Roundtable Discussions – MBA Student Perspective: Rethinking Cyber/Information Security
November 15th, 2017
MBA Fellow alumnus Tim McDowell T’17 attended our Roundtable on Digital Strategies back in April 2018 (hosted by LafargeHolcim in Zurich, Switzerland); the key insights and the full report are available separately. Before coming to Tuck, Tim worked as a Senior IT Security Engineer at Southern Company Services. He came to Tuck looking to build on his background as a cybersecurity analyst and engineer, with the goal of becoming a leader in the technology sector. During that process, Tim took part in a daylong discussion in Switzerland with chief information officers and chief information security officers from major European companies at a digital strategies roundtable focused on cyber security in the digital age. This included a conversation about global views on technology with Yvon Le Roux, an executive fellow with the center and former VP of Cisco’s Global Cyber Security Initiative in Europe. Tim now works as a Manager of Corporate Strategy at Cisco. Below you’ll find his takeaways from the day in Zurich.
Target. Yahoo. The Democratic National Committee.
How are enterprises learning from the past to cope with the operational and reputational risks of a cyber attack? Could the new normal require accepting that such hacks are inevitable? These questions were the springboard for discussion at the Center for Digital Strategies’ Rethinking Cyber/Information Security Roundtable in Zurich. With several distinct industries represented at the Roundtable, I was surprised to hear strong parallels between companies as executives detailed the cyber/information security risks facing their firms. The sheer number of threat actors, the increasing professionalization of attacks, and the exponentially larger attack surface companies face in the era of cloud services, bring-your-own-device/app policies, and less-than-secure collaboration tools are among the myriad threats keeping leaders up at night.
The headlines are rife with examples of hacked companies that failed to implement adequate technical controls.
Even as security threats become more salient to top executives, convincing an enterprise to increase information security spend accordingly remains a hard sell. The executives also emphasized the difficulty of benchmarking one’s suite of tools against industry peers. It is easy to cite how many full-time security employees were hired or the percentage of total IT spend your competitors have dedicated to the latest tools, but are peer comparisons the best metric? Some industries are clearly differentiating themselves and becoming best-of-breed while others have fallen behind the curve. Decision makers must be adept at creating narratives that explain why resource-intensive security solutions, such as 24/7 security operations centers, are worth the substantial investment.
Another takeaway is that cyber resilience should be the primary goal of today’s CISO.
It is no longer feasible to defend against all threats, and the focus needs to shift towards increasing cyber detection and response capabilities. The ability to compartmentalize damage and quickly recover from an attack will only come through meticulous disaster recovery, business continuity, and corporate communications planning. Multinational companies face a particular challenge as risk appetites and standard security practices vary across geographies. Culture and history also play a role in defending a distributed footprint. Selectively identifying the weak links present in one geography that are not present elsewhere is resource-intensive and requires political savviness—stressing the need for CISOs to be adept people managers in addition to maintaining some baseline of technical knowledge.
This diverse group of leaders also reached unanimity in stressing employee education and awareness-building.
These goals have become even more important than technical controls—though they may be even more challenging to implement. Communication is key, and IT executives must work with their HR and compliance counterparts to mandate security awareness training and integrate cyber vigilance and best practices into the company culture. This two-pronged strategy of combining technical tools with employee awareness and education remains paramount as enterprises adapt their digital strategies to cope with the modern cyber-threat landscape.