Much has been written regarding the importance of how companies deal with cyber threats. While most organizations have focused on the technical ramifications of avoiding being compromised, few have examined the need for senior management to make security a priority. This article discusses the salient issues that executives must address and how to develop a strategy to deal with the various types of cyber-attack that could devastate the reputation and revenues of any business or organization.
Historically, different types of cyber-attack have evolved, and the pace of these attacks on business entities has changed. Prior to 1990, few organizations except for government, the military, banks and credit-card companies were concerned with information security. In 1994, with the birth of the commercial Internet, higher volumes of attacks began to occur, and in 2001 the first nation-state-sponsored attacks emerged. These attacks resulted in the development of commercial firewalls and against malware from 1997. By 2013, however, attacks had reached greater levels of complexity, as shown for example in the Target credit card breach, the compromising of Home Depot’s payment system, and the exposure of data held by JP Morgan, which affected 76 million customers and seven million businesses. These events resulted in an escalation of fear, particularly of sabotage, theft of intellectual property, and stealing of money. Figure 1 shows the changing pace of cyber security.
The conventional wisdom among cyber experts is that no business can be compromise-proof. Leaders need to realize that there must be 1) other ways beyond merely developing new software to ward off attacks, and 2) internal and external strategies to deal with an attack when it occurs. These challenges in cyber-security management can be categorized into three fundamental areas:
- Learning how to educate and present to the Board of Directors;
- Creating new and evolving security cultures;
- Understanding what it means to be organizationally compromised.
Each of these components is summarized below.
TALKING TO THE BOARD
Board members need to understand the possibilities of cyber-attack exposures. For this, they certainly need regular communication from those executives responsible for protecting the organization. Seasoned security executives should articulate the positive processes that are in place, but without overstating their confidence, since there is always a risk of being compromised. C-level managers should refrain from hitting the panic button unnecessarily and scaring the Board. Fear only results in a lack of confidence in an organization’s leadership. The most important thing is to always relate security to business objectives and above all avoid “tech” terms. Another important area of discussion is how third-party vendors are being managed. Very many breaches have been caused by a lack of oversight of legacy applications that are controlled by third-party vendors. Finally, managers should always compare their company’s state of security with that of its top competitors.
ESTABLISHING A SECURITY CULTURE
Exposure to a cyber-attack often results from careless behaviour among an organization’s employees. The first step to avoid such behaviour is to have regular communication with staff and establish a set of best practices that will clearly protect the business. However, mandating conformance is difficult and research has consistently supported that evolutionary culture change is best accomplished through relationship-building, leadership by influence as opposed to power-centralized management, and ultimately a leadership presence at most staff meetings. Individual leadership remains the most important variable when transforming the behaviours and practices of any organization.
UNDERSTANDING WHAT IT MEANS TO BE COMPROMISED
Every organization should have a plan of what to do when security is breached. The first step in the plan is to develop a “risk” culture. In simple terms, what this means is that an organization cannot maximize protection of all parts of its systems equally. Therefore, some parts of a company’s system might be more protected against cyber-attacks than others. For example, organizations should maximize the protection of key scientific and technical data first. Control of network access will likely vary depending on the type of exposure that might result from a breach. Another approach is to develop consistent best practices among all contractors and suppliers and to track the movement of these third parties (e.g., if they are merged/sold, disrupted in service, or even breached indirectly). Finally, technology executives should pay close attention to cloud computing choices and develop ongoing reviews of possible threats from within these third-party service architectures.
Figure 1: The Changing Pace of Cyber Security. – Source: Russell Reynolds Associates 2014 Presentation.
CYBER-SECURITY DYNAMISM AND RESPONSIVE ORGANIZATIONAL DYNAMISM
Dynamism is defined as a process or mechanism responsible for the development or motion of a system. Langer (2011, 2013) introduced technology to this concept, defining “Technology Dynamism” as “the unpredictable and accelerated ways in which technology, specifically, can change organizational behavior and culture” (2010, p. 44). Thus, technology dynamism is a process based on the acceleration of events and interactions within organizations, which in turn creates the need to better empower individuals and departments. Another way of understanding technology dynamism is to think of it as an internal drive recognized by the symptoms it produces. The new events and interactions that emerge in response to cyber-security threats are symptoms of the dynamism that the digital world manifests, or “cyber dynamism”.
Cyber-security dynamism at work in organizations has the power to disrupt any antecedent sense of comfortable equilibrium or unwelcome stasis. It also upsets the balance among the various factors and relationships that pertain to the questions of how new technologies might be integrated into the business – what Langer called strategic integration – and how the cultural changes they bring about can be assimilated organizationally – what he called cultural assimilation. Managing cyber dynamism is therefore a way of managing the negative effects of a particular technology threat. Langer proposed that these organizational ripples, i.e., precipitous events and interactions, should be addressed in specific ways and at the organizational level. These sets of integrative responses to the challenges raised by technology represent what Langer called responsive organizational dynamism (ROD). As stated above, strategic integration and cultural assimilation are two distinct categories that become relevant in responding to cyber dynamism. Figure 2 shows the components of ROD.
Figure 2: Responsive Organizational Dynamism. – Source: Langer (2011).
Strategic integration is a process that firms need to use to address the impact of cyber-attacks on their organizational processes. That is to say, the strategic impact of technology requires immediate organizational responses and in many instances zero latency. Strategic integration therefore is the concept of recognizing the need to scale resources across traditional geographic boundaries, redefining the value-chain in the life cycle of a product or service line, and generally fostering more agile business processes (Murphy, 2002). It is a way to address the need to change business processes in response to new cyber threats to ensure that the business is not disrupted, and in most cases continues to operate and survive.
Cyber dynamism via the process of strategic integration can be complicated by so-called “factors of multiplicity” – essentially what happens when several new cyber-attacks overlap and create a myriad of problems in various phases of an organization’s operations. Cyber-attacks can also affect consumer confidence, which in turn hurts a business’s ability to attract new orders. Furthermore, the problem can be compounded by reduction in productivity, which can be difficult to track and to represent to management. Thus, it is important that organizations find ways to develop strategies to deal with cyber threats, responding for example to the following questions:
- How to reduce cyber-attack occurrences by instituting aggressive organization structures that review existing exposures in systems;
- What new threats exist which may require ongoing research and collaborations with third-party strategic alliances;
- What new processes might be needed to combat new cyber dynamism based on new threat capabilities;
- How to create systems architectures that can recover when a cyber breach occurs.
In order to realize these objectives, executives must be able to:
- Create dynamic internal processes that can function on a daily basis to deal with understanding the potential fit of new cyber-attacks and their overall impact on local departments within the business, that is, providing for change at the grassroots level of the organization;
- Monitor cyber-risk investments and determine modifications to the current life cycle of idea-to-reality;
- Address the weaknesses in the organization in terms of dealing with new threats should they occur and how to better protect the key business operations;
- Provide a mechanism that both enables the organization to deal with accelerated change caused by cyber threats and integrates them into a new cycle of processing and handling change;
- Establish an integrated approach that ties cyber-risk accountability to other measurable outcomes integrating acceptable methods of the organization.
The combination of evolving cyber threats with accelerated and changing consumer demands has led to a business revolution best defined by the imperative of the strategic integration component of ROD. The changing and accelerated way businesses deal with their consumers and vendors requires a new strategic integration to become a reality, rather than remaining a concept. Without action directed towards new strategic integration focused on cyber security, organizations will lose competitive advantage, which will ultimately affect profits. Most experts see possible breaches from cyber-attacks as the mechanism that will ultimately require integrated business processes to be realigned, thus providing value to consumers and modifying the customer/vendor relationship. The driving force behind this realignment emanates from cyber dynamism, which serves as the principle accelerator of the change in transactions across all businesses.
Thus, strategic integration represents the objective of dealing with emerging digital technologies on a regular basis. It is an outcome of ROD, and it requires organizations to deal with a variable, which forces acceleration of decisions in an unpredictable fashion. Strategic integration will require staff to realign the ways in which they perform decision-making tasks. Most companies find that implementing strategic integration is challenging because of the limited skills of their current employees. Getting these individuals to embrace new processes is problematic.
Cultural assimilation is a process that addresses the internal organizational aspects of how technology is organized, including the role of the IT department and how technology is integrated within the organization as a whole. As discussed earlier, the inherent contemporary reality of cyber dynamism is not limited only to strategic issues, but also embraces cultural change. This reality requires that organizations address all aspects of the business. This can foster a more interactive culture, as opposed to one that is regimented and linear, as is too often the case. An interactive culture is one that can respond to emerging cyber-attacks in an optimally informed way, and that understands their potential impact on business performance and reputation.
The kind of cultural assimilation elicited by cyber dynamism and formalized in ROD is divided into two subcategories: the study of how the organization relates to and communicates with “others”, and the actual displacement or movement of traditional staff from an isolated “core” structure to a firm-wide, integrated framework.
The acceleration factors of cyber-attacks require more dynamic activity within and among departments, which cannot be accomplished through discrete communications between groups. Instead, the need for diverse groups to engage in more integrated discourse and to share varying levels of cyber-security knowledge as well as business-end perspectives requires new organizational structures that will give rise to a new and evolving business social culture. Indeed, the need to assimilate technology creates a transformative effect on organizational cultures in the way they are formed and reformed.
In order to facilitate cultural assimilation, organizations must make their staff more comfortable with the digital world. The first question becomes one of finding the best structure to support a broad assimilation of knowledge about any given cyber threat; the second is about how that knowledge can best be utilized by the organization. There is a pitfall in attempting to find a “standard” organizational structure that will address the cultural assimilation of the cyber-threat world and its associated complexities. Sampler’s research and Langer’s studies with chief executives confirm that no such standard structure exists (Sampler, 1996). Organizations must find their own unique blend of new organizational constructs that can cope with unprecedented cyber dynamism. The digital age requires staff that can “sense” cyber-threat exposure and “respond” quickly, but such exposure is a foreign concept for legacy staff. The question, then, is where organizations can find staff that are more accustomed to a digital world and are more “change”-oriented. Thus, it is more important to design a process of assimilation of older and younger staff than to try to transplant the structure itself.
Today, many departments still operate within “silos” where they are unable to meet the requirements of the dynamic and unpredictable new cyber-security environment. Traditional organizations do not often support the necessary communications to implement cultural assimilation across business units. However, business managers can no longer make decisions without considering cyber security, and will always find themselves needing to include cyber staff in their decision-making processes. Cyber assimilation becomes mature when new cultures evolve synergistically, as opposed to multiple distinct cultures attempting to work in conjunction (partnership) with each other.
While many scholars and managers suggest the need to establish a specific entity responsible for cyber-security governance, one that is placed within the organization’s operating structure, such an approach creates a fundamental problem. That is it does not allow staff and managers the opportunity to assimilate cyber-security-driven change and understand how to design a culture that can operate under ROD. In other words, the issue of governance is misinterpreted as a problem of structural positioning or hierarchy, when it is really one of cultural assimilation. Thus, business solutions to cyber-security issues often lean towards the prescriptive instead of the analytical in addressing the real problem.
This article has made the argument that organizations need to excel in providing both strategic and cultural initiatives to reduce exposure to cyber threats and ultimate security breaches. Executives must design their workforce to meet the accelerated threats brought by cyber dynamism. Organizations today need to adapt their staff to operate under the auspices of Responsive Organizational Dynamism by creating processes that can determine the strategic exposure to emerging cyber threats and to establish a culture that is more “defence ready”. Most executives across industries recognize that cyber security has become one of the most powerful variables in maintaining and expanding company markets. ■
Langer, A. M. (2011). Information technology and organizational learning: Managing change through technology and education. CRC Press, Inc.
Langer, A. M., & Yorks, L. (2013). Strategic IT: Best Practices for Managers and Executives. John Wiley & Sons.
Murphy, T. (2002). Achieving business value from technology: a practical guide for today’s executive. John Wiley & Sons.
Sampler, J. L. (1996). ‘Exploring the Relationship between Information Technology and Organizational Structure’. In M. J. Earl (Ed.),
Information Management: The Organizational Dimension (pp. 107-123). New York, NY: Oxford University Press.
ABOUT THE AUTHOR
Dr Arthur M. Langer is the Director of the Center for Technology Management at Columbia University and is Vice Chair of Faculty and Executive Director of the Division of Innovation and Design in the School of Professional Studies. He also serves on the faculty of the Department of Organization and Leadership at the Graduate School of Education (Teachers College) and is an elected member of the Columbia University Faculty Senate. Dr Langer is the author of Strategic IT: Best Practices for Managers and Executives (2013 with Lyle Yorks), Guide to Software Development: Designing & Managing the Life Cycle (2012), Information Technology and Organizational Learning (2011), Analysis and Design of Information Systems (2007), Applied Ecommerce (2002), and The Art of Analysis (1997), and has published numerous articles and papers relating to service learning for underserved populations, IT organizational integration, mentoring and staff development. Dr Langer consults with corporations and universities on information technology, cyber security, staff development, management transformation, and curriculum development around the globe. Dr Langer is also the Chairman and Founder of Workforce Opportunity Services (www.wforce.org), a non-profit social venture that provides scholarships and careers to underserved populations around the world. Prior to joining the full-time faculty at Columbia University, Dr Langer was Executive Director of Computer Support Services at Coopers & Lybrand, General Manager and Partner of Software Plus, and President of Macco Software.
ABOUT THE REVIEW
The Cyber Security Review is uniquely positioned to draw on the combined knowledge, skills and expertise of the cyber security community to identify the emerging threats and facilitate the international community’s development of coherent policies and robust capabilities to protect cyberspace, improve security and enhance confidence in the resilience of the cyber-enabled world. For more information please visit: www.cybersecurity-review.com or view the latest edition here: https://issuu.com/deltabusinessmedialimited/docs/cyber_security_review_summer_2016_-?e=6269486/36907214