- “He who has superiors and subordinates who want the same thing, wins.” (Chinese General Sun-ce)
But then on a formal-logical basis:
- “Those whose superiors and subordinates do not want the same thing, lose.” (GéPé Hungarian blogger)
And finally:
- “A superior can only want what a) he has already heard about, b) he has already realized that he has to want.” (GéPé Hungarian blogger)
But what is this brilliant (?) reflection doing in a cybersecurity blog post?!
The answer has to start a little further afield.
After years of continuously looking at the publications that cut into the profile of SeConSys, the last year – especially in the second half of the year – has seen a proliferation of articles on the role and responsibility of company and senior management (CEO, CISO, etc.) and boards of directors in cybersecurity, supporting their decisions in this direction.
Some of them (not exhaustive):
2020
- 5 Questions a CISO Should Ask About OT/ICS Cyber Security – Verve Industrial (Nem sokkal a SolarWinds/Orion incidens előtt publikálva)
- H1
- PowerPoint Presentation (deloitte.com)
- A CISO’s guide to discussing cybersecurity with the board – Help Net Security
- How boards can lead cybersecurity | McKinsey
- H2
- How much does a CEO or business leader need to know about cybersecurity? (eccouncil.org)
- Why Your CISO Should Report Directly To The CEO (forbes.com)
- Report: Boards Typically Updated On Cybersecurity Only After An Incident (chiefexecutive.net)
- Why CISOs Shouldn’t Report to CIOs in the C-Suite (securityintelligence.com)
- Boards Can Surmount The Cybersecurity ‘Intimidation Factor’: 10 Questions Directors Should Discuss With C-Suites (forbes.com)
2022
- A cybersecurity guide for board directors – The Corporate Governance Institute
- Boards, CISOs seek alignment on OT security challenges | Cybersecurity Dive
- Talk to the board, not just IT, about ransomware | Cybersecurity Dive
It seems that after the SolarWinds/Orion, Colonial Pipeline, etc. incidents, a little slowly – but then after the II. In the second half of the year, it really started to sink in that the prevention and handling of new challenges, which are enormous in both quantity and quality, is no longer the task and responsibility of IT security staff hidden deep in the organisational hierarchy, nor even “only” of the CISO, but
“largely” of the company management – and dedicatedly of the CEO.
First, let’s see what can happen when a company’s management does not rise to the occasion!
In 2017, an IT security expert from a software (!) company drew the attention of his company’s management to the company’s inadequate security level. The company’s management did not take the advice and the expert left the company.1,2 This company was SolarWinds, whose unsuspecting download of the Orion update, compromised by inadequate security measures, infected the systems of some 18,000 of their customers.
Well, the company management should have listened to the warning of their responsible staff member!
Although the management was warned, and therefore heard about the risk, they did not realise that they had to want to manage it. More broadly, superiors and subordinates did not want the same thing. And SolarWinds lost…
Such cases can be prevented, but only with openness on both sides:
-
“Subordinate” cyber security professionals must learn to think “boss”!They need to be able to succinctly present both the tasks to be done and the risks of not doing them, the potential financial and reputational damage!They must write and speak in such a way that what they have to say can reach the “specific receptors” of their competent bosses!
-
And “superiors” must trust their “subordinate” cyber security experts!They must be able to take messages from their competent experts!
And how can we make it more successful to ensure that critical signals from subordinates are received by their superiors?
By sensitisation, i.e. training.
And primarily on the part of the superiors.
The subordinate side has already been forced to send the “right messages”.
The superiors, on the other hand, need to transform their current, essentially profit-oriented thinking into profit AND security-oriented thinking!
They have to learn that in the current “new world”, inadequate security can cause reputational damage that can reduce profits enormously!
The right thinking, adapted to today’s challenges, can be taught and learned.
Otherwise, “those whose superiors and subordinates don’t want the same thing lose.”
1 SolarWinds Adviser Warned of Lax Security Years Before Hack – Bloomberg
2 SolarWinds missed early security warnings | Cybersecurity Dive
[32]
***
We welcome messages either agreeing or disagreeing with the above. For example, by responding to them in a new post, a substantive professional exchange of views could be initiated.