Are you an executive, or do you work with or for one, who is accountable for the decisions that enable progress, support, and funding for efforts to reduce cybersecurity risk?
If so, corporate statistics would predict that you are (or are reporting to) a CIO or CFO. If you are in a progressive organization on this topic, you might be/report to the Chief Risk Officer or the elusive unicorn cyber-aware CEO.
In any case, you are probably extremely busy with numerous priorities pressing your time and attention. Even if you have understood the risk and impact of cyber on your business, and maybe even several years into providing elevated funding and support for your organization, you might be thinking:
- “When does it end?”
- “Can I truly see the value of what our team has been working on?”
- “Does the value (risk reduction) outweigh the cost (money and human capital)?”
While valid and helpful questions to ask and receive answers to, perhaps these are the wrong questions. This article will address the question posed in the title: Is cybersecurity nothing more than a costly annoyance that we might have to do, or could it become a differentiating competitive advantage for our organization?
I’m going to attempt to answer this important question through two contrasting stories of two very different executives, the choices they made, and how they engaged on this topic for their company. Both executives are fictitious, but they were also molded like clay from real leaders’ experiences and true stories. If you find yourself self-identifying with one of the examples, rest assured that there are many others acting and thinking exactly like you. As much as you might not like to hear it, you are not all that unique on this topic and have a lot you could learn from one another.
Meet Jeremy and Michelle. They are both CEOs and executives for large and growing companies. They are both revered as innovative thinkers with likable charisma, sharp memories, and the ability to drop in and analyze a situation while providing clear and important decisions.
Jeremy Dushant – CEO of BrightSwan Medical Devices
Jeremy Dushant is the CEO of a specialized medical device manufacturer that focuses on digitally connected IV pumps and biometric monitors for hospitals. He has risen up the ranks in this organization and similar companies over the last 30 years. He was a mechanical engineer at the start of his career with an MBA from one of the nation’s top business schools. He prides himself on being able to roll up his sleeves, assess and solve issues amongst his team. This is the engineer in him. He would often sleep overnight outside of the R&D design lab after tackling a problem. Various leaders and team members debated whether this was always as helpful as perceived. Those that were willing and able to successfully challenge his thinking or ideas would sometimes come up with some amazing solutions. Those that couldn’t or wouldn’t steered clear of any confrontation, supported as they could, and hoped for the best.
While Jeremy prided himself on “diving in”, as the CEO, his time was very limited, so he had to choose where he used this approach. Cybersecurity was a topic he knew was important, as he had to help discuss it bi-annually with the board. However, Jeremy found the topic to be dry and uninspiring. As a manufacturer, there were thousands (tens of thousands) of vulnerabilities and so much technology to upkeep.
After a near-miss incident, Jeremy brought in the company’s first CISO (Chief Information Security Officer), Brian. Brian was super smart and super technical. Jeremy had been involved in interviews and liked his similar engineering background and approach to driving deep analysis and making data-based decisions. Brian had come from a smaller organization and had led security for the past three years at his prior company. Jeremy positioned Brian under the CIO (Sandy) because he didn’t want technology agendas competing and knew most of the vulnerabilities sat with IT. As they say, he wanted “one neck to choke.”
For the last three years, Brian had been given a budget that was nearly five times what the company had been spending on cybersecurity prior. The strategy prioritized a massive investment in state-of-the-art cyber tools and technology and had been crafted in partnership with a leading Big 4 firm, and a 3-year roadmap had been approved by the executive team and the board.
The cyber team had been hard at work implementing everything, and trade-offs were made to make sure the agenda had the right leadership, funding, and internal/external resourcing. Jeremy had stayed engaged through quarterly executive team reviews and had held everyone accountable to hit dates and expectations. Results were measured in capabilities deployed against prioritized targets.
Three years later, during the business plan, Brian and Sandy presented the annual budget, and Jeremy was stunned. “Brian and Sandy, we’ve just spent a massive investment over the last few years, and you are asking us for another capital investment for technology upgrades. When will we be done?” Jeremy asked with frustration showing in his tone.
Brian started to pull up a diagram reflecting the roadmap and tech stack, but Sandy jumped in, “Jeremy, as you know, the technology landscape is different now. We are dealing with the unexpected surge in generative AI and more use of the cloud. We need our APIs to be more cross-compatible because of our hospital customers’ divergent tech. Part of the funding request is to develop some backbone IT technology that will enable these capabilities but more securely. If our platforms are modernized, security will be enhanced further than what is possible today.”
Brian abandoned his PowerPoint search, knowing his window to be heard was closing fast, “In addition to that, for the last few years, we have invested heavily in detect and respond capabilities, but we are still somewhat behind in some of the key areas of protective focus like Privileged Access and Identity. These will be critical to enabling Zero Trust.”
Jeremy closed his eyes for a brief moment to think. As the team awaited his thoughts, the seconds felt like hours. Once his thoughts were collected, he said, “Team, I understand that all these things are important, and I somewhat understand the concepts around Zero Trust. However, I feel like we are shooting at a moving target with these tech investments. For example, why did we spend $20m on an in-house SIEM just to learn that it would have trouble integrating with our expanded cloud-first strategy? And I get that detecting anomalous activity on endpoints and users can help us stop bad stuff, but does our workforce even understand the role they play in helping protect the company? I’m not sure if the online training and quarterly phishing exercises are helping anything other than people being afraid to click links. Also, how can what we have been doing help prevent last month’s issue with our external law firm from being compromised and directly impacting us? How much coverage do all these tools we implemented really have anyway?”
Jeremy took a long dramatic pause and then concluded, “I’m going to need answers to these questions before I even consider this additional funding ask. I also hesitate to add more budget when almost every other area has been flat or reduced budget since the pandemic.”
Sandy jumped in to say, “Jeremy, we understand. Allow Brian and me a few days to pull together thoughts, and can we come back to you early next week with our analysis and answers?”
Jeremy, mostly unsatisfied, said, “I suppose. We need to have this by Wednesday at the latest.”
Sandy and Brian left the executive conference room in a hurry. Both separately texted their lead consulting partner to ask for time to get outside perspectives on a quick turnaround. They either needed to refine their story or abandon the direction and try another.
Scenario Recap: Wow, Sandy and Brian had done a lot of work over the last few years, with no shortage of significant overtime and family time sacrificed. Unfortunately, this situation is all too typical. Jeremy, the CEO, was supportive but not engaged. The team had taken a tool-focused approach, investing in state-of-the-art technology elements (at the time) without focusing on the business aspects of cybersecurity. They hadn’t dialed in focus on what was most critical to protect, how to holistically protect it (across people, process, and technology), or how to truly measure progress from a risk reduction standpoint as the program evolved.
Further, they had stated a maturity goal and hit it in three years, but they had not contemplated that most of their tooling was not at scale and that the processes around the tooling were not setting them up to be very successful or efficient. So where could they go from here beyond the messaging of “the technology landscape has changed, and our tech needs to change with it”?
Michelle Smith – CEO of FutureFirst Pharma
Michelle Smith is the CEO of FutureFirst Pharma, an innovative R&D pharmaceutical lab and clinical research organization (CRO). Michelle had come in prior to taking the company public several years ago after the first successful product launch. Being a specialized R&D lab environment, as well as having a line of business focused on conducting clinical trials for both this company and other pharmaceutical companies, meant that cyber risk existed for pharmaceutical customers and the patients of the clinical studies, and that the company’s intellectual property needed protection from unethical competitors, ex-employees, or “patent trolls” looking to win lawsuits.
Michelle had been through a cybersecurity breach at her prior company, so her education was formed through “trial by fire.” She knew that her approach at her next company (FutureFirst) needed to be less reactive, more measurable, and more business-enabling. She first set out to hire a CISO that understood the business the company was in and was able to perform at levels broader than technology. Technology was important, but for Michelle to help craft the cyber risk capabilities into a differentiated competitive advantage, the workforce would need to be engaged and inspired, and the processes and capabilities across the cyber program would need to be simple and unimposing. She hired a prior colleague, Devin, who had worked for her at a prior company. He subsequently had a couple of different roles in building and enhancing cyber programs. Along with Devin, she brought in a leader from a firm that focuses on process development/design thinking, change management, and user experience (UX).
Devin was a seasoned leader and was not shy about saying that technology is great but is grossly overvalued in cyber programs and dominates too much time and energy. He liked where Michelle wanted to take FutureFirst and was excited to be part of it. He made sure that he would report to Michelle because he had had one too many experiences reporting to leaders in between who had competing agendas and whose words and actions didn’t match. When Devin asked this of Michelle, she proclaimed, “Devin, I wouldn’t have it any other way!”
Michelle and Devin got to work slightly before Devin’s first day. Devin believed he understood what Michelle’s vision and approach were but had a few assumptions that he had jotted down to cover over coffee.
- Key goals are to reduce risk and make cyber a competitive advantage for FutureFirst Pharma.
- Engage and inspire the workforce to know their role and focus on protecting what matters most.
- Understand the full ecosystem of protection (within our company and throughout the supply chain) – and apply right-sized efforts based on risk.
- Rationalize technology to be fit-for-purpose and balanced between platform plays and “best in class.” Don’t implement anything we cannot support and scale effectively.
- Provide a streamlined user experience so that doing the right thing to protect FFP is easy and sustainable.
- Ensure the processes supporting technology, people, and policies are clear, scalable, and sustainable.
Devin went through the 5 points and asked Michelle if he had captured them accurately. Michelle smiled and said, “Not only did you capture them, but you have also enhanced them. You nailed it! If we can achieve these, we won’t be reactively chasing our tails and playing three-card monte with tech investments.”
Devin was pleased with his alignment with Michelle and her positive reinforcement even before starting his first day. He went to work early on coaching his existing team and bringing in additional help, recruiting for new internal roles as well as bringing in external support from a team of practitioners that had helped accomplish similar journeys within the industry.
Year one was all about standing up the basics: foundational processes and technology. Everything that was set out to be accomplished was measurable by design. What was going to be done with each process or tool (from a value and risk standpoint) was intentional. This didn’t entail predictive analytics of how much money could have been lost without the project or tool; it meant stating which specific risks the capability mitigated, what critical goals it enabled, and what scale it had currently reached.
Devin also focused on a workforce-facing cyber program which was geared to ensure expectations were clear and the workforce was actively engaged and inspired to help. The company hosted design thinking sessions to evaluate employee experiences and make them better by simplifying and enhancing processes, tools, and knowledge.
Michelle played a key role in sponsoring and even participating in the business risk mapping project, in which Devin and the team worked with each division of the company to evaluate what information and critical operations would most impact the company if compromised. Michelle made sure that each functional leader owned the final output for their part of the organization. If the senior leader didn’t own and support what was deemed to be critical, there was no way anyone could expect their employees to support it.
Once they had the business risk mapping, they were able to stratify critical systems, business processes, and third parties. This enabled them to deploy additional controls to what mattered most and take some more risk on what did not. Specific to third parties, the team prioritized similarly, but really focused on process streamlining, being clear with suppliers about what was required of them, and using combinations of both human and digital risk/threat assessments to further reduce risk.
Michelle and Devin were in lockstep that throughout the life of the program, they wouldn’t talk about specific tools and technology investments with the board. Rather, they would talk about capabilities, business risks being reduced, and the scale of focus. After all, the tools were an important means to an end from a risk reduction standpoint. Devin and Michelle knew it was too easy to get everyone enamored with tools and turning things on and lose sight of the processes, people, and scale required to accomplish the specific business risk reduction goals. They both knew firsthand that trying to get more money for a tool upgrade or swap-out, or money to progress the implementation of something that was declared a success last year, was an uphill battle – especially when the budget was tight.
In year 3 of their program, the request for their next phase was clear: increase scale to business areas not yet prioritized, deepen capabilities for new or evolved business risks and threats, and continue to enhance business processes and workforce engagement on key priorities.
Most importantly, Michelle turned the approach and story of the program into a Consumer and Partner Trust program that showcased the differentiated approach FutureFirst Pharma was taking to protect clinical trial patients, pharma customer data, and the intellectual property of the company. This ultimately led to enhanced deals with customers as well as internal savings, because the team had made it so much easier to do the right thing versus the workforce viewing security as a burden.
Michelle didn’t feel like she was less engaged than her last company from a time or effort standpoint. It was just more proactive and business-enabling. She shared her story with as many people as would listen because it not only furthered the competitive advantage positioning, it helped other leaders to dispel their own personal myth that cybersecurity was a topic only for the technical propeller-heads.
Scenario Recap: This much happier path scenario was made possible mainly by two people who formed a successful internal partnership to defy the norm of how to approach cybersecurity. By thinking beyond the tech/tool-first approach and setting a mutually intentional strategy between CISO and CEO that cyber would be business-enabling and competitively differentiating, the pair were able to bypass many of the pitfalls of typical cyber programs and make a difference for their organization. By focusing on what’s most important from a business risk standpoint, focusing heavily on the workforce experience and making things easy, and making everything measurable against the critical goals, they were able to gain and maintain support to improve and keep improving FutureFirst Pharma without adding pain and overhead.
Regardless of whether you see yourself, your boss, or your boss’ boss in the first example, the second, or some mix of the two, there is hope!
We at Reveal Risk would love to have a brief 30-minute chat with you to evaluate whether a roadmap to pivot your approach to cybersecurity success could help you achieve better outcomes. Our depth of experience goes well beyond consulting and services, as our entire leadership team has diverse practitioner experience accomplishing cyber risk reduction success in a variety of environments and company cultures. To set up a discussion, please complete the attached contact form, and a team member will reach out to connect!