Bloomberg Government regularly publishes insights, opinion and best practices from our community of senior leaders and decision-makers. This column is written by Tom Skypek, co-founder and CEO of GovBizConnect.com, an online network for government contracting professionals.
Cybersecurity is no longer the exclusive domain of corporate IT shops. In the past and in some quarters today, cybersecurity is still viewed as “some IT thing.” But the companies that take this view do so at their own peril.
The specter of data breaches and denial-of-service attacks is a risk facing every business that uses an internet connection. High-profile cyberattacks on Target, Anthem, Sony, the U.S. Office of Personnel Management and recent incidents of ransomware underscore the pervasiveness and acceleration of these threats. Regardless of industry, cybersecurity should be a regular C-suite and boardroom agenda item for any firm. But for federal government contractors, cybersecurity must be a regular C-suite and boardroom agenda item.
Nate Fick, CEO of Endgame, a security software company that automates the hunt for advanced adversaries in cyberspace, explains, “Cyber security isn’t delegable from the board and C-suite for the simple reason that senior leaders need to manage existential risk. One of the reasons why a dollar of offense beats a dollar of defense is because of the talent imbalance between offense and defense—it’s more fun to be a pirate than to join the Navy. We will never right that imbalance if we relegate our defenders to the depths of the IT shop, where security becomes another check-the-box compliance exercise.”
Government contractors possess a range of sensitive data, from proprietary and personally identifiable information (PII) to classified national security information. Because of this, federal government contractors are a major target for bad actors, from extortionist hackers to non-state actors and nation-states. For certain businesses, a cyberattack can result in reputational damage and a temporary decline in sales; for others, a cyberattack could kill the business outright because, as Fick notes, cyber threats can be existential.
The question for C-suite executives and board members is one of risk and resources: How does a company most effectively deploy its resources to mitigate cybersecurity risks to an acceptable level? There are multiple strategies for managing cybersecurity risks—including some blend of risk avoidance, risk transfer and risk acceptance. And now companies like Fick’s are enabling businesses to assume a more offensive posture when managing this risk, instead of being a passive target.
Scenario planning is an especially useful planning tool for thinking about cyberattacks and potential responses. Are you likely to forecast with exact precision the cyberattack your company may face? No, but that’s not the point. Recall the Graeme Edwards adage: “It’s not the plan that is important; it’s the planning.” Companies looking to build strong cybersecurity plans should incorporate scenario planning into their portfolio.
Make Cyber a Standing Agenda Item
Cybersecurity needs to be a regular agenda item at C-level and board meetings. It should not be a last-minute addition to the agenda once there is a problem. Deliberate thought on cybersecurity risks and the firm’s strategy for managing those risks is essential in today’s business world. According to Fick, “Boards and execs face a stark choice: be proactive with security or deal with the crisis of an incident response.”
Correction: An earlier version of this post listed Aetna as a victim of recent cyber attacks. The author meant Anthem. We regret the error.