Culture (Not Technology) Is the Best Cyber Defense
David W. Samara, CISSP, PMP, M.S.
vCISO | Networking/Hiring Mentor | Board Member | LifeSci fan | Veteran | CCP, CSM, CMMC-RP, CQIA
Most corporate boards and small-company leaders appear to have been throwing money at the post-Solarigate, Colonial Pipeline, and Microsoft attack cybersecurity "problem". Beginning this past January, the recurring theme at corporate-level cybersecurity forums has been to increase funding so the CIO/CISO (Chief Information Officer/Chief Information Security Officer) can buy better IT and IT security equipment and talent, on the assumption that this would "fix" the company's cybersecurity issue. That is a dangerous Band-Aid for a single symptom of a weak information security environment, and it overlooks the balance of people, process, and technology that builds the most effective cybersecurity culture. Thankfully, in the months since, writing has begun to appear about the much wiser whole-of-organization "cybersecurity culture" approach.
The board would be pleased that two or more quarters of better profit margins might result from increasing the cybersecurity and IT budgets, decreasing the company's cybersecurity exposure, and making investors feel more confident. But the threat to profits and brand valuation, from every organized, syndicated, criminal, and nation-state sponsored group of black-hat hackers, and from the independent nefarious hackers who also populate the dark web, is a "long game" that threatens all sectors. As news reports in just the past nine months show, attacks have been (and for decades will be) occurring against company finances, banks, governments, energy systems, food supply systems, water supply systems, military weapon systems, transportation systems, electric utilities, and households (the last increasing daily with the post-COVID-19 work-from-home "sea change"). Debilitating corporate and government hacks have been occurring for thirty or more years, and attackers have honed their skills to accelerate the impact on victims, increase the likelihood of a successful attack, and, increasingly, grow the windfall from a financial ransom. Without a countering culture shift, attacks will continue to crush pockets and swaths of civilization for a monetary ransom, for bragging rights, or for nation-state domination.
Stephen King, Founding Board Member at CyberEd.io, consistently reminds us in his posts that the paradigm shift has already happened, that we are in new territory in terms of cyber vulnerability, and that there is no going back. Hackers burned our boats out from underneath us. But we're letting them.
This new and permanent business risk paradigm is best countered with a company-wide approach to cyber hygiene for the entire employee base. Cybersecurity is no longer a "tech thing"; it has become a critical and demanding discipline of organizational and societal culture. Dr. Eric Cole continues to relate in online videos and in his new book "Cyber Crisis: Protecting Your Business from Real Threats in the Virtual World" that the role of a CISO is not a "tech" role (and never was); it is about speaking to business risk. The CISO, responsible for driving company-wide cyber hygiene on behalf of investors, needs to be a well-rounded, risk-focused, technology-aware leader who is an equal in the C-suite and reports directly to the CEO.
As Michelle Phillips of CrowdStrike recently posted, cybersecurity is no longer a "checkbox/compliance" exercise; compliance does not equal security. Many have echoed that astute point, and the consensus is growing that a cultural shift is required to become optimally cybersecure.
The best cyber target is now the non-IT person. Annual, highly regarded economy-wide "state of cybersecurity" reports from Horizon3.ai, Verizon, and others continue to highlight that phishing, and its targeted variant Business Email Compromise ("BEC"), has been the most successful attack for at least the past two years. Attackers are less likely to brute-force their way through the already-strong defensive layers of your corporate IT systems. They are increasingly more likely to use subtle, surreptitious social engineering, such as "imposter" phone calls ("vishing", voice phishing), to obtain one email address and one log-in credential. They then use that stolen credential to log in to your email system as a legitimate user and send just one email to a key person in Finance. It will appear to come from an executive and "demand" that a payment be made to a customer "now". The payment instructions point to an account the attacker controls, and millions or billions (pick your currency) flow to the hacker and dark-web organizations, never to be seen again, at great cost to company credibility and investor confidence.
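The attack chain above (a credential obtained by social engineering, a log-in that looks legitimate, one urgent payment email to Finance) is exactly the case that mail filtering alone does not catch. The following Python script is an added example, not code from this article or from any vendor named in it, that screens inbound messages for BEC indicators: an executive's display name on a foreign address, a lookalike sender domain, Reply-To redirection, failed SPF/DKIM/DMARC results, and the content cues (urgency, payment, secrecy, changed bank details) that remain the only signal once a real mailbox has been taken over. The organization domain, the executive directory, the three sample messages and the hold threshold are all constructed assumptions for the example.

```python
"""Heuristic BEC screening over constructed sample messages (added example)."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed organization data, constructed for this example.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"Alice Chen": "alice.chen@example.com"}  # display name -> only legitimate address

# Content cues that BEC messages lean on; loose by design, so hits are a score, not a verdict.
CUES = {
    "urgency": re.compile(r"\b(urgent(ly)?|immediately|asap|right away|today|before (noon|eod|close of business))\b", re.I),
    "payment request": re.compile(r"\b(wire|transfer|payment|invoice|bank details|account number|routing number|gift cards?)\b", re.I),
    "secrecy": re.compile(r"\b(confidential|discreet|don'?t (tell|mention|discuss)|keep this between us)\b", re.I),
    "new payment destination": re.compile(r"\b(new|updated|changed) (bank|account|payment|wiring) (details|instructions|information)\b", re.I),
}


def _body_text(msg):
    """Return the text/plain content of a parsed message as one string."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(p.decode("utf-8", "replace") for p in parts)


def score_message(raw):
    """Return (score, findings) for one RFC 5322 message given as a string."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.rpartition("@")[2]
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].lower().rpartition("@")[2]

    # Header indicators: these fire only for forged or lookalike senders.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append("executive display name on a non-corporate address")
    if from_domain != ORG_DOMAIN and SequenceMatcher(None, from_domain, ORG_DOMAIN).ratio() >= 0.8:
        findings.append("lookalike sender domain " + from_domain)
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To redirects replies to " + reply_domain)
    auth = msg.get("Authentication-Results", "").lower()
    if any(m + "=fail" in auth for m in ("spf", "dkim", "dmarc")):
        findings.append("sender authentication failed")

    # Content indicators: the only ones that fire when a real mailbox is taken over,
    # because then the From address is genuine and SPF/DKIM/DMARC all pass.
    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    findings.extend(label for label, pattern in CUES.items() if pattern.search(text))
    return len(findings), findings


def verdict(raw, threshold=3):
    """Assumed policy: three or more indicators hold the mail for out-of-band verification."""
    score, findings = score_message(raw)
    return ("hold for out-of-band verification" if score >= threshold else "deliver"), findings


# Constructed samples. 1: lookalike-domain spoof. 2: the article's scenario, a real
# executive mailbox driven by the attacker. 3: ordinary internal mail.
LOOKALIKE_SPOOF = """\
From: Alice Chen <alice.chen@exarnple.com>
Reply-To: Alice Chen <alice.ceo.office@mail-relay.example.net>
Subject: Urgent vendor payment
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=exarnple.com; dmarc=fail

Need this wire sent today. Use the updated account details below. Keep this between us until I'm back.
"""

ACCOUNT_TAKEOVER = """\
From: Alice Chen <alice.chen@example.com>
Subject: Customer refund - handle now
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass

Please wire $148,200 to the customer immediately using the new bank details attached.
I'm in meetings all day, so just get it done and don't discuss it with anyone.
"""

BENIGN = """\
From: Dana Ortiz <dana.ortiz@example.com>
Subject: Q3 offsite agenda
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Attached is the draft agenda. Let me know if you want changes before Friday.
"""

if __name__ == "__main__":
    for label, sample in (("lookalike spoof", LOOKALIKE_SPOOF), ("account takeover", ACCOUNT_TAKEOVER), ("benign", BENIGN)):
        action, findings = verdict(sample)
        print(f"{label}: {action}; findings={findings}")
```

The second sample is the article's scenario: every header check passes because the attacker really is logged in as the executive, and the message is held only because of what it asks for. That is the point at which a trained Finance employee, calling the executive on a known number before moving money, is the control, not the filter.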
Bill Bonney, Gary Hayslip, and Matt Stamper, with ninety-plus years of IT security experience between them, said in the preface to their 2018 book, the two-volume "CISO Desk Reference Guide", that the escalation in cyber-attacks will not peak anytime soon. Attacks will continue to shift toward small and mid-sized businesses. Consider a software company without a CISO, whose security policies let a build-server password sit on the public internet for years (as open-source reports pointed out), and where a summer intern was allowed to use a generic log-in that could modify source code. Attackers holding such a credential can implant malicious code into the company's next software update to thousands of its customers, creating electronic "back doors" into every "big" customer's IT and finance systems. That chain is complex, but something very like it happened (reference "Solarigate", the SolarWinds Orion compromise, where a weak update-server password, blamed on an intern, had been posted publicly, even though the attackers' exact initial entry point was never publicly confirmed).
Meanwhile, James J. Azar, Naomi Buckwalter, and Renee (Brown) Small use their weekly podcasts and posts to point out that we are needlessly hindering our own success in trying to "fix" the cybersecurity problem. Hiring managers, talent organizations, or an unwitting combination of hiring checks and balances become fixated on writing cybersecurity job postings only for highly educated, highly certified, and highly experienced technicians: "perfect" profiles that sometimes surpass the credentials of the software engineers who created the very systems being defended. A breadth of cyber, IT operations, and software candidates, plus the right selection of perspectives from Legal, Marketing, and process improvement, would produce a team that solves problems faster. A homogeneous group is most likely to deliver only one flavor of solution and is less likely to keep up with the changing landscape of cyber-attacks an organization will face. Diversifying the cybersecurity employee portfolio strengthens the flexibility of response to a business risk that is now a permanent part of your company's risk portfolio.
Serial and long-term CISO/CIOs such as Mel Reyes (Getaround) and Chad Nelly (ESET), plus cybersecurity founders, owners, and CEOs such as John Shin (Managing Director of RSI Security), Lynn Hijar-Hoffman (Cibernetika), and Jack McCready (JWM Consulting), all veterans of IT and security in both large and small companies, understand the need to remain flexible and entrepreneurial in choosing the most effective cyber-attack mitigation strategy while remaining aligned with the applicable industry cybersecurity frameworks. They and contemporaries such as Bill Reid and Chris Simpson at National University, who speak at events hosted by the Society for Information Management (SIM), ISACA, ISSA, and ISC2 and on a variety of podcasts, speak to the need to anchor organizational culture (not just compliance) in training all employees to be on your "cyber team" (at the appropriate level), to mitigate the business risk to your brand integrity, improve customer loyalty, and grow profits.
David W. Samara (CISSP, PMP, CSM) is a former cyber offensive system operator who rose to CIO (Chief Information Officer) of a complex set of high-accountability IT operational and security systems in a medium-sized global corporate enterprise, responsible for applying both daily and strategic risk management expertise throughout. He brings expertise across the military and defense sectors and recent biomanufacturing experience, and is now in the cybersecurity industry.
Advanced Technology & Cybersecurity Specialist
3 years ago: Nice article, Dave. As you know, I've been pushing and supporting this concept for years. BZ
VP, IT Vendor Management at Credit Suisse
3 years ago: Excellent points here! We each have a role to play in ensuring the cyber safety of ourselves and our organizations.
President, Providence Access Co.
3 years ago: Sammy, you are spot on - culture is just about everything and support comes from the top. Great article!