When the King heard his prize elephant was sick, he called in his three wisest counselors to provide advice. They all had multiple certifications from many elephant clinics across the land, and they were not shy about offering their strongly held opinions. The advisor from the Institute of Tusks and Trunks opined that clearly the trunk was infected and perhaps some sanitizing disinfectant (hydroxychloroquine, perhaps?) would help. The second advisor, from the Council of Animal Foot Fungi focused on the elephant’s oversized and darkened toenails, suggesting some radical surgery was in order. Finally, the fellow from the Academy of Acute Animal Acoustics addressed the floppy ear problem convinced the poor elephant couldn’t hear as evidenced by its inability to follow commands. The sad truth is that, even though the King followed the advice of each advisor quite scrupulously, the sick elephant died nevertheless, from a common cold that could have easily been treated, if only the counselors knew two very important things: a part of the elephant is not the whole elephant, and one must know all the ways an elephant can be ill in order to prevent illness and death.
Why is this old story a cyber parable? Because industry, for the most part, treats cyber security as a specific type of illness, for which specialty solutions must be found, rather than look at the organism, or company, as a whole creature with multiple, interacting parts. Note our wise men weren’t wrong, but their testing and detection were incomplete. They could not find all the places on the elephant where compromise and contagion needed to be contained, in part because, as trained specialists they naturally focused on the areas of susceptibility they were trained to detect.
Cyber security has a similar problem. Let’s look at the type of “wise men” that companies often call to treat their cyberproblems: CISOs, CITs/CTOs, Insurers, Regulators, and Cyber Security Vendors, to name just a few. To make matters more complicated, the King from our previous example is not unitary either: there are Boards of Directors, CEOs, C-suite managers, and heads of business unites and countries, who all may be responsible for hiring the wise men. What problem, exactly, is the latter group trying to solve? And if they are focused on fixing a problem, perhaps they have already missed the mark. The key to robust cyber health is to stay focused on the business goals of the enterprise, and determine a regimen involving regular check-ups, reinforcing the healthy precautionary behaviors that lead to vulnerability, either in a single place or of the company as a whole. A weakened, compromised body will eventually sicken and die, but in these cases the actual cause of death is less important than the fact that general cyber immunity was neglected. This holistic approach is the only approach that will consistently prevent a cybercompromise of the entire system. Anything short of this, and we are putting band-aids on systemic vulnerabilities.
Traditionally, CITs (Chiefs of Information Technology) or CTOs (Chief Technology Officers) were the first line of defense, when cyber security was thought to be “just” a technology problem. As technology has pervaded every aspect of a company’s existence, the CIT has too many responsibilities and demands to be able to address this type of vulnerability consistently. More to the point, however, he may not even have the language, or conceptual tools, to fully appreciate the problem. Similarly, with insurance professionals, regulators, and cyber security vendors: they know their world quite well and can speak to it expertly – but do they have the interest, ability, and will to address the whole organism in all its complexity. The answer is, usually not. To make matters worse, they are often financially incentivized to stay focused on their single, proprietary solution.
The CISO (Chief Information Security Officer) comes closest to understanding the whole cyber security threat. He or she should have the tools, the language, and the access to top management, in order to view the company-as-a-whole. There is an interesting parallel here in the field of medicine. The practice of medicine became so specialized that, in some hospitals, every single problem a patient had required a new specialist to treat it. Eventually, the role of “hospitalist” was necessary to bridge the input of multiple specialists without losing sight of the patient-as-a-whole. Their job, at least in part, was to ensure that the patient survived the treatments recommended by specialists. A critical part of the role required the ability to speak to patients, family, other doctors, and administrators to translate for all the players. Administrators wanted to know about treatment codes so they could bill, patients wanted to know what they could do to get better, family wanted to know when to get ready for the patient to come home, and the doctors wanted to know if their treatments were successful so they could go on to the next patient.
In businesses, there is more opportunity for alignment at the top. Boards are usually aligned with the CEO, who in turn ensures his C-suite is aligned to the corporate vision. This alignment enables a CISO to have line of sight with her CEO and Board, to ensure the company, from a holistic standpoint, is being treated properly. There is often a natural tension between the CISO and CIT, but this can be positive, an internal system of checks and balances to ensure the health of the company.
The broadest approach to cyberimmunity requires looking at the company as an organism. A piecemeal approach to cyber health, like the patient who only consults specialists but never visits the General Practitioner, will always be inadequate. A regular, general check-up, followed up by specialists if need be, is the only way to keep this organism healthy, and problem-free.