In this blog, Admiral Mike Mullen, Chairman of the Board for ITC US and Former Chairman of the US Joint Chiefs of Staff for Presidents Bush and Obama, looks #BEYOND the now in cyber security, at the importance of leadership and the need for collaboration to tackle the speed of change.
When I was in uniform, I worked a lot with General Keith Alexander who was, at the time, the Director of the National Security Agency and Chief of the Central Security Service. Keith and I used to talk a lot about the speed of the Internet to be able to counter the enemy at speed.
Today, it’s not only the physical speed of the Internet but also our ability to adapt to the speed of change in the world that we operate in. A world where the enemy continues to advance, continues to change, continues to try to outsmart everything that we’re putting in place.
One thing’s for sure: The cyber security threat is an existential threat. It’s a central threat to our countries. It’s an existential threat to our businesses. It’s an existential threat to our way of life. And given that, do we really understand the risk?
Billions of entry points to defend
We are living in the digital age where virtually every type of cross-border business transaction now has a digital component. The possibilities for new relationships with customers and partners are endless – all thanks to technology.
But technological advancements can be a double-edged sword, bringing both opportunities and threats in equal measure. The more we connect to the outside world, the greater our risks become. Every time another device or capability is added within your business, you also add a vulnerability – of project failure, of a data breach, or worse.
We’ve gone from having between 50,000 and 500,000 endpoints in a corporate network to having millions or even tens of millions today with the advent of the Internet of Things (IoT). Whilst the number of endpoints has grown exponentially, many of the older devices are no longer adequately secured or maintained by their manufacturers, which poses significant risk when using them in your business environment today.
By 2030, it’s predicted that as many as 500 billion devices will be connected to the Internet worldwide, with many of them outside corporate control. Already smart cars and homes have been exploited by malware that can be used in distributed denial-of-service attacks, while billions of chips are at risk from Meltdown and Spectre weaknesses. These are just some of the risks that need to be considered and understood to protect ourselves and our businesses.
Supply chain and nation-state attacks intensify
Historically, nation-state actors directly targeted infrastructure, think tanks, and governments of other countries. Today, however, nation-state actors are expanding their objectives to pursue intellectual property theft and look for new ways to gain access to their targets through the third parties, software, and networks they rely upon.
Nation-states have become bolder in their attacks as evidenced by the Russian attack on SolarWinds. We have also seen attack tactics evolve from targeted, stealthy operations into opportunistic hacks for potential future uses, such as the attacks attributed to Hafnium.
Interestingly, nation-state attacks are not always highly complex attacks. The reality is that they can be far simpler in design. It’s perhaps no surprise that 95% of cyber security issues are traced back to human error.
This uptick may be due in part to COVID-19 and the shift to hybrid working – forcing core business services out onto the internet – making employees more accessible targets for hackers. Social engineering is the most common method used to break into business systems, taking advantage of human vulnerabilities and highlighting the human element of risk and the importance of cyber awareness.
The role of the C-suite and the questions to consider
C-suite involvement is critical. However, even though the topic of cyber security is increasingly prominent in the Boardroom, the question to really take note of is “how deeply does the C-suite understand what’s going on here?”
In my own Boardroom experience, it is only when leaders really understand the technology that the right decisions will be made with respect to hiring the right talent, resourcing correctly, defining the right policies, and understanding what the risks are over time.
By understanding the technological and risk landscape first, the C-suite will then be able to explore the various parameters necessary, including: How do we make decisions with respect to these risks? What are our principles, values, and beliefs with respect to cyber? How do we prioritise our data? How do we protect it? And how do we survive risk? – making security and resilience a strategic business issue.
Together is stronger
The cyber threat is seen as an existential one. Businesses and CEOs are taking it seriously with the savviest recognising that no single leader, or team, has the complete perspective needed for effective decision making when it comes to cyber security.
The reality is that the complexity of today’s world makes it difficult for any one group to manage the number and types of internal and external threats, the evolving technological landscape, and all the vulnerabilities across the cyber security trifecta: people, technology, and governance.
In my experience, the optimal approach for cyber security is a collaborative one – one that takes an enterprise-wide perspective that involves a collaborative way of working, inclusive of the teams of the chief information security officer (CISO), the chief information officer (CIO), and the chief risk officer (CRO), as well as the business units.
From a cross-industry perspective, changes across the broader security ecosystem are also necessary. This means embracing the philosophy of collective defence, which brings together a mix of business, technology, and government leaders to create an open and ongoing exchange of intelligence, and better collaboration between the public and private sectors, to fortify our business and government against this existential threat.
Former Defense Secretary, Bob Gates, recently stated that “Cyber is the most dangerous weapon in the world – politically, economically, and militarily.”
Collectively, better intelligence and stronger collaboration, driven by leadership across the public and private sectors, can lead to a safer digital world.