Cyber-security: Fear This, Not That
If you're an executive in the finance industry, you're probably used to the question: "what keeps you up at night?" For those of us who work in technology risk, a more common question is, "when do you sleep?"
As a practical matter, nobody can worry about every threat our businesses face at once. We must focus on the threats that matter most, and more specifically, the aspects of certain threats that we can control. Thinking deeply and fully about these threats is the job of your top risk, security and control officers. So if you don't work in risk, security or control, but you still oversee offices or assets or entire organizations, what is your responsibility?
I'm a strong believer that your responsibility is to understand what to fear and to do so strategically. To put it another way, crisis communications expert Peter Sandman has stated that "Risk" is equal to "Hazard" plus "Outrage." This is especially true in the information technology (IT) security field.
We are inundated with headlines about hackers, threats from nation-states, insider risks and frightening data breaches. The outrage is steep; but are the topics that generate this outrage necessarily a response to a true hazard? And if not, what are the real hazards? Getting past the outrage, then, and gaining a deep understanding of legitimate fears—thus the real risk your business faces—is where I believe you should put your energy.
According to a 2012 study conducted by Verizon, in 855 data breaches they examined, 71 percent occurred in businesses with fewer than 100 employees.[1]
Talk to each other
Open communication is essential to understanding what to fear, and when to put action and weight behind initiatives to remediate a threat. If you don't already have a strong and regular dialogue with the IT security experts in your organization, start today. Ask them what they see as the biggest threats you face, and the actions necessary to provide greater security and control.
There is another side to asking these questions: gaining a greater understanding of the security landscape yourself. Many in the IT security field take for granted that their terms aren't used in the greater business community. If you don't know how firewalls work, ask. If you don't understand what your risk officer means when she says "sandbox," "SQL injection" and "white list," ask. Don't be afraid to ask questions if you don't understand—the real hazard lies in not knowing what's going on.
The internet of things
A lot of recent headlines have been devoted to fears revolving around what many call the "internet of things," shorthand for the many objects in our environment that are now interconnected through web and wireless capabilities. These objects—everything from cars to HVAC systems to pacemakers—have been the subject of great outrage and speculation on how they could be turned against us in a cyber-attack. These threats are real, and in an age where nearly everything we touch involves technology, this speculation can lead to more than a little paranoia.
We also know that having this interconnected world provides great advantages. In today's workplace, we can stay at home and have face-to-face conversations with our counterparts across the globe. Chat functions, mobile devices, teleconferencing and the way we control our home and work spaces have changed and made work easier and more accessible.
So, how best to balance a healthy dose of fear with a realistic view of our modern workplace? It's perhaps best not to fear the interconnectivity itself, but rather, whether the right people have access to the right pieces.
This is where an understanding of your organization's posture on employee access plays a huge role. The process of managing identity and access to your critical systems and databases is sometimes a dry topic that is easy to write off as basic "hygiene." However, the importance of properly executing secure on-boarding, off-boarding and maintenance of your employees' access is critical to avoiding those above-the-fold headline issues that cause the most fear. Don't underestimate the importance of access.
Focus on hygiene
Hygiene is one of those sterile words that security professionals like to use as a catch-all for remediation, updates and other activities that we should obviously be doing every day to enhance IT security.
It's easy to get lost in the outrage generated over the last big data breach, and it's just as easy to get lost poring over details of the many, many small tasks and initiatives that constitute IT hygiene. But it is absolutely imperative, if you want to remediate the risk of that big data breach, to keep a strong focus on hygiene.
Again, open dialogue and clear reporting from your IT risk, security and control teams are essential. Are they staffed and funded properly to deal with what is required for this basic hygiene? Do you have the proper systems of updating, patching, tracking access and assets? These are all essential questions related to hygiene that are worth your worry.
J.P. Morgan recently welcomed Richard Clarke, former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism in the United States, to discuss IT security with our employees. In talking about how companies can do a better job of listening to their staff, he made a reference to Greek mythology: Cassandra, the woman gifted with the ability to see the future while, at the same time, cursed with the fact that nobody would believe her.
Mr. Clarke suggested that we need to continue to find better ways to listen to the Cassandras within our organizations. In essence, he said you should be more afraid that you're not listening to someone trying to tell you about a problem, and less afraid that nobody is raising issues in the first place. Yes, every organization has its Chicken Littles—but every organization has its Cassandras as well. Be prepared to hear problems when they come up, and ensure that strong mechanisms exist throughout your organization to allow for thoughtful listening.
The bottom line: you don't have to be a technologist to be a strong listener and communicator, nor a good student of technology to know security basics. I encourage everyone, no matter their industry, to simply be a discerning consumer of information when it comes to IT security. Take a moment to understand the hazards and how your organization is dealing with them. Make sure you know who your go-to security, risk and control people are, and engage them. And in the end, adjust your outrage accordingly.
Candid Thoughts from a Security Expert: An Interview with General Michael V. Hayden
Last November, J.P. Morgan Investor Services hosted its 5th Annual Chief Information Officer Summit in New York. The keynote speaker was General Michael V. Hayden, a retired four-star general who served for 40 years in the United States Air Force. He is also the former Director of the Central Intelligence Agency, the former Director of the National Security Agency and widely considered to be a global expert on security matters. Following his riveting presentation at the J.P. Morgan event, General Hayden offered this interview with Thought.
THOUGHT: What sort of measures would you say are essential prerequisites for companies to prevent cyber-threats?
HAYDEN: The first issue is simply awareness that cyber-space is a dangerous domain and if an enterprise chooses to take advantage of the incredible opportunities that it presents, it also must take care to protect itself. Cyber-defense is not a subtraction from the bottom line. Rather it is an integral and essential element in creating the top line.
THOUGHT: If you were newly in charge of cyber-security at a financial institution, what would be your first priority?
HAYDEN: My top priority would be to ensure that I had (or would soon develop) a "God's eye" view of enterprise IT. Since cyber-security requires active response rather than static defense, I need a single place to visualize, operate and secure my IT space.
THOUGHT: Can financial companies adequately protect themselves against cyber-threats without devoting significant expense and human resources to security?
HAYDEN: There is no doubt that investment will be required, but this is not just a question of resources. The first prerequisite, in fact, is largely governance: is this a CEO issue? Is there a single corporate official with appropriate responsibility and authority? Is the network governed as a unitary whole (even if individual P&L centers object)? Does the Board understand and attend to this issue? A second major issue is simply personal discipline. Is the workforce aware of and practicing simple cyber-security measures?
THOUGHT: What kind of help can the private sector look to receive from their governments, in terms of cyber-security?
HAYDEN: Government is truly working this issue hard with many good people. But government (and especially the U.S. government with its particular sensitivity regarding personal privacy) will be late to need, and enterprises will have to assume significant responsibilities for their own defense. Enterprises should push for more (and more rapid) information sharing by the government and for more security clearances for key personnel. They should also push government to use its diplomatic tools against regimes that permit, enable or (in some cases) conduct aggressive cyber-behavior from their national domains.
THOUGHT: What are some of the more successful measures firms are taking to mitigate risk?
HAYDEN: Current best practices invest sufficiently in patching vulnerabilities but also operate on the presumption of breach—regardless of defensive measures, some attacks will get through. And here is where resiliency separates the A from the C or D players. How quickly is the breach identified? Characterized? Isolated? Negated?
THOUGHT: How important is cyber-security insurance right now? Do you foresee growth in these kinds of insurance products going forward?
HAYDEN: Cyber-insurance is a new but fast growing industry. Insurance firms are developing measures to help firms deal with risks to IP, network functioning and even loss of personal information. And along the way they are setting standards and demanding best practices that improve overall cyber-security.
THOUGHT: At J.P. Morgan's event, you spoke about the importance of consequence management for businesses today. What are some investments in this area that are proving to be successful?
HAYDEN: A determined attacker will get in. You have to accept that as a given. But that does not necessarily spell defeat. Successful cyber-defense allows you to operate while penetrated, to survive while under attack. That requires overall network resiliency, a high degree of self-awareness and an overall defensive scheme that wraps the most precious data and information more tightly within the network.
THOUGHT: In your opinion, should every major financial institution have a cyber-security expert on their board of directors? If so, why?
HAYDEN: Board expertise and interest in cyber-security is now recognized as an essential part of any baseline for diligence. It is also a signal inside and outside of the enterprise that the issue is taken seriously and that corporate leadership will be measured on it.
[1] Cheryl Conner, "Are You Prepared? Record Number Of Cyber Attacks Target Small Business," Forbes, September 14, 2013, www.forbes.com.
Thought, 1Q 2014
Chief Information Risk Officer
JPMorgan Chase & Co.