Why Getting Hacked Is Just What Your Organization Needs

Why do the CFO(Chief financial officer), COO(Chief operating officer, CIO(Chief information officer), and CRO(Chief risk officer) need to report to CISO(Chief information security officer), not the other way around?

“CEO: People: Are we ready for the launch?”

“CRO: Absolutely, we should see a bump of 35% in sales in the first quarter.”

“CFO: If we hold the 55% margin, our projections will be inline.”

“CIO: All systems are up and ready. We were over budget. However, it was unavoidable.”

“CEO: Anything Else.”

“CISO: We will most likely experience several cyber attacks within minutes after the product launch.”

“CEO: What??? Are you kidding me? I approved your budget personally. Now you are telling us we will be hacked?”

Every element of the dialog above speaks to the criticality of cybersecurity. The company’s decision to enter a new marketplace or develop a new product should revolve around the notion of if a new business venture will survive ongoing cyber-attacks. This threat vector can and will do more harm than any business competitor in the market.

While this may seem far-fetched, many of us could contest the authenticity of the dialog. In my last blog, I discussed why being “hacked should not be a reason for employee termination. Any organization’s cybersecurity posture is everyone’s responsibility, not just the SecOps, DevsecOps, and NetsecOps teams. When should the CISO be the ultimate decision authority regarding digital transformation, security investments, and business risk?

Old school thinking is still alive and reasonably today still considers cybersecurity insurance, and not everyone gets hacked. Now organizations are investing in actual cybersecurity insurance because of their past belief that security technology would protect them without any regard or understanding of cybersecurity risk. When the investment into more cybersecurity technology became a business decision, this is when organizations’ security posture began to fail. Even with the complex risk analysis tools, ongoing risk assessment, and threat modeling, organizations still have little grasp of their risk tolerance.

Having been a technology sales and engineer professional for 26 years, I have sat in several client meetings with finance people deciding the fate of a deal solely based on “ROI” or some form of financial justification. Gartner, IDC, and Forrester do an incredible job of collecting analytical data to help prove a solid “ROI” for cybersecurity. Even with compelling data, CFO’s and finance people often have to consider the organization’s needs and balance the growing demand for security over the available funds.

During the early days of Covid-19, many hospitals had to cut back on cybersecurity because several income streams, including elective surgeries, dropped dramatically. Even though many medical attack surfaces continued to be exposed, organizations did make the hard choice to cut back and eliminate SecOps, DevOps, and NetOps resources to reduce operational costs.

Most authors for years have written publicly about the need for the CISO to report to the CEO. I believe this change in cultural reporting continues to miss the point of solving the most significant problem in organizations today. Without a difference in the central decision-making process towards security first transformation focusing on cybersecurity concerns, many business initiatives will never reach their full potential.

Every change in organizations today revolves around two components; making money and business transformation. Organizations that do not innovate and adapt will not be around much longer. Digital transformation is this business climate’s mandate for growth, cost reductions, and greater operational efficiencies. To accomplish all of these mandates, technology is at the forefront. Technology innovation, artificial intelligence, machine learning, and DevOps culture have become critical digital transformation pillars. Yet, without security in the DNA, these projects face an uncertain future while failing to show the expected results. Because of operations and cybersecurity events, more digital transformation projects rarely meet or exceed their full potential.

Assume every element of a business, including financial forecasting, product development, operations, business development, and company evaluation, revolve around a secure environment. Why would the CISO not be the executive leader? A broad understanding of cybersecurity is needed for organizations to see the big-picture impact.

If, for a moment, the CFO, CRO, CIO, COO, and CMO all report to the CISO. Every financial decision, business operation, product development, go-to-market plan, and risk management posture decision rolled up to the CISO, would that make the organization more resilient?

Would projects reach their full potential? Would wasteful spending on legacy thinking be replaced with secure first initiatives? These could make a case for the CISO, not the CFO.

While many will disagree with this thinking, after witnessing several crushing cyber-attacks in my 26 years career, I will advocate for this new line of thinking.

After witnessing several organizations hacked, I believe that getting breached began a godsend for these companies. Seeing the early finger-pointing from financial teams to the operations people complaining that their processes are outdated and IT not having a say in the project sign-off, all of these fail to understand the true nature of the problem.

Security at the inception of any digital or business transformation ensured the initial survivability of a project along with creating updated operational processes that securely fit the business objective, not making a detection and response plan. These plans have run their course and continue to fail organizations while reducing outcomes expected by the organization.

Security First. Security Second and Security Last should be a new formula for success for every organization.

All the best,

John

Aubrey L. Morgan