The emergence of digital technologies has transformed just about every element of our lives. It has enabled countless new business models, reinvigorated entrepreneurial spirits and spurred the development of thousands of new products and services. There is no doubt that connected digital systems improve our lives.
But digitization has also created new vulnerabilities. Just ask senior executives of Home Depot, Target, Anthem, or JP Morgan about the risks of employing cyber systems to manage customer data. Each company had the records of tens of millions of its customers stolen. And it’s not just customer data that’s at risk. After Sony Pictures was hacked, confidential information about employees and production plans was posted online. The hackers also tried to intimidate the company’s sales channels when they posted a vague threat against theaters showing the movie The Interview.
Cyber risks can be much bigger than mere data or identity theft.
The same technologies that enable us to rapidly order an Uber or to instantaneously download the latest book by Michael Lewis can also empty our bank accounts or steal our identities. In short, cyber is a two-sided coin. About two years ago, Richard Danzig, former US Secretary of the Navy, delivered a speech he titled “Surviving on a Diet of Poisoned Fruit.” In it, he noted the very systems that enable wide scale collaboration and information sharing also allow for unprecedented intrusion. Cyber systems, he stated, both nourish and poison us.
Last week I had the opportunity to speak with and listen to retired four-star Air Force General Michael Hayden, former head of the Central Intelligence Agency and the National Security Agency, at an event organized by First Republic Bank in Boston. Hayden’s message: We don’t fully appreciate the magnitude of the transformation that cyber systems are enabling. But it’s urgent that we do, and that we do so rapidly.
Hayden suggested we treat cyber as an entirely new domain, just as the military has done. Doing so will allow corporate boardrooms and IT managers to focus on managing cyber risks more effectively. To help us rethink risk management in this new domain, Hayden pointed to the three primary factors driving risk: the threat environment, vulnerabilities in our defenses, and the consequences of an intrusion.
The threat level can be thought of as our level of participation in the cyber domain and the number and type of hackers who may want to inflict harm. If we had zero participation in the domain, we wouldn’t have any risk. But it’s not a binary consideration: A company’s HR systems, for instance, could digitally store all employee records except for social security numbers. And it’s also possible to track threat risk by understanding and monitoring likely attackers. In fact, some cyber security firms are beginning to offer such services.
Most of our cyber risk management efforts are targeted at minimizing vulnerabilities. Citing FireEye’s Kevin Mandia, Hayden noted that most of our efforts are focused on developing stronger defenses, firewalls and the like. And while worthwhile and generally effective, no amount of effort will ensure penetration-proof protection, he noted. The probability of hackers getting through cyber defenses will almost certainly be greater than zero for some time to come.
Minimizing the consequences of cyber attacks, however, is a big opportunity. It requires a company and its IT managers to be self-aware and focus, as Hayden noted, on resilience, response and recovery after an attack. Today, it often takes months for organizations to identify that an attack even took place. By focusing on rapidly identifying an intrusion and limiting its impact, organizations have the ability to greatly reduce the risk of catastrophic effects resulting from cyber attacks.
The stakes are simply too high for cyber risk management to not get the attention it deserves. Cyber attacks have the potential to generate massive destruction and widespread loss of life. Think I’m being overly dramatic? Think again.
We need to think about cyber risk management more broadly, as General Hayden recommends. Danzig had it right: We’re drinking a nourishing poison. And while we should obviously minimize threats and address vulnerabilities, the blunt reality is that some cyber attacks will be successful. So if we are to truly enjoy the nourishment digital systems provide, we had better not allow the poison to kill us.