The Cybersecurity world is a mess. According to Security magazine, there were 1,767 publicly reported data breaches exposing 18.8 billion records in 2021. This is a decrease from 2020’s pace. Although this may seem like progress, let me assure you it is certainly not. Data breaches have decreased because a more profitable attack has taken its place; Ransomware. However, ransomware and data breaches are the symptoms, not the disease. When we as a cybersecurity community get a handle on ransomware attacks, there will be another type of attack to take its place. The issue is not that there are attacks; the issue is the culture in our organizations. The only way to start gaining ground in the cyberwar is to instill a culture of security at every level. The only way this culture can be created is through command emphasis from the top of our organizations. A fundamental culture change must happen in leadership to drive that change. Leaders must understand the challenges they are facing to keep the data and the students they are entrusted with safe. In this article, I will discuss three topics every leader must understand to effectively lead security strategies and create a culture of security.
The first issue leaders must recognize is who is attacking them. There is a quote from a book written two thousand years ago that is relevant to this discussion. In The Art of War, Sun Tzu wrote, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” This quote is extremely insightful. In the cyber battle, when one type of attack is controlled, another is on the way. The issue is that we, as leaders underestimate our adversary. When we close our eyes and imagine who the hackers are, we envision a person in their parent’s basement, overweight, dirty, and socially awkward, pounding on their keyboards at three am. This is not the case. There are entire companies dedicated to stealing your data and making you pay a ransom for the privilege to exist. There are countries with cyber armies in the tens of thousands that can see your vulnerabilities at the speed of light from half a world away. Even beginners have enough free tools and training at their disposal to become a threat in a matter of weeks. Each of these enemies is more dedicated to stealing data that our leaders are not prepared to protect.
It is understandable if you cringed at that last sentence; however, it is the second issue we are missing as leaders. The bad guys are far more committed to stealing organizations’ data and encrypting their systems than leaders are to protecting them. This is not an issue of competence but one of time and culture. Cybercriminals have the luxury of being singularly focused on attacking. All of their research and development is aimed at breaking into systems and making money on data theft and encryption. Because of a lack of understanding about cybersecurity issues at the highest level of most organizations, the commitment to protection is nowhere near the commitment of invasion, handing the bad guys an enormous advantage.
The third issue is that there is a lack of written down, understandable, and enforceable policies guiding our organizations through this crisis. Companies must have all aspects of their infrastructure and employee cyber hygiene under control, or there will be an attack. The visibility of organizational vulnerabilities is staggering and invisible. Any misstep can immediately be detected. The only way to counteract this is with written down policies, procedures, and guidelines that are understood and followed by everyone. A framework like the Nist 800-53 or the ISO 27001 must be implemented and taught.
I understand that this is a massive undertaking for leadership. Other responsibilities take our time and attention. This problem must be solved by understanding, then delegating. A competent Chief Information Security Officer is a first step. However, leaders can delegate authority but not responsibility. The responsibility to keep data safe still falls on them. Every leader must understand who the enemy is, how they behave and why. They must push a leadership culture through a framework and be as committed to protecting their organizations as the bad guys are to attacking them.