Dr Ruth Massie, Senior Lecturer in Cyber Resilience Leadership at Cranfield School of Management, considers cyber-security a challenge for management and leadership functions to rise to—and not, as widely thought, a problem purely for technical teams to solve.
This critical re-framing of the question of cyber-security—of how to build a cyber-safe business in today’s digital world—underpinned a talk given by Dr Massie to an audience of senior executives at the Brand Exchange in the City of London recently (pre-lockdown!), in the latest event in Cranfield’s wide-ranging Leadership Series.
There are three “genres” of cyber-attack—or three-and-a-half—as Dr Massie tells us:
1. Where you are the target of the cyber-attack;
2. Where you are the route through to the target of the cyber-attack;
3. Where you are collateral damage from a cyber-attack;
Or—and this is the ‘half’—where you are victim to a ‘do-it-and-see-what-happens’ cyber-attack.
All three genres of cyber-attack can carry serious consequences for any organization, but it is the first where the consequences are the most extreme, and thus where leaders should concentrate their preemptive response and their related strategizing.
“Collateral damage attacks—where you are not the target—some of these will get through. That’s just the reality. The question we have to ask is: if you were the direct target of a cyber-attack, what would you want to protect?”
With priority systems and data identified for key protection measures, Dr Massie uses the metaphor of a castle’s defences as a useful image around which to organize your cyber-security strategy. This approach has staggered lines of defence, from moat to curtain walls, to strongbox deep in the castle keep. The key here is that there are priorities in any cyber-security effort, and that keeping every single cyber-attack out of your entire digital sphere is an impossible aim.
“A cyber-security strategy that aims to lock down absolutely everything would result in going back to paper, pens and fax machines—and even then faxes can be spoofed—so it’s not a realistic approach.”
The central theme of Dr Massie’s approach to building a cyber-safe business, though, starts with leadership questions. “Leading on Cyber-security you must first ask: Is everyone looking at this problem in the same way? Is everyone talking about it? Is everyone using the same language? That’s the first step.”
The technical view, as Dr Massie explains, is to view the problem of cyber-security data-first: from data, to information, to knowledge, to organizational actions, and finally to business results. Conversely, the business view is the complete reverse—putting business results at the top of the conversation, and working back finally to the data. The role of good cyber leadership, therefore, is to marry and weigh these two outlooks together, so that both are given equal prominence in a successful cyber-security strategy.