How To Govern For An Enabled And Safe Organization

As I write, Texas is in an uproar. Equipment is frozen at power plants. Natural gas wells have iced over. Millions of citizens are without electricity. Hundreds of cases of carbon monoxide poisoning are being reported as people attempt to warm up by their own generators.

Ten years ago, the state’s electric-grid operators were warned that they were not prepared for just the type of storm that hit Texas this week. The threats were not taken seriously, and the planning failure has led to catastrophe.

No one wants to be on the end of these questions:

• What did you know?
• When did you know of the threat?
• Why did you not do something about it?

In Texas, lives and careers will now suffer for lack of proper governance.

This week I gave a presentation to a state on digital stewardship and security. They are aware that there is a threat. They want to know more about how to be proactive and what to do. I was honored to contribute.

I am one voice of many, and excellent resources are being made available. I certainly recommend the book A Leader’s Guide To Cyber Security: Why Boards Need To Lead...And How To Do It.

I covered three main areas in my presentation: How boards can be misguided, what boards don’t know, and what boards can do about it.

How boards get off course: Misguided Paradigms

In essence, a paradigm is a construct of how we view things. Most boards are not given the proper construct in which to think rightly and see clearly. Specifically, unless the board is viewing digital stewardship as a business strategy, they will fail to fully address the critical strategies and first steps needed to guide well and to avert disaster.

Misguided paradigms fall into three categories.

1. Narratives
   In issues of security, three narratives can easily tell a false story.
   ‍
   ‍Security is a people problem. It is true that people will be people and do what we wish they would not do. But why is security left to a wish? People will also do as they are instructed and be accountable to their job, sometimes to a fault. Security is not a people problem. It’s a leadership problem.
   ‍
   ‍Protect the crown jewels. Naturally, we protect assets, such as data. But security is an environmental issue. The first focus is on protecting the business. “Particular” security is not whole protection.
   ‍
   ‍Cyber threats are always new and changing. Yes, they are. Again, particular security requires tests and updates. Cyber threat as a whole needs to be a business concern, and preparedness is far from one-dimensional.
   ‍
2. Influencers
   Misguided paradigms are also perpetuated by non-technical influencers.
   ‍
   ‍The myth of compliance. Compliance does not equate to secured business. But a secured business is likely compliant.
   ‍
   ‍Employee motivation. In any group of people, motivation varies. But leaders are called to motivate people to common and shared behavior.
   ‍
   ‍The economics of cyber attacks. Cost is always an influence, but it must not become the paradigm. Boards are masters of cost-benefit analysis. Security is the investment, and the lack thereof is the cost. Just ask Texas.
   ‍
   ‍The asymmetry of attack and defense. The sides are not equal and it is foolish to think so. Attack has the advantage of inflicting heavy damage with modest effort.
   ‍
3. Voices
   Governments, vendors and media send mixed and biased messages. Unfortunately, most boards still don’t have technologists at the table to help interpret and contextualize the ideas that are out there.

In essence, a paradigm is a construct of how we view things. Most boards are not given the proper construct in which to think rightly and see clearly.

What boards don’t know

1. Your job is to minimize business risk.
2. If it doesn’t make sense, it wasn’t explained. You can understand technology well-enough to make sound business decisions. The role of a technology leader is translation.
3. Cybersecurity is not to be siloed.
4. Align user and department motivations.
5. Symptoms of Negligence looks like this:

• Failure to fund security appropriately
• Measurements are not in place
• Uneasy IT people are not being heard
• Lack of independent evaluations of your security
• No information officers in place or the wrong ones in place
• Cyber security unit is not involved in the business
• No technologists at the board level or in the room

What boards must do

Boards must own the management of cyber risks that threaten the most critical business functions of the organization, ensuring that risks have been identified and mitigated.

Boards must also strengthen their security posture. They must conduct regular reviews of risks and create new mitigation plans. As well, boards need an honest assessment of current realities so that they can optimize overall security. In this, boards must lead with and promote transparency. Feeling secure is not being secure.

Boards must prepare and be able to lead in a crisis. They need to know cyberattack characteristics, have prepared an incident response, and have prepared and be aligned with executive leadership on all facets of security.

As you can imagine, there is so much more to come into play. But the above is a fair sketch for boards and governances to begin with, and for CEOs and CIOs to base security frameworks around.

A coach will tell you, “Training beats trying.” It’s not enough to try to be secure. Executives and boards must train themselves and their organizations to be secure.