How to Harden Your People So They Can Harden Your Cyber Defenses
New hybrid models in business have created a dichotomy in corporate governance that is accelerating disruption and exposing weaknesses in how organizations respond to change. Traditional governance models are proving inflexible and unsustainable wherever organizations have failed to adopt agile approaches to business and governance. Industry leaders once considered blue-chip members of the Dow Jones Industrial Average are being supplanted by technology-driven companies in auto manufacturing, financial services, healthcare and more.
Change happens at speeds that go unnoticed until we experience the impact or our conscious mind realizes something is different. That realization seldom comes in time to respond efficiently. Human nature depends on consistency to adapt to our environment and to allow people and organizations to develop processes that achieve reliable outcomes.
Unfortunately, human nature is hard-wired to make sense of the world through five senses. When faced with novel risks, and even with imminent danger, such as the threats of COVID-19, climate change and cyberspace, the senses are slow to react. Now is the time to consider new governance models for enterprise risks that demand a higher level of awareness: asymmetric risks from advanced adversaries, from unanticipated corners of the globe and from our own backyard.
A New Phase of Growth
The world is entering a new phase of growth and transition. Change is accelerating at a pace where capital-intensive industries must adopt digital strategies and digital business platforms must adopt new governance models. One thing has not changed: change is the mother of new risks. The challenge is to keep pace with change, to detect how it affects cybersecurity and risk management, and to give corporate governance a role that can respond in a timely manner.
In the past, risk professionals relied on controls, processes and compliance in security and risk management to provide assurance, under the false assumption that risk could be managed by policy. Today, many risk professionals use analytical approaches to predict risk and cyber threats, under the false assumption that risk quantification is accurate enough to manage uncertainty. Analytical approaches are superior to professional guesswork, but they too have proven ineffective against advanced persistent threats and against the self-interest of executive malfeasance.
What may have worked in simpler times is insufficient against adversarial computer scientists who write code designed to trick human perception. The sophistication of the Stuxnet worm and its release into the wild, along with the rise of entrepreneurial and nation-state threats, will require flatter governance models that are more nimble, transparent and collaborative, and less complex. Different organizations will require different governance models.
The false assumption that enterprise risk management and a hierarchical, command-and-control governance model are the only path to a successful organization is being demolished by Silicon Valley and by corporate failure. The military, the archetype of hierarchical governance, has directed its war colleges to train next-generation leaders in writing code and cognitive science, and to push decision-making down to the officer ranks. Unfortunately, the change already underway will be ignored or explained away because many believe they will be unaffected. The nature of change is that it continues whether we choose to adjust to it or not.
The Next Generation of Change
So, what will it take to prepare for the next generation of change in a hybrid operating environment? If you follow the military's lead, it will take Cognitive Readiness at the board level and across the organization.[1] It will take more than narrowly scoped programs such as Zero Trust, ERM and analytics. It will take an investment in people, a deeper understanding of how human behavior leads to vulnerability, and a commitment to simplicity by reducing single points of failure. Good governance, cybersecurity and risk management must account for how the entire system behaves, including the behavior of the partners, vendors and suppliers who support the system we call the enterprise.
Cognitive readiness is the mental preparation (including skills, knowledge, abilities, motivation and personal dispositions) an individual needs to establish and sustain competent performance in the complex and unpredictable environment of modern military operations. The people closest to the risks should have the tools to understand the risks that are material to operational excellence.
Risk is too diffuse to be understood by one department, group or person in an organization, so an investment in cognitive readiness goes beyond a policy, concept or procedure. If Zero Trust does not cover every vendor, supplier, contractor, technology and person with access to critical infrastructure, and every device whether connected or not, then vulnerabilities remain. There will always be residual risk; the question is whether it is understood and mitigated in ways that minimize it.
Traditional risk frameworks do little to analyze residual risk, the risk that remains after controls are applied, and in particular the risks no one anticipated. Stuxnet proved that what was believed impossible was, in fact, possible and very destructive. General Colin Powell had a doctrine for his intelligence officers:
"As an intelligence officer, your responsibility is to tell me what you know. Tell me what you don't know. Then you're allowed to tell me what you think. But you always keep those three separated."
General Powell
What Should Organizations Do Now?
Organizations are losing the battle in cybersecurity, in part because they lack scientific approaches. The most advanced adversaries in cyberspace are computer scientists. They seldom carry out attacks themselves; they design the tools that exploit human behavior and the vulnerabilities in technology created by human actors. CISOs need to understand the science of cybersecurity, coding and risk management, or have a team of specialists who do. This requires a multidisciplinary approach, not a one-off based on the latest fad in cybersecurity.
Digital assets will become more autonomous, requiring advanced education, training and specialized skills to keep pace with sophisticated attackers. Nation states draw on the Dark Web for the best talent and tools to gain an edge. A new co-opetition is needed between the Federal Government and the tech community to build collaborative defenses and to iterate on new encryption and trusted gateways for ecommerce. Only $1.9 billion for cybersecurity was included in the recent Infrastructure Bill; billions more are needed in subsidies to state and federal facilities to bring critical infrastructure security up to the level of best practice.
Corporate governance must begin to include nontraditional cyber and risk talent on the board of directors. Reliance on public accounting firms will not raise the bar on risk practice or cybersecurity, and is more likely to create conflicts of interest than world-class standards. Data scientists, human-factors risk experts, risk researchers, computer scientists and network architecture engineers will bring a new perspective as advisers to in-house risk and cyber professionals.
Lastly, flatter, less hierarchical governance models are needed to streamline decision-making by developing a truly risk-based approach in practice, not just in rhetoric. Governance is a "black box" in most organizations: information goes in, but few lessons come out. Existing research on organizational performance and risk management is anecdotal, defining its attributes from ex post results without any insight into how decisions are formed or the processes that led to the performance. Governance must evolve along with risk and cybersecurity practice in forward-looking organizations.