8

ACHIEVING DIGITAL RESILIENCE

A Top-Down Guide

Organizational relationships, priorities, and risks change over time. They change because of new leadership, external factors affecting the business, new recruits with new ideas, and evolving supply chain and customer relationships. Cybersecurity and its implementation are among the forces of change that impact organizations.

By the early 1970s, arguments over the pros and cons of innovative “flat” corporate organizations versus traditional hierarchical, or “tall,” organizations were shading distinctly toward the flat end of the spectrum. More and more C-suite executives and boards of directors were being drawn to the idea of elevating employee levels of responsibility, streamlining management layers, improving the coordination and speed of communication among employees, facilitating decision making, and—not least of all—reducing or eliminating middle-management salaries. Besides these business considerations, flattening out corporate hierarchies seemed a desirable affirmation of democratic values. Flat felt good.1 The status quo of the 1920s, the “super bureaucracy,” had by the 1970s given way to a new status quo, the flat organization. From there, by the early twenty-first century, the flat model spawned such ideas as eco-leadership, collaborative leadership, and distributed leadership. These are what business journalist Vivian Giang calls the “super flat” organizational model.2

“When we look at organizations that are flatter, there’s both top-down and bottom-up decision making,” MIT professor of management and organizational studies Deborah Ancona told Giang. Ancona pointed out that “a lot more tasks are given to people lower down in the organization. There’s more empowerment and freedom given to people.” In effect, as Giang observes, in today’s super-flat organizations, “everyone needs to step up and be the leader.”3

LIABILITY IN TODAY’S “SUPER FLAT” ORGANIZATIONS: WHY RESILIENCE IS MORE IMPORTANT THAN EVER

At least some of the democratic idealism that clings to the super-flat organization may be aspirational hype, but it is almost certainly true that even large corporate structures have never been flatter. This is in large part a function of digital networking within the organization, among different organizations, and among people inside and outside any organization. In the old analog days, the top-level executives not only made most of the money, they possessed most of the data—the information necessary to make key decisions and run the company. Today, thanks to intranets and the Internet, almost everyone in a business has access to almost all data. Where tall analog organizations imposed draconian restrictions on who could connect to whom, both within the company and outside of it, today’s substantially flatter organizations promote connection pretty much at will. The ability for anyone in a company to have a personal email conversation with the CEO has cemented this change to flat.

This is efficient, productive, and good—mostly. But while each connection enhances transparency and presents business opportunities, it also poses business risks. And that is when the realization hits CEOs and boards of directors that while leadership may be widely distributed across their enterprise, liability for the corporation is ultimately concentrated at the top of even the flattest of modern organizations. In managing this twenty-first-century flat, digital, transparent corporation, resilience is more important than ever. We must be prepared for more risks, more disruptions, and the creation and dissemination of more misinformation.

The 2013 breach of Target Corporation (Chapter 1) not only compromised the personally identifiable information of some 70 million people (nearly 30 percent of the adult population of the United States), but resulted in the outright digital theft of 40 million credit cards and cost Target in excess of a quarter-billion dollars.4 The breach also brought a barrage of lawsuits against the company by the banks that issued the affected credit cards, by shareholders, and by customers. Target’s CEO was fired, and directors and officers were “caught in the crossfire” of “a series of derivative lawsuits,” in which “shareholders claimed that the retailer’s board and C-suite violated their fiduciary duties by not providing proper oversight for the company’s information security program, not making prompt and accurate public disclosures about the breach, and ignoring red flags that Target’s IT systems were vulnerable to attack.”5 The four derivative suits filed in federal court were subsequently consolidated and eventually dismissed, but only after nearly two years of costly inquiry and investigation. In the end, an independent oversight committee did recommend replacing the board.6

The 2013 Target case and its fallout were a wakeup call to boards and the occupants of the C-suite. Today, everybody must assume a degree of leadership, but leadership toward digital resilience must ultimately be a top-down initiative. If protecting digital data assets were strictly a matter of cybersecurity, top executives and board members could turn everything over to a CISO (Chief Information Security Officer) or a CIO (Chief Information Officer) and audit their work on a quarterly or yearly basis. But as we have demonstrated in this book, cybersecurity implemented by itself is not merely likely to fail; it is certain to fail. A recent article in The Economist documented this fact alarmingly. The blunt title of the piece is telling: “Why Everything Is Hackable.” The second paragraph catalogs some of the biggest cyber hits of 2016: $81 million lifted from the central bank of Bangladesh, the theft and subsequent leaking of CIA data and NSA hacking tools, the paralyzing distributed denial of service attack against Internet performance management company Dyn via the Internet of Things, and, of course, the hacking of the Democratic National Committee’s email servers, the WikiLeaks data dumps that followed, and the creation of a cloud of uncertainty over the U.S. presidential election and the presidency it produced. But the hacks, the exploits, and the crimes are not the focus of the article. The victims’ vulnerability is—and that vulnerability, it turns out, is universal: “everything is hackable.”7

We could say that businesses face a clear and present danger, but the more salient truth is that boards and C-suite leaders face a clear and present certainty, since they bear the liability for failure. As the 2013 Target breach demonstrated, cybercrime is a global criminal enterprise that in many astounding ways is run like the businesses it attacks. “Obscure forums oil the trade in stolen credit-card details, sold in batches of thousands at a time. Data-dealers hawk ‘exploits’: flaws in code that allow malicious attackers to subvert systems. You can also buy ‘ransomware,’ with which to encrypt photos and documents on victims’ computers before charging them for the key that will unscramble the data.” The traditional pop-culture view of hackers as rogue savants supremely skilled in the black arts of malicious coding—and therefore, like the Leonardo da Vincis of the world, few and far between—is dead. So much malware is commercially available through online vendors “that coding skills are now entirely optional.” It makes cybercrime easier, a lot less risky, and a great deal more profitable than buying a gun and walking into the neighborhood store to rob it. Even botnets—“flocks of compromised computers created by software like [the IoT-oriented] Mirai, which can then be used to flood websites with traffic, knocking them offline until a ransom is paid—can be rented by the hour.” What is more, “Just like a legitimate business, the bot-herders will, for a few dollars extra, provide technical support if anything goes wrong.”8

CYBERCRIMINALS ARE NOT JUST CRIMINALS, THEY ARE YOUR COMPETITION

Caleb Barlow, president of IBM Security, cites a United Nations report estimating that 80 percent of all attacks are conducted by “highly organized and ultra-sophisticated criminal gangs”—New Age thugs, I like to say. Barlow points out that this 80 percent “represents one of the largest illegal economies in the world, topping out at, now get this, $445 billion,” which is “larger than the GDP of 160 nations, including Ireland, Finland, Denmark, and Portugal, to name a few.”9

The cybercriminals the UN report is talking about resemble the attacker that hit Target in 2013. They “operate like highly regimented, legitimate businesses. Their employees work Monday through Friday. They take the weekends off. How do we know this? We know this because our security researchers see repeated spikes of malware on a Friday afternoon. The bad guys, after a long weekend with the wife and kids, come back in to see how well things went.” Via the so-called Dark Web, they offer “everything . . . from a base-level attack to a much more advanced version. In fact, in many cases, you even see gold, silver, and bronze levels of service. You can check references. You can even buy attacks that come with a money-back guarantee if you’re not successful.” In fact, these criminal enterprises “look like an Amazon or an eBay. You see products, prices, ratings, and reviews. Of course, if you’re going to buy an attack, you’re going to buy from a reputable criminal with good ratings, right?”10

Cybercrime has evolved into a viable business, with a remarkably low bar to entry. Legitimate businesses suddenly find themselves facing a whole new category of competition. No CEO and no board of directors would even think of failing to address their company’s competition or other “legitimate” threats. No C-level executive or board member would disclaim responsibility for dealing with the emergence of a new category of competitor by declaring it a problem for the chief marketing officer or the director of sales. No, it is no longer an option for C-suites and boards to view cyber threats and cyber vulnerabilities as matters for IT or the CIO or the CISO. These are whole-business issues that demand solutions starting at the top.

In truth, criminal cyber enterprises are not just competitors, they are super-competitors. Not because they are geniuses—they are not—but because the very nature of today’s rapidly evolving Internet creates new business vulnerabilities for every astounding business opportunity it enables. The Economist is a journal that likes to quantify what it prints. In the case of “all this hacking,” however, The Economist throws up its editorial hands, calling the cost of cybercrime “anyone’s guess.” Nevertheless, “all agree it is likely to rise, because the scope for malice is about to expand remarkably.” The expansion is due to the fact that, as security analyst Bruce Schneier puts it, “We are building a world-sized robot.” This is the IoT, the networked computerization of “everything from cars and electricity meters to children’s toys, medical devices, and light bulbs.”11

Just about every electrically powered device in our world is being designed to connect with the Internet, which means that just about anything can, does, or soon will connect to the networks we think of as “our own” and “under our control.” Traditional cybersecurity—the kind that was once the exclusive responsibility of IT, the CIO, or the CISO—is all about defending network perimeters. Much as insurgent wars—such as Vietnam during the 1960s and 1970s—forced traditional militaries to transform themselves into organizations capable of fighting armed conflicts that no longer had a defined “front,” so the IoT is forcing businesses to discard the very notion of any network “perimeter” to defend. “The default assumption,” University of Cambridge computer scientist Robert Watson says, “is that everything is vulnerable.”12

ACTION ITEMS

Writers of memos and directives love the heading Action Items. But what action items are appropriate when everything is vulnerable? Big companies are turning “to an old remedy for such unavoidable risks: insurance,” the current market for which has been reported at $3 billion to $4 billion a year, with 60 percent annual growth.13 The risk of cyberattack is indeed “unavoidable,” and insurance is a prudent tool for managing unavoidable risk, but, like cybersecurity itself, though necessary, it is not sufficient.

Faced with unavoidable risks, corporate leadership has three choices:

1. Get off the Internet. (In other words, go out of business.)

2. Insure the enterprise for losses at quite possibly unrealistic or at least unsustainable levels.

3. Take steps to achieve digital resilience—not with the impossible objective of avoiding the risk of cyberattack, but with the objective of managing it: dodging or defeating intrusion where possible, containing and thereby neutralizing a breach when it occurs, preventing (or at least minimizing) exfiltration, and learning from the incident to improve resilience, all while continuing to do business even under attack and, when damage occurs, recovering as quickly and completely as possible.

As we have seen, digital resilience is not a product one can simply purchase and deploy. It is a state of mind and operational philosophy that, in due course, is destined to be embedded in all future management training, schooling, and corporations. Why “destined”? Because only organizations that embed resilience will have a future. Although resilience, like quality control and quality assurance, can at first seem like just another additional expense, the fact is that, once implemented, resilience becomes a competitive advantage—truly a whole-business issue.

Action Item #1

Create awareness at the highest levels of the enterprise—the C-suite and the boardroom—of both the risks associated with your digital infrastructure and the certainty of cyberattack and its potential impact.

Action Item #2

Accept and understand that cyber insurance, while prudent and necessary, is not sufficient to mitigate the unavoidable risk of cyberattack. For one thing, currently available insurance does not begin to cover all costs associated with a breach. For another, insurers have yet to deploy technology and methodology to properly measure the risk they are being asked to cover. Most providers focus more-or-less exclusively on the threat environment and do not measure an organization’s ability to defend itself, which is a critical component in evaluating risk and rationally determining the scope and pricing of coverage. Policies, moreover, usually cover only out-of-pocket costs associated with notifications and other statutory reporting and compliance. By contrast, if the factory burns to the ground, insurance will rebuild it, pay lost wages of workers, cover inventory, and, in some cases, even cover lost revenues. Cyber insurance adheres to no such model of coverage. Suppose, for example, that you need to replace all the routers in your organization because a systemic digital flaw was discovered. Cyber insurance does not cover this expense. And that expense could be very considerable if you had to replace, say, 10,000 routers—the number in a not-very-large business. In any case, corporate leadership cannot blithely hand off management of cyber risk to a Chief Risk Officer (CRO). It is a business issue that demands whole-business involvement led from the top.

Action Item #3

Accept and understand that perimeter and detection cybersecurity is necessary but not sufficient to protect the digital data assets of the company, its customers, its suppliers and vendors, and other stakeholders. The assumption throughout the C-suite and the board must be that everything is vulnerable, including internal assets; therefore, to enable the organization’s survival, cybersecurity must be paired with digital resilience—the ability to respond to, counteract, and contain the event.

Action Item #4

Through audit, find out if your company is as digitally secure as it can be. Boards need to audit cybersecurity regularly. Yet this action item is something of a trick because you already possess the answer to the question Are we optimally secured against attack? It is, No, we are not optimally secured against attack.

Why not? Because no company can both be digitally connected to the world and optimally secured against a successful attack. Former FBI director Robert S. Mueller III said back in 2012, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”14 No cybersecurity solution is bulletproof. Cyberattack is both frequent and inevitable. Given sufficient time, successful cyberattack—an attack that penetrates your security and impacts your business—is also inevitable. It’s what you know and how you respond that makes the most difference in how you emerge from an attack.

Action Item #5

Determine your risk appetite. Top leadership needs to ask and answer four key questions:

1. What risks can we control?

2. What risks must we accept because we cannot control them?

3. In balancing exposure to attack with the business opportunities presented by openness of digital access, how much risk are we prepared to stomach?

4. What can we do to manage and mitigate the risk we decide to accept?

These questions are not unique to digital resilience. They are already asked regarding practices and policies throughout many other aspects of the business. Often, organizations have risk officers who assess risks based on the type of business they’re in. The cyber thugs want your data. They want to steal it, sell it, disrupt your operations, or wreak havoc on you and others. How your business acquires the data—what you do for a living—is of no concern to them. If you are big, if you hold data, or if you have access to others who hold data and control, you are a target. Since data is the target, senior management must lead the effort to protect that data, whether you are making bread or making steel.

Action Item #6

Understand the difference between digital security and digital resilience. You don’t need to reread this book. Here’s the nutshell: Security is about locking up and hunkering down. Resilience is about standing up to do business while fighting back.

Although leadership must demand the best digital security compatible with doing business in an intensively connected digital ecosystem, there is a danger that a CISO or CIO is in the position of the proverbial person armed only with a hammer and to whom, therefore, the entire world looks like a nail. Security is a security issue, whereas resilience is a business issue, and that is why it is incumbent upon top leadership—the CEO and the board—to ensure that the enterprise has the best and most appropriate digital security compatible with doing business optimally.

Digital security proposes to keep attackers out of your network mainly by defending the network perimeter using antimalware detection software and firewalls. The problem is that no perimeter defense that is compatible with connectivity—in other words, compatible with doing business—is bulletproof. If you connect intensively enough to do business optimally, you expose your internal network to attacks, some of which will penetrate your perimeter defenses. Besides, today’s cyber threats come from the inside as well as the outside. So, one way or another, an attacker will get into your network. That is why your enterprise must achieve digital resilience.

Action Item #7

Lead your company toward resilience. “A computer at its basic level has an engine that runs things and a list called ‘memory’ from which it fetches instructions on what to do next,” Dr. Phyllis A. Schneck, President Obama’s DHS deputy undersecretary for cybersecurity and communications, explained in her keynote address to the 2016 NACD Global Summit. “A hack is simply: I’ve got your next instruction, and I can make your computer do what I want it to do. And once I do that once, I can do it forever, because I’m in.” Assume that your network will be penetrated; therefore, start leading your company toward resilience. It is a capability and a strategy that will give you the “ability to fight while under attack and stay alive”—that is, stay connected, doing business.15

Action Item #8

Frame resilience as a business issue, not as a security issue. Old habits die hard. Make an affirmative effort to avoid misfiling resilience under security. Treat it as you would any other business issue that involves and impacts the whole enterprise. This means planning for and budgeting resilience not as an operational adjunct, a regulatory burden, or so much defensive “hardware,” but as a positive business asset. Make it a competitive weapon. Not only will resilience help you to prevent data exfiltration, minimizing damage while enabling you to continue doing business, it will facilitate recovery from the most successful attacks. Beyond these benefits to the enterprise, resilience, properly promoted from the top, will attract customers, partners, and investors, all of whom are becoming increasingly savvy when choosing vendors, partners, and investments.

Sixty-eight percent of responders to EY’s Nineteenth Global Information Security Survey 2016–17 “would not increase their information security spending even if a supplier was attacked—even though a supplier is a direct route for an attacker into the organization.”16 On the one hand, this indicates a stunning failure to appreciate the stark fact that the security of your network is only as strong as the security of the networks with which you connect; on the other hand, however, it suggests that nearly a third of corporate leaders do value the security of the digital networks operated by their vendors and other partners. By treating your network’s resilience as an asset to the whole business, the board and the C-suite are positioned to promote a corporate culture of resilience as a value to customers, suppliers, investors, and other stakeholders. Perhaps “only” a third of business leaders currently recognize this value. Your promotion of resilience, from the top down, can be instrumental in growing that number by educating your customers and others in the value resilient digital practices offers the entire business community. Increasingly, consumers and businesses can be expected to choose to work with organizations that have demonstrably robust resilience policies and platforms.

Action Item #9

Secure a whole-business commitment. The board and CEO must be united in getting all C-suite and department and other executives not only committed to, but actively involved in, creating and maintaining digital resilience. This commitment and involvement requires the actions that follow in items #10 and #11.

Action Item #10

Adopt resilient measures that address the whole network with the objective of protecting data rather than protecting individual hardware devices. Recruit the entire organization to contribute the detailed working knowledge and insight required to prioritize all data assets according to the business value of data items as well as their accessibility to attack. Assets of greater business value require more access controls than items of lesser business value; however, items of greater business value that are not readily accessible from outside of the network may require fewer access controls than assets of lesser value that exist on parts of the network readily accessible to the outside. Thus, prioritizing data assets requires a two-factor analysis that is both a strategic business assessment and a technical assessment. Top leadership should require this assessment from those best positioned to perform it. Creating a truly resilient digital strategy—one that balances the security of selective user privilege against scope of access—requires the diverse insights of the entire organization. The goal is to provide efficiently differentiated protection for the company’s data. Critically important assets call for close control of access as well as high levels of encryption. Less sensitive data assets can be made more widely and readily accessible.

Action Item #11

Prioritize your assets, and, at regular intervals, audit the measures established in Action Item #10. The board of directors should not micromanage data asset prioritization. Nevertheless, it must accept responsibility for regularly auditing prioritization. It also should, when necessary, question the rationality of the priorities with an eye toward ensuring that data resilience throughout the enterprise is based on a productive and prudent balance between accessibility and security.

Action Item #12

Nurture a resilient organizational culture from the top down. Because it is both key to the survival of the enterprise and a feature of its value proposition, digital resilience must become an integral aspect of the culture of the organization. In a society, culture tends to develop from the bottom up, but in a business, culture emanates from the top, through the leadership of the board and the CEO and, from there, throughout the C-suite, through operational executives, and down to the frontline employees. This said, the entire organization needs to buy into the values and standards of the culture, which means that everyone must be involved in integrating digital resilience throughout the enterprise. Data is accorded lofty status in a resilient organization. Employees at every level should be recruited and trained to value and protect whatever data assets they handle. Nowhere is this more important than among personnel who deal with customer data and other core, critical assets of an organization.

Action Item #13

Take basic training for digital hygiene. Top leadership, including board members, should receive the same instruction in basic safe computing practices that all employees receive. “Social engineering”—the cons and deceptions at the core of pretexting, phishing, and other exploits—is the most common means by which attackers gain access to a network, and sophisticated attackers make a special effort to target high-ranking executives on the assumption that they have access to more of the most valuable information. The 2013 Target breach and the 2015–2016 breach of the Democratic National Committee, cybercrimes of historic proportion and consequence, began with social engineering—deceiving some human being into opening an email-borne link or attachment that deployed a piece of malware onto one computer and, from there, throughout the network. Awareness of social engineering exploits and how to avoid them should be universal throughout the organization. An attacker needs just one door to open. Whether that door belongs to the chairman of the board or to an intern matters surprisingly little.

Action Item #14

Deploy resilience in all business processes. Resilience is best applied to processes rather than divisions or functions or departments or individuals. Boards and the C-suite should require that resilience be designed into such processes as product development, marketing, sales, human resources, and the supply chain. In planning, overseeing, and auditing resilience, top leadership should think in terms of processes instead of organizational silos. At bottom, most business activities consist of a network of connected processes. Building into all business processes such features as strategic redundancy, alternative sequences, and segmentation of operations is a resilient approach to workflows that enables businesses to survive attacks and buy time to contain breaches while continuing to do business. This may be the easiest of all actions to take.

Action Item #15

Know your network and digital assets. Forty-nine percent of businesses responding to EY’s Nineteenth Global Information Security Survey 2016–17 “doubt that they are going to be able to continue to identify suspicious traffic over their networks.” Little wonder, since 46 percent “are also concerned about their ability to know all their [hardware] assets, . . . how they are going to keep these devices bug free (43 percent), how they will be able to patch vulnerabilities fast enough (43 percent), and about their abilities to manage the growth in access points to their organization (35 percent).”17 If we average these results, we can assume conservatively that four out of ten companies effectively admit to not knowing their networks. In consequence, even if they can find vulnerabilities, these companies (and, truth be told, probably many more) have little or no idea how accessible those vulnerabilities are to an attacker. Nor do they know what vulnerabilities lurk in unknown portions of their network. Moreover, they do not fully understand how making a change in one place (such as adding a device or changing a user privilege) affects the network as a whole, perhaps changing the status of its exposure.

Digital resilience begins with knowledge, not as a static map of your networks and their connections to the outside, but as a close to real-time picture of the network. Software tools are available to provide this dynamic picture. Without such timely knowledge, no organization can achieve digital resilience.

Action Item #16

Create a common language using a common metric to talk about risk, security, and resilience. A picture, even one that refreshes frequently to reflect the changing realities of your networks, their devices, and their connections to the outside, may not be universally intelligible, especially to nontechnical specialists from your board and C-suite. Fortunately, digital resilience can be measured; therefore, measure it. Better yet, score your networks in terms of digital resilience, expressing quantitatively both their resilience and their level of vulnerability with high objectivity and low ambiguity. This will enable CISOs and CIOs to make their business case to the CEO and the board to justify investment in specific aspects of the company’s digital infrastructure, or to reallocate their precious capital and human talent to mitigate risk in the most accessible parts of the network. Armed with a resilience score, top leadership has a guide for allocating devices, software, and people where they will improve resilience the most for each dollar spent.

Action Item #17

Ask—What if? This is the magic of resilience. Using your network mapping and resilience scoring tools, test a variety of what-if scenarios to calculate the impact of proposed changes in the network—addition or deletion of connections, alterations in access privileges, addition or removal of devices. The Pentagon has looked at the world for decades, asking what if about an array of potential enemies. The same concept can be applied to resilience in a business. Score how such changes will enhance connectivity (and therefore business opportunity) versus how the changes will pose security risks or reduce business opportunity. Test the effect of changes before the changes are made. The resulting scores should be expressed in terms meaningful to nontechnical board members and C-suite officers.
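The network map, the two-factor prioritization of Action Item #10, and the scoring and what-if testing of Action Items #15 through #17 can be made concrete in a few dozen lines. What follows is an added illustration written for this chapter; it is not a product the book describes or code from any vendor, and the nodes, edges, asset values, and the inverse-hop-count weighting used for exposure are all assumptions chosen for the example. It models the network as a directed graph, places each data asset on a node with a business value, scores each asset as business value multiplied by how reachable its node is from the Internet, and re-scores the map after a proposed change before that change is made.

```python
"""Illustrative resilience scoring over a network map.

Added example for this chapter, not a tool the book describes: the
network, the assets, their values and the exposure weighting are all
constructed assumptions used to show the mechanics of Action Items #10
and #15 through #17.
"""
from collections import deque
from typing import Dict, Optional, Set, Tuple

# Constructed sample network. A directed edge A -> B means "something on A
# can reach B" (a network path, a trust relationship, or a credential).
# 'internet' is outside the company; 'vendor_hvac' is a third party that
# has been granted access to the billing portal.
NETWORK: Dict[str, Set[str]] = {
    "internet":       {"web_dmz", "vendor_hvac"},
    "vendor_hvac":    {"billing_portal"},
    "web_dmz":        {"app_tier"},
    "billing_portal": {"app_tier"},
    "app_tier":       {"customer_db"},
    "customer_db":    set(),
    "pos_segment":    {"card_data"},   # isolated: nothing reaches it
    "card_data":      set(),
    "hr_db":          set(),           # isolated
}

# Data assets: (node the asset lives on, business value 1..5).
ASSETS: Dict[str, Tuple[str, int]] = {
    "customer_pii": ("customer_db", 5),
    "card_numbers": ("card_data", 5),
    "payroll":      ("hr_db", 3),
    "web_content":  ("web_dmz", 1),
}

EXTERNAL: Set[str] = {"internet"}   # where an outside attacker starts


def hop_distance(graph: Dict[str, Set[str]], sources: Set[str],
                 target: str) -> Optional[int]:
    """Breadth-first search: fewest hops from any source to target,
    or None when the target is not reachable at all."""
    seen = set(sources)
    queue = deque((s, 0) for s in sources)
    while queue:
        node, dist = queue.popleft()
        if node == target:
            return dist
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def exposure(distance: Optional[int]) -> float:
    """Technical factor in [0, 1]: unreachable assets score 0, and every
    extra hop an attacker must cross lowers the factor (assumed weighting)."""
    return 0.0 if distance is None else 1.0 / (1 + distance)


def score(graph=NETWORK, assets=ASSETS, external=EXTERNAL):
    """Two-factor prioritization: risk = business value x exposure.
    Returns (total_risk, {asset: risk})."""
    per_asset = {}
    for name, (node, value) in assets.items():
        dist = hop_distance(graph, external, node)
        per_asset[name] = round(value * exposure(dist), 3)
    return round(sum(per_asset.values()), 3), per_asset


def what_if(changes, graph=NETWORK, assets=ASSETS, external=EXTERNAL):
    """Apply proposed edge changes ('add' | 'remove', src, dst) to a copy
    of the map, rescore it, and return (change_in_total_risk, {asset: risk})."""
    trial = {node: set(edges) for node, edges in graph.items()}
    for op, src, dst in changes:
        trial.setdefault(src, set())
        trial.setdefault(dst, set())
        if op == "add":
            trial[src].add(dst)
        elif op == "remove":
            trial[src].discard(dst)
        else:
            raise ValueError(f"unknown change {op!r}")
    baseline, _ = score(graph, assets, external)
    trial_total, detail = score(trial, assets, external)
    return round(trial_total - baseline, 3), detail


if __name__ == "__main__":
    print("baseline", score())
    # What if the vendor-facing billing portal could reach the POS segment?
    print("vendor -> POS", what_if([("add", "billing_portal", "pos_segment")]))
    # What if the web tier were disconnected from the Internet?
    print("unplug web", what_if([("remove", "internet", "web_dmz")]))
```

Run as a script, it prints the baseline and two what-ifs: giving the vendor-facing portal a path into the payment segment raises the total by the full value of the card data, while unplugging the web tier lowers it, which is the connectivity-versus-exposure trade-off the board is asked to weigh rather than simply minimize. A real tool would replace the hop-count weighting with richer inputs (authentication strength, known vulnerabilities, privilege levels), but the shape of the question, and of the answer a nontechnical reader can act on, stays the same.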

Action Item #18

Understand the digital ecosystem by evaluating your connections. In December 2016, hackers impersonating a recording company executive sent emails to a music management company and to a management and recording company that persuaded human beings at both firms to send them Lady Gaga’s stem files, the files recording engineers and producers use to remix and remaster records. “The heist,” The New York Times reported, “was a classic example of how hackers exploit the weakest link in the extensive chain of vendors, postproduction studios and collaborators that corporations must trust with their most valuable intellectual property.”18

The thing is, your network ceases to be exclusively yours the instant you connect to another network. Whether you are Lady Gaga or Target Corporation, a breach is enabled by vulnerabilities in your network, but it may begin with a breach in the network of a vendor—in the case of Target, a certified vendor—who has privileged access to your network. In the Target case, neither the vendor nor Target detected the insecurity. Nevertheless, the vendor’s malware issue became Target’s problem when the two networks communicated.19 As for Lady Gaga, through no willful action of her own, her intellectual property, her very costly bread and butter, fell into the hands of cybercriminals. We know that most companies—68 percent, according to data cited in Action Item #8—would choose not to increase their cybersecurity spend even after one of their vendors was breached. This suggests that many, if not most, companies also fail to evaluate the digital security and resilience of firms with which they regularly do business, even when they allow them to access their own networked systems via (as, for example, in the case of Target) estimating and billing programs. The fiduciary responsibilities of boards and C-level leadership do not end at the corporate network firewall.

Action Item #19

Never sacrifice business to security. “Air gapping” your business—pulling the plug on connectivity with the Internet—will dramatically increase your digital security. Unfortunately, the price is unacceptable. You go out of business. At the risk of repetition, remember: security is a security issue, not a business issue. When top leadership focuses exclusively on eliminating security risks, there is a high probability that its actions will make the business less efficient, less agile, less responsive, and therefore less profitable by heedlessly throttling access. Taking the wider view, a view that encompasses digital resilience—which is a business issue—compels the board and the C-suite to find, oversee, and audit solutions that balance network access with network restriction. Resilience is about enhancing profitability and value by prioritizing data assets and intelligently managing access to them for the purpose of business. Effective leaders resist the blind impulse to build walls. Instead, they demand that access be dynamically managed with vigilance informed by active intelligence and objective measurements.

Action Item #20

Get into the data loop. Top leadership needs to know what it knows and what it does not know. Look at how information on digital security and resilience is communicated to the top. Invite regular briefings from IT executives—CISO and CIO—to discuss the state of the organization’s digital infrastructure, always bearing in mind that it is inherently dynamic and exists as one part of a much larger digital ecosystem.

Action Item #21

Give subject-matter experts a seat at the table. As boards typically include executives in compensation, audit, and other key functions, someone with a strong cybersecurity background should claim a seat at the boardroom table as well. Not every board member needs to be a cyber specialist, but all need sufficient understanding of their organization’s networks to make informed decisions about risk and reward, risk and opportunity. All members should acquire sufficient training in network security to make IT-related evaluations and judgments aligned with their organization’s risk appetite. The management of cyber-related risk should be integrated within the broader context of all other business risks. Consider forming dedicated committees to oversee and audit both cybersecurity and digital resilience throughout the enterprise. In addition to ensuring the availability of technical subject-matter experts, consider adding a special legal counsel experienced in data security issues.

Action Item #22

Get ready. The time to prepare for cyberattacks, which are inevitable, is now. In addition to auditing readiness and addressing any gaps that are found in readiness, reinforce your organization’s culture of resilience (Action Item #12) by ensuring that it is, above all, a culture prepared for change. Whatever else a serious network breach is, it is change—sudden, radical, painful, scary, and potentially destabilizing. Ensure that you have people in place who are capable of nonroutine leadership and crisis management. Resilience is not just about resistance, it is also about recovery.

Action Item #23

Start playing games. Militaries play at wars much more than they fight real wars. This is not because they enjoy being soldiers, but because they understand that war entails all manner of uncertainty and the more you game out that uncertainty, the less uncertain it becomes. Top leadership needs to support digital wargames designed to hone resilience. This means finding out what works and what does not. It means challenging the status quo—existing procedures for breach response—and it means adopting and rehearsing whatever procedures appear to have the best prospect of prevailing in a crisis. As always, knowledge is essential to resilience. Gaming out a breach and your range of responses to it chips away at ignorance. All games have rules. Include among your rules everything you have decided about the balance between risk and opportunity, restriction of access and openness to the world.

Action Item #24

Act to reduce chaos. A serious network breach creates chaos. You cannot eliminate it. You cannot decree its suppression by executive fiat. You can, however, act to reduce it. Some of this reduction can come from good technology, but much of it requires top-down leadership that prepares and trains people at all levels in how to respond, how to behave, what to communicate, and what not to communicate in a digital crisis. A network breach is not an IT problem. It is a whole-business crisis that affects every employee and every stakeholder, including customers, partners, vendors, and investors. Top-down transparent, authoritative, and realistically affirmative communication is essential to rapid recovery. Ideally, resilience helps you avoid an attack or to quickly contain one. But when a breach results in substantial damage and data loss, resilience is essential to rapid and full recovery of business operations as well as stakeholder trust.

Action Item #25

Find the truth, hold onto the truth, present the truth. A network breach may be many things. It is, however, indisputably one thing: a crime—the ultimate cost of which can, to a significant degree, be managed, if the board and other top leadership act to gather, preserve, and present data. And since this is a crime, data is also evidence. In a cyber breach, top leadership has profound fiduciary responsibilities and potential exposure to criminal prosecution and civil action. Secure legal counsel, cooperate with government authorities and law enforcement, and conduct your own formal investigations—with the understanding that these will become part of the legal record. Prepare for a serious breach in advance by establishing procedures by which the CIO, CISO, and others are to communicate with designated top leadership, both internal and external counsel, and those with responsibility for investigations and compliance.

The primary goal of your investigation is to determine, first and foremost, whether the attackers remain in your network as a persistent threat. Are they still in the system? What malware have they left behind? Contain the damage. Stop the crime.

Beyond this, collect evidence to support a full investigation with the objective of learning from the breach: Who carried it out? Why? And how? Since knowledge is the key to resilience, learning from the breach will help make your enterprise more resilient.

Your investigation should not be aimed exclusively at minimizing your company’s legal exposure, but should also be conducted with the objective of bringing action against the attacker in the form of criminal prosecution and pursuit of civil claims. Assess the liability of others, including vendors who may have failed to meet contractual obligations or may have carried them out in a negligent manner.

Action Item #26

Share your pain. After a breach, the natural impulse at the top is to hunker down and clam up. Resist this inclination. IBM’s Caleb Barlow points out that most hackers remain forever anonymous and, therefore, remain forever beyond the reach of law enforcement. This being the case, he proposes changing “the economics for the bad guys” by making their crimes unprofitable. Barlow notes that the top priority in responding to a disease pandemic such as SARS, Ebola, bird flu, or Zika is “knowing who is infected and how the disease is spreading.” In an outbreak, “governments, private institutions, hospitals, physicians” respond “openly and quickly” in “a collective and altruistic effort to stop the spread in its tracks and to inform anyone not infected how to protect or inoculate themselves.” Although a cyberattack is in many ways similar to an infectious disease outbreak, organizations “are far more likely to keep information . . . to themselves.” They are “worried about competitive advantage, litigation, or regulation.”

Barlow wants “organizations to open up and share what is in their private arsenal of information.” Sharing the information is “equivalent to inoculation. And if you’re not sharing, you’re actually part of the problem, because you’re increasing the odds that other people could be impacted by the same attack techniques.” Moreover, by detecting and stopping criminals’ exploits “closer to real-time, we break their plans. We inform the people they aim to hurt far sooner than they had ever anticipated. We ruin their reputations, we crush their ratings and reviews. We make cybercrime not pay. We change the economics for the bad guys.” With this objective in mind, IBM released more than “700 terabytes of actionable threat intelligence data, including information on real-time attacks that can be used to stop cybercrime in its tracks.” As of December 2016, more than 4,000 organizations were “leveraging this data, including half of the Fortune 100.” Barlow’s hope is to “get all of those organizations to join [IBM] in the fight, and do the same thing and share their information on when and how they’re being attacked.”20

At the very least, in consultation with counsel and law enforcement, you need to share the news of an attack as well as the results of your investigation. The board and the C-suite should not hoard as privileged intellectual property the details of a breach and the lessons learned from it. Instead, this information should be regarded as knowledge to be shared freely with the business community. Your network exists in a digital ecosystem. Any knowledge with the potential to enhance the resilience of your network has the potential to make the ecosystem more resilient. The resilience of every network in the ecosystem enhances the resilience of yours.

TAKEAWAY

I admit it: I’ve written a long list of action steps leadership can take to become more resilient to the digital risks of our time. So, let me end with this single challenge to you. History is full of organizations and leaders who ignored the trends of the day, the evolving threats to their function and existence. Digital resilience does not happen overnight. In fact, resilience is a well-worn path through most physical aspects of our daily lives. Pause. Think about those experiences and requirements we put on ourselves in “real life” to make our world safer, more efficient, and less costly. Now, apply this thinking to your digital infrastructure, the one on which your business is so thoroughly dependent today. That’s the single most urgent action step required.

Be a leader, change the way your company thinks about cyber, and I guarantee that you will be a leader who endures and is never surprised. When that big cyberattack hits your organization, you will be ready.
