It’s 4:30 pm on a beautiful Friday afternoon, after several difficult weeks establishing a new research and development facility, and more than a year’s intense effort on one of the most technically demanding projects of my career… I am the last one left, and the floor is filthy after construction and moving. In our R&D process, contaminants and apathy are the enemy. It needs to be swept and mopped by someone, and my wife has planned tennis and sushi to start the weekend. Six hours earlier, I discussed the challenges transformational leaders face within their business organizations against cybersecurity threats with one of the world’s top management consulting firms. Leaders must drive their organizations to more secure future states, not simply choose another round of failing security products and services.
Remembering my own words, I smiled as I stepped away from the door and towards the dirty floor. Transforming an organization is one of the hardest challenges any leader can undertake…it’s often thankless and requires you to do what others often simply will not do. The journey away from cyber insecurity requires leaders to recognize this vital need as a strategic imperative, and then step towards the hard work. The journey towards cybersecurity is harder and messier than you may think, but success is rooted in embracing the fundamentals: People, Process, and Technology.
World-class leaders lead world-class organizations through complexity to address vital business needs. Your partners in navigating this immense challenge should deliver something more than products and services. There must be a better solution than accepting incoherent products and services with rapidly declining odds of success over time. Network security integrated into a comprehensive organizational risk management plan, championed by the CEO, and led by the C-Suite serves as a strategic roadmap to achieve and maintain a secure and resilient digital infrastructure as your company delivers its world-class brand promise. The development of a comprehensive and fully integrated corporate cybersecurity strategy for compliance, prevention, detection, mitigation, and remediation of cyber threats extends beyond the network enterprise. Digital security, strength, and resilience are an organizational journey.
The immense challenge corporate organizations face is the ubiquitous presence of digital technologies and their persistent vulnerabilities across an organization. Cybersecurity isn’t one system of appliances and features; it is a system of systems providing support, awareness, security, and resilience to the entire company against a wide spectrum of threats. Cybersecurity is a corporate strategic imperative serving as a foundation for people, products, processes, and technologies to function in support of your customers, shareholders, and investors. The CEO is the one person entirely responsible for EVERYTHING the company does and fails to do. He or she is responsible for ALL the people, ALL the processes, and ultimately ALL the technologies required for the company to remain profitable and endure. Strong and resilient cybersecurity relies on the CEO’s recognition of this looming threat, unflinching leadership, and the determination to tame the complexity of this digital interdependence. Great leaders need help to understand the threat, develop a comprehensive organizational strategy, prioritize their risks, and prioritize their resources in order to move towards a more secure future state. It is a process of continuous improvement. Cybersecurity allows your company’s purpose to endure beyond a growing existential threat… It’s not if, but when.
1) People matter most: How many brooms, dust pans, and mop buckets will you purchase in order to keep your organization cleaned and maintained? The organization must understand the need and share the will for the fundamentals to manifest successful real outcomes. Brooms and mops do not clean by themselves. Digital security, like cleanliness, is strongly rooted in shared culture. No magical technologies can replace a strong security-minded corporate culture. It’s easy for everyone from the Chief Information Security Officer to the entry-level worker to be overwhelmed by the immensity of the challenges, complexity, and winding path away from cyber insecurity. An over-reliance on security technologies and a reluctance to rely on your people to make the critical difference is the failing strategy your attackers expect. A comprehensive cybersecurity plan incorporates compliance requirements at the industry, state, and federal levels. The plan acts as a roadmap for organizing, training, and educating employees, so everyone understands their critical role in maintaining a secure digital infrastructure, safekeeping customer data, and guarding the company from a broad spectrum of threats. Training, education, and professional development are essential pillars within this strategic imperative. Investments in human capital complement your technology choices, and both reinforce one another against agile threats.
Cybersecurity as a journey begins with a cyber organizational risk assessment.
A meaningful roadmap is far easier briefed than executed…because the ubiquitous presence of digital information systems crosses every corporate organizational diagram, the lines of authority, responsibility, and accountability can be blurred, and organizations need to work together to reduce uncertainty and ambiguity. Much like an accounting audit, a cyber audit traces the relationships between people, processes, and technologies and develops a functional relationship matrix between people, processes, hardware, and software. A cybersecurity risk assessment is developed unique to the organization, products, markets, logical and physical infrastructure, threat profile, attack surface, and employee behaviors. Everyone in the company has to understand the fundamentals, because it’s vital that everyone contributes towards the future state of stronger digital security. Leaders need to support an environment which encourages stakeholders AND users to openly discuss concerns, disputes, and conflicts, because enduring solutions reside on the other side of uncertainty, ambiguity, and conflict. It may take time to trace, reveal, and develop a constructive dialogue as stakeholders navigate through conflict. The harsh reality is that criminals, hacktivists, foreign nations, unscrupulous competitors, and toxic insiders will take the time to search, discover, and exploit the vulnerabilities weak management teams may try to ignore in an effort to reduce organizational conflict. Not surprisingly, persistent vulnerabilities on networks often transcend hardware and software…people matter most. Cybersecurity as a strategic imperative requires a unique team of skillsets crossing multiple disciplines with their full-time focus and CEO/C-Level support. Yet they must maintain the humility and empathy to earn the respect of everyone they engage. They must consider the legacy investment in technology, and the sweat equity invested across the organization to fight the good fight.
A cross-disciplinary team must also be invested in the outcome so strongly that it COMPELS them to persevere through the significant challenges ahead as they work to gain trust and momentum, manage conflict, and drive towards progress in full partnership with the client organization. Success is hard earned and even magical when ownership, expertise, and implementation transition away from the specially selected team to those who live and breathe it every day.
Transformational Leadership: Style of leadership in which the leader identifies the needed change, creates a vision to guide the change through inspiration, and executes the change with the commitment of the members of the group.
Lessons learned from organizations that endure ERP implementation testify to the many different facets of the organization which are vital to successful enterprise-wide technology implementation. At its most basic level, just as ERP supports order fulfillment, cybersecurity functions as the digital nervous system and immune system of today’s companies. There’s nothing fun about change in one’s self or seeing the need for change in your organization. People buy into change for the outcome, not the process, but they have to understand the value of doing both. There must be a compelling sense of the importance of digital network security moving beyond complex passwords and avoiding spear phishing. Cybersecurity is a pillar of success in today’s economy. Each portion of the organization may perceive their need and their interest differently, but sharing the common “angst” is essential in effectively mobilizing the entire organization to embrace the changes needed to strengthen the company.
2) Process Reinforces Outcome: Leading this effort is tough. The bad news: next year’s products and services are an illusion of greater security. The good news: genuine digital security and resilience are a journey that can transform the company into a much stronger and better integrated organization. Cybersecurity can be the catalyst driving organizational transformation towards stronger performance in a more competitive landscape. …Vertical integration, from top to bottom. Horizontal integration, from leader to leader, employee to employee. The digital domain serves as the backbone to almost all essential services within and outside the company: communication, sales, production, supply chain management, personnel, product development, and on and on. Tracing your corporate processes and policies against an entangled web of support software and hardware to better understand interoperability, compatibility, data sharing, backup resources, and known vulnerabilities can be an invaluable process. Out of necessity, most companies band-aid growth by cutting and pasting, and then adding, and then adding even more software and hardware under the duress of ongoing corporate operations. Untangling these technologies from processes and policies allows leaders to “rethink” how and why tasks are executed. Often legacy processes encircle long-forgotten constraints, which may not, or should not, encumber future methods. A cyber risk assessment team can broker process mapping discussions between those that support (IT) and those organizations that execute, as they work together to drive towards cleaner solutions. Cleaner and simpler solutions encourage both teams to actively evaluate need, value, and risk within their hardware and software support, based on smarter policies and processes. Aggressively engaging legacy processes often reduces the dependence on legacy software, and can dramatically change the cyber threat profile and attack surface.
3) Technology, Cyber Defense in Depth: Your adversaries are agile, persistent, and patient. Their goals vary in the depth of damage they desire to cause, their expertise, and their resources, but they are a growing existential threat to your customers’, shareholders’, and investors’ confidence. Technology often obscures relationships and processes, and leaves people with a false sense of its voodoo-like ability to address security issues and solve problems. A comprehensive cyber strategy must reconcile your adversaries’ strengths and weaknesses against the existing corporate reality, candidly assess the risks, resources, and expertise available, and then develop an effective roadmap within the given priorities and constraints. Driving the integration of digital defense technologies and methods within a single corporate stovepipe is particularly difficult and ineffective because in reality these systems touch almost every segment of a corporate organization. The ripple effects of unintended consequences are often BOTH the cause and effect of technologies’ tragic limitations. Typically, policy and process further exacerbate vulnerabilities and weaken layered defenses. A full evaluation of an organization’s legacy technologies’ capabilities and limitations, juxtaposed against prevalent threats and then contrasted against current IT procedures, company policies, and processes, can be an eye-opening revelation for a senior management team. Presented in totality, however, leaders see the risks created through hodgepodge decision making, drop-in technology solutions, and “make it happen” changes to corporate policies and procedures.
Moving away from a “See No Evil” cybersecurity strategy can be stark, but NOT MOVING from a “See No Evil” strategy is unforgiving and, in today’s climate, likely career-ending, a major financial risk, and persistently haunts the minds of those who matter, namely your customers, shareholders, and investors.
Reconciling technology, processes, and policies drives leaders to be PROACTIVE and make deliberate choices in their cybersecurity risk profile, resource allocation, and technology choices. Technology alone will not save your company, but layered technologies combined with vigilant and dedicated people, supported by smart policies and procedures, can transform your company from victim to victor.
In the end, the threat is glaring, and the excuses are few…. Leadership calls you to recognize the need, embrace the hard work, and lead by example…don’t forget to sweep before you mop.