Why are cyber threats on top of every executive’s mind?

 Sharing a few thoughts on Cyber Security --- I was on the phone last week with a data visualization expert (and author) discussing visualization problem solving – basically, how to solve problems or at the least understand problems with pictures (i.e., drawing pictures). He asked a question about cyber security. He said “why is a cyber threat so scary? Isn’t it just another threat?” He is right. Cyber is another threat; just like an infectious disease, civil unrest, flood, power outage, fire, war, or an accident. We use common frameworks and capabilities for threats such as command and control, situation awareness, threat intelligence, common operating picture, common ground, and so forth. However, each threat does have its unique characteristics we need to consider. I shared with him my thoughts on why cyber security is on the top of every executive’s mind. It comes down to five (5) characteristics of a cyber threat [mnemonic for the five (5) characteristics "is [w]ild":

1. Intentional
2. Speed 
3. Interconnectedness
4. Location
5. Detectability

The first reason cyber threats are escalated (emotionally, financially, cognitively) is because they are intentional. With intentional threats, the threat actor seeks to ensure the attack’s success and maximize damage. It is a thinking threat, adaptable, unlike natural or accidental threats. Innately, humans are hypertensive to threats that desire to cause harm – someone is trying to hurt me. Additionally, intentional threats are reputational sensitive. They can quickly turn public. We tend to be more relaxed when it comes to natural threats. We refer to them as Acts of God or Mother Nature, as if we have no control over these types of threats. Accidental threats get categorized in the health safety environmental bucket.

Second reason is speed. Cyber threats can move at the speed of light. Typically, you don’t warm up to (as in union strike) or have warning (as in hurricane) before you find yourself in a crisis situation. Cyber threats can blindside you. It is not a physical building that requires repair. Understanding the time element is essential in successful managing crises. Executives do not like (and rightfully so) to be caught off guard or events with short fuses. These attributes increase the complexity of the threat.

Third reason is interconnectedness. The digital environment is built on connections and interdependences. The speed and density of our digital connectedness makes it extremely hard to related cause and effect and almost impossible to see cascading effects. A cyber threat can come from anywhere and anyone. It is a double edge sword. The more connected and collaborative we are in the business world enhances our business capabilities. Unfortunately, it also opens the field up for more threats.

Fourth reason is location. Most other threats can be quarantined by space (i.e., proximity) and time (i.e., how quickly impact occurs). Hurricane has a season in addition to a defined geographical space and time. A cyber threat sits in an electronic location and can be global in nature.

The fifth reason is detectability. It can be difficult to detect cyber threats. We may be infected without knowing it. It could spread without knowledge of its effects. I found myself describing cyber threats like a cancer to my colleague. Just because you went in for a physical examination and received a clean bill-of-health doesn’t mean you don’t have cancer. It means the doctors didn’t find any evidence of cancer. If you catch cancer early, you are typically in a good position. If you catch cancer late (e.g., stage 4) you are in trouble.

Lootok is not a Cyber Security shop; however, we do work in the cyber arena with crisis management and communication, reporting (data visualization), training, and awareness. Our Creative Learning Technology Center works with CSOs and CISOs to enhance their awareness, communication, and training capabilities. A great example is from a CISO we know. He shared his thoughts on changing the organization’s culture to enhance its information security capabilities. He said, “Most of my problems are human and behavioral, not software or technology. If I could get the organization to live by these five (5) rules it would solve 80% of my cyber problems.” The five items he referred to are:

1. Don’t click on the link
2. Don’t go to bad websites
3. Protect it like you own it - protect your assets as if they were yours; that is, follow security policy for passwords, securing assets (e.g., don’t leave electronic device you of sight), update patches, and so forth
4. Trust no one – keep an honest person honest by making them follow the rules
5. If something is wrong or feels wrong tell us immediately – bad news is good news

Enhancing your cyber security capabilities requires changing and enhancing people’s mindsets, awareness, and behavior. This was a good discussion with my colleague that I thought should be shared.

Best - Sean