; they are the same thing. The key is learning how to speak the correct languages and to tell stories that convey the true value of cybersecurity.

Organizational leaders, board members, and all team members must understand the role of security in helping sustain the business, protect its reputation and brand trust, manage operational risk, and ultimately empower the company to continue to sell in times of uncertainty and chaos.

"It’s about providing safety for the organization overall in terms of reducing the volatility that they need to expect in the sense that you don’t want to wipe out your net income.   We are here to protect the organization, to continue to operate throughout the downturn.   The recession is a stress test, right?  It’s an unplanned stress test on the organization.   And you want to be able to demonstrate that [...] we are preserving the capability of the organization to endure through this.”

For organizations to maintain business viability and weather a downturn, leaders will need to get creative. Not just in the way they speak with their teams but also in how they evaluate their entire security posture.

This is the true differentiator.

SQ Insight: Kenneth Holley - Chairman


The Future of Cybersecurity Requires a Federal Enterprise Approach

Silent Quadrant

Not a day goes by that we are not alerted to another cybersecurity incident that has put at risk personal or corporate data, subjected a company to ransomware, or put critical infrastructure on the verge of catastrophe. It can be daunting. And while sometimes it seems easier to ignore, of course that approach is neither rational nor sustainable. Through the years, there has been a call for the federal government to take a greater leadership role in addressing cybersecurity and cyber-threats, as well as to collaborate more effectively with the private sector. Cybersecurity threats are not likely to abate, so the call to action remains pressing, with some evidence that it is being heeded.

Noteworthy are the numerous cybersecurity initiatives undertaken by the current Administration. Establishing the Office of the National Cyber Director was an important step. And a recent White House Fact Sheet describes various efforts to “strengthen and safeguard our nation’s cybersecurity,” to include adopting minimum cybersecurity standards for critical infrastructure, addressing cybersecurity supply chain risk management, working with international partners to address cyber threats and establish cyber norms, as well as addressing the need to grow and strengthen the cyber workforce. Some might argue this is too much, others not enough. Given that risks continue to increase, and the number of threats has not particularly subsided, I’ll go with “it’s a good start” and more needs to be done.

Clearly the federal government and private sector are working together to solve some pressing issues. A most recent example is the collaborative effort between the government, private companies, and industry associations to establish standards for an Internet of Things (IoT) labelling program. Beyond domestic initiatives, “The Time for Global Cybersecurity Is Now” underscores the need for cooperation and coordination globally, to include research and development, work on quantum systems, critical infrastructure, and risk management. This international collaboration is intent on finding innovative solutions, which is commendable and necessary.

So, while there is important work being undertaken, it remains unclear how cybersecurity strategies are integrated and where cybersecurity leadership ultimately rests. Earlier this year, Axios recognized what it called President Biden's “three-headed cybersecurity team” to include national cyber director Chris Inglis, Cybersecurity and Infrastructure Security Agency director Jen Easterly and Anne Neuberger, deputy national security adviser for cyber at the White House's National Security Council. The qualifications of these individuals are unquestioned, but who has the final say? Director Inglis recently defended a “tough” cybersecurity strategy, expected to debut in the next few months, that will advance cooperation between the public and private sector. Yet, in the absence of a designated authority, there remains risk of competing strategies, priorities, and resources. Consider, too, various federal agency cybersecurity initiatives: Department of Homeland Security, home to the Cybersecurity and Infrastructure Security Agency; Department of the Treasury; Department of State; Commerce, home to NIST; and the National Security Agency, to name a few.

Given the cybersecurity imperative to our future as a nation, it might be time to revisit the idea of a cabinet-level Department of Cybersecurity, with the authority to integrate the various interests and align policy and strategy along a common goal. We fight daily the idea of cybersecurity silos in organizations. It might be time to address the enterprise risk of cybersecurity silos at the national level, too.

SQ Insight: Tony Ogden - President, GRC

Kenneth Holley

Kenneth Holley's unique and highly effective perspective on solving complex cybersecurity issues for clients stems from a deep-rooted dedication and passion for digital security, technology, and innovation. His extensive experience and diverse expertise converge, enabling him to address the challenges faced by businesses and organizations of all sizes in an increasingly digital world.

As the founder of Silent Quadrant, a digital protection agency and consulting practice established in 1993, Kenneth has spent three decades delivering unparalleled digital security, digital transformation, and digital risk management solutions to a wide range of clients - from influential government affairs firms to small and medium-sized businesses across the United States. His specific focus on infrastructure security and data protection has been instrumental in safeguarding the brand and profile of clients, including foreign sovereignties.

Kenneth's mission is to redefine the fundamental role of cybersecurity and resilience within businesses and organizations, making it an integral part of their operations. His experience in the United States Navy for six years further solidifies his commitment to security and the protection of vital assets.

In addition to being a multi-certified cybersecurity and privacy professional, Kenneth is an avid technology evangelist, subject matter expert, and speaker on digital security. His frequent contributions to security-related publications showcase his in-depth understanding of the field, while his unwavering dedication to client service underpins his success in providing tailored cybersecurity solutions.
