Cyber threats and cybercrimes have become daily news stories. These are the new realities of e- commerce. Ray Rothrock’s book, Digital Resilience: Is Your Company Ready for the Next Cyber Threat?, warns that busting your cybersecurity budget in pursuit of an impenetrable network to combat such events is the wrong approach.
Rothrock paints a frightening picture of how passively most C-suite executives address cybersecurity –– a firewall, some anti-malware software, and some regular email reminders from the department about not opening suspicious email attachments.
The author argues that this underestimation of the potential harm of a cyberattack is driven by financial mismanagement. Digital security costs don’t produce revenue, so many companies justify the lack of investment with a vague notion of responding to a breach with a prepared apology and a year’s free subscription to a credit monitoring agency as compensation.
In reality, the cost can be great. Yahoo, for example was forced to reduce its sale price to Verizon by $350 million after a massive data breach in 2016. Companies that manage to survive beyond such attacks must face the loss of customer trust, the loss of brand image and the likelihood of a swarm of lawsuits.
Rothrock’s call for a more pragmatic approach to cybersecurity is based on a characterization of cyber threats: “more persistent, more sophisticated and more pernicious.” Pinning your hopes on the promises of a vendor that their security system is “state of the art” is no longer the smart choice. What is needed, the author argues, is a proactive plan that receives the same attention and funding as the corporation’s disaster recovery plan (DRP) and business continuity plan (BCP), because a cyberattack now has the potential to do just as much damage as a hurricane, an earthquake or any physical terrorist attack.
Such planning begins with the realization that there is an inherent “risk-reward tradeoff” of e- commerce and digital connectivity. Opening the company up to the opportunities of digital connectivity also opens the doors to cybercrime. This tradeoff, Rothrock argues, demands a “whole business engagement” with the problem, as opposed to the current preference of leaving digital security to the I.T. department.
Whole Business Engagement
Since we may be years away from the digital equivalent of building codes to withstand hurricane- force winds or earthquakes, it falls to C-suite executives to reorient their approach to data security by proactively engaging the problem. Rothrock offers a simple but effective manual for this by summarizing the “seven hallmarks of digital resilience” proposed by Kaplan, Bailey, O’Halloran, Marcus and Rezek in their book, Beyond Cybersecurity: Protecting Your Digital Business.
- Prioritize information assets based on business risks.
- Provide differentiated protection for the most important assets.
- Integrate cybersecurity with enterprise-wide risk management.
- Enlist front-line personnel to protect the information assets they use.
- Integrate cybersecurity into the technology environment.
- Deploy active defenses to engage attackers.
- Test continuously to improve incident response across business functions.
Digital Resilience challenges the assumption that the best use of cybersecurity budget dollars is for the prevention of network penetration. The author provides overwhelming evidence that network design and response protocols must now be built around the assumption that cybercriminals will find a way in at some point. Whether it’s from a ransomware attack, a blatant theft of customer data or malware designed for maximum disruption, this book carries the important message that no network is impenetrable.