Counsel need to help chart a path that effectively deals with risks and allows the company to continue to drive innovation
Cyber by definition is global, and businesses and their counsel have to think globally. Yes, of course you have to comply with local law, but faced with increasing national security and economic security cyber threats from organized crime, nation states, non-nation states, hacktivists and insiders, counsel need to help chart a path that effectively deals with these risks and allows the company to continue to drive innovation and win in the marketplace, globally. Here’s how to do it.
Countries and companies are working their way through this not-completely-charted “cyberspace.” Fresh from the headlines are Sony, Target and Anthem, and in the not too distant past, Snowden, Saudi Aramco, Stuxnet, NASDAQ and a spate of new legislative proposals around the globe. A couple of CEOs have lost their jobs, boards of directors are answering questions about what they did or didn’t know about cyber readiness, and of course lawsuits have been filed and litigated.
But the cyber “issue” today is hard to define. What does it mean to effectively deal with cyber globally? It means you understand your “crown jewels,” competitive advantage and values, employ risk-based “real security” to protect them, and are ready to respond and recover when something inevitably goes wrong. That sounds easy, but in the ill-defined world of cyberspace, it’s not. It’s hard work. But work that can and should be done.
Understand your “crown jewels”
What are the crown jewels of your company? How do you prioritize them? Is there agreement at the C-suite and the board about what they are? It could be intellectual property, product quality, innovation, brand, data, service quality, culture, customer trust, government trust or global reach. All of these no doubt are important, but which are the real crown jewels (tangible and intangible) that drive competitive advantage and market leadership? Run a cross-functional process to define and prioritize your crown jewels—you can then build prioritized real security around those assets.
Understand your adversaries
Who are your adversaries? What group, individual, nation state or non-nation state might be motivated to impact your crown jewels, and why? Yes, unfortunately, you have to think like a bad guy. Who wants to steal your latest innovation, destroy your data, undermine your service delivery, undermine market trust, embarrass you or create market access barriers in local markets? Do you play a critical role in national or economic security (financial services, communications, information technology, electric, energy, transportation, health care, defense or government) or represent values such as free speech, association or the dissemination of viewpoints? In a globally interconnected world, adversaries can reach out and touch you from almost anywhere (often masking their actual location), and they can be insiders too. Understand who your adversaries are, what motivates them and what methods characterize their activities.
Implement risk-based “real security”
Once you understand your global crown jewels and adversaries, you can and should build risk-based real security around the things that matter most. Compliance and security are not the same thing. You have to do compliance, but you should and must do real security as well. Start with baseline situational awareness, and then plan a risk-based shift. For example, you need to understand basics such as: an inventory of all your hardware and software assets; the ingress and egress points to the Internet; where your data is stored and how it’s secured; who touches your supply chain; your methodology for ensuring product integrity; the techniques you use to stop data exfiltration, denial of service, data destruction, data corruption and service disruption; and what choices you are making about the use of encryption. You then have to ask—are these tied to and focused on protecting crown jewels? There is a saying in security: “If you try to secure everything, you secure nothing.” So no doubt, after setting the baseline and the prioritization, a shift will be in order.
Prepare and exercise response and recovery
What is your plan to respond to and recover from a cyber event? Have you exercised those plans? Things you need to understand or set include: who “owns” the overall response, the escalation triggers and process for information flow, and who will run impact analysis, forensics, containment, mitigation and external communications. How about recovery: What are the plans to restore systems, assets or data, and who owns them? There is another saying in security: “There are two kinds of companies—those that have been hacked, and those who just don’t know it yet.” So know your response and recovery plans, and exercise them; you will likely need them.
Get help and use best practices
Fortunately, the methodologies to manage cyber risk are improving. Cyber is a team sport, internally and externally. You need representatives from counsel, the CIO, CISO, CFO, business units, HR, PR, IR and others to understand and drive cyber risk management. The board has to understand the issue, buy in, and make informed choices. Outside counsel who deeply understand security can work with you top to bottom to understand crown jewels, manage real security, translate law and technology for the board, limit litigation risk, contractually protect cyber assets, and help lead teams to respond to incidents in real time. Cyber best practices like the new NIST Framework, and others, create methodologies to organize cyber management and substantiate the use of best practices. And, like other risks, cyber-specific insurance can both help manage risk and drive good risk management practices.
The cyber issue is fundamentally global, here today, and will continue to grow as companies drive more innovation through the use of technology. Now is the time to drive leadership in cyber for the company. It is important, possible and fundamental for competitive advantage.
Originally appeared in InsideCounsel on April 27, 2015.