At the tail end of 2014, the dramatic hack of Sony Pictures’ emails and data captured the imagination of the media and the public. The year before, it was the data breach at Target making headlines. In between were assaults on JPMorgan Chase and other companies. If you are a casual observer outside of cyber security circles, you may think that these are isolated incidents, rather than a persistent problem. You would be wrong.
In a 2014 global threat assessment, the Office of the Director of National Intelligence placed cyber threats at the top of the list. The perpetrators and their motives may vary from attack to attack but, taken together, cyber threats represent a fundamental shift in the business environment. Every executive and consumer should be concerned.
This is only in part a technical issue. It is more important for leaders to grasp the strategic implications of this new and dangerous world. I first understood this last spring when I had the opportunity to hear Frank Abagnale—the slick fraudster portrayed by Leonardo DiCaprio in the film Catch Me If You Can—address senior leaders of a federal law enforcement agency. Abagnale has been advising the FBI without pay since his release from prison in 1974. He said that consumers should realize that their concern should not be whether their information will be hacked—it’s simply too late for that. We have all been compromised or can be easily. Rather, it is most important to know if and when this could happen, so that you can take effective countermeasures. That’s a game changer both for individuals and businesses.
How do you shape your strategy for the age of the inevitable hack?
1.Realize that every company—including yours—is a data company. In a highly digital world, every organization large and small is awash in data and at the mercy of its technical infrastructure for everything from product design to processing payroll. Try taking your company “dark” for even a day and watch what happens. I doubt that Sony thought of itself as a data company. However, the hack quickly brought its operations to a halt.
2.Reputation is the real battle. Organizations are hit daily with assaults on their firewalls. A breach can result from careless oversight—as was the case at JPMorgan Chase, where a server was accidentally left inadequately protected—or bad guys who simply overcome your defenses. When you are first compromised, you are a victim. But if you fail in your response, you can become a villain. You can’t hunker down. You can’t hide. As a leader, you have to realize that, although part of the fight is repairing technical damage, you also have to engage immediately and assertively with customers, suppliers, the media, law enforcement, and regulatory and elected officials—the full range of stakeholders—in order to protect your reputation. Transparency is key to regaining trust.
3.Learn how to fight in the castle, not just at the ramparts. Although one necessary tactic is to ensure that your defenses are robust, you must also prepare to fight the bad guys if they get inside. It is essential that your entire organization—not just the IT professionals—act with agility and coordination. There can be no finger pointing in the midst of the incident; fight the intruders, not each other. And though it is easier said than done, given that the instincts of the CEO, CIO, CMO, and general counsel may be in conflict as to what to do, leaders must emphasize team cohesion. David Rock’s principles of social safety are an excellent guide to setting the conditions for unity of effort and mitigating destructive behavior.
4.Drill, baby, drill. Preparation is a strategic imperative because a cyber-attack can thrust non-technical executives into the center of a highly technical calamity. They can become defensive as their lack of expertise becomes apparent. That’s why it is critical for the CEO, CFO, and others on the executive team to have confidence in their technical teams. Drills and tabletop exercises in which the senior players participate are a proven way to build understanding of how a response is supposed to unfold and foster trust among the participants, but they must be practiced before a breach happens. If, as CEO, you simply show up and expect to be in charge of an unfolding incident without a grasp of the protocols, you will disrupt the battle rhythm of your team and increase the likelihood of potentially serious missteps.
5.You may be a pawn in a larger competitive context. Long-held approaches to strategy, such as Porter’s Five Forces, can lend insight into traditional competitive situations. But what if your company is drawn into a battle between states or cyberterrorists competing for the world’s attention? Such rivalries may not be directly relevant to your business, but they can have an extraordinary impact on your business. Does your risk assessment account for these nontraditional actors and their objectives? Have you established a plan that would allow you to coordinate strategy with your traditional rivals should it be necessary to respond industry-wide or throughout the supply chain? For example, the Motion Picture Association of America was largely silent in the Sony case and coordination between theater owners and the association appeared poor. Do you have active relationships with the relevant public agencies, such as the FBI and Secret Service?
Abagnale’s warning to consumers is just as relevant to your organization: Stop thinking about what will happen if you are hacked and start crafting a strategy that assumes you will be hacked. Just as in every response my colleagues and I have studied, leadership will be an independent variable in whether you succeed or fail. Fortunately, following these steps will greatly enhance your prospects.
Stop thinking about if you are hacked and start crafting a strategy that assumes you will be hacked.