Whether it is the targeted exploitation of corporate databases by state-sponsored groups, or the lack of judicial oversight of the surveillance “warrants” relied on by the National Security Agency, leaders are seeking solutions in response to the cybersecurity headlines of 2014. Thus far, the status quo response has been to develop reactive, check-the-box risk management procedures. The current legal landscape for cybersecurity is comparable to that of workplace harassment and discrimination in the mid-1980s: a frustrating lack of meaningful response and oversight to the mistreatment of a highly valued organizational asset. Historically, the change in workplace behavior derives primarily from the many lawsuits filed in the mid-1980s, a period that culminated in the 1991 Anita Hill/Clarence Thomas hearings. From a corporate culture standpoint, the Hill/Thomas hearings represented a paradigm shift in employment practices for many organizations. We have not yet experienced such a tipping point in the cybersecurity context, but FBI Director James Comey put the situation succinctly on 60 Minutes: “[t]here are two types of publicly-traded companies, those who have been hacked by the Chinese, and those who do not know they have been hacked by the Chinese.”
Nearly all businesses in the State of Washington run a heterogeneous mix of devices (PDAs, laptops, desktop computers, and so on) across heterogeneous environments (office networks, open wireless networks, and so on). This makes securing mission-critical data considerably more difficult. Additionally, for any Internet-connected business, data exposure risk is the proverbial elephant in the room. Many businesses are unable to respond proactively to cybersecurity issues for a myriad of reasons:
- Many executives see the issues around cybersecurity as overblown
- The organization has a mindset that it will deal with information management issues later
- A perception that security controls impede sharing and openness
- The business has not classified its proprietary information by value and sensitivity, so it cannot tell which data most needs protecting
One risk management response to cybersecurity is simply to transfer the risk to a third party (i.e., buy cyber-insurance). Plenty of cyber-policies are offered in the marketplace, but understanding the nuances of what a policy actually covers is a critical procurement decision. For example, a third-party liability policy covers claims brought against the insured by others whose data was lost, but it does not necessarily reimburse the insured’s own direct losses, such as investigation, notification, and business interruption costs; those require first-party coverage. Additionally, a first-party policy may cost more than self-insuring against all direct and indirect losses.
An alternative approach to cybersecurity is for organizational leadership to set a “tone at the top” governance strategy. To mitigate the unauthorized release of mission-critical data, corporations should explore a paradigm shift away from check-the-box procedures toward a Control Conscious Corporate Culture. Laws and regulations will continue to act as an arbiter that levels the playing field, but the ebbs and flows of regulatory guidance also create legal uncertainty. A Control Conscious Corporate Culture goes beyond technology and focuses, to a much greater degree, on the systematic processes and people that are within, and unique to, an organization. The behavioral choice to disregard those processes can damage the technology that supports the business just as badly as any technical failure. A Control Conscious Corporate Culture is accomplished through the hiring and promotion of people with the desired values, the adoption of a formal set of internal controls, and the deployment of quality technology premised on the core values that distinguish the organization from its competition.
IT departments are chartered with safeguarding mission-critical assets, but better processes and employee training should also be part of a more robust data governance strategy. Much as with employment practices, the government expects organizations to be good corporate citizens and to self-monitor for compliance with all applicable laws and regulations. Maintaining the confidentiality, integrity, and availability of critical knowledge resources accrues long-term benefits: good public relations, high customer satisfaction, preservation of intellectual property and competitive advantage, higher investor confidence, and higher valuation.