CyberWire Daily - A look into the emotions and anxieties of the highest levels of decision-making. [Research Saturday]
Episode Date: September 16, 2023
Guest Manuel Hepfer from ISTARI shares his research on cyber resilience, which includes discussions with 37 CEOs to gain insight into how they manage cybersecurity risk. ISTARI and Oxford University's Saïd Business School dive into the minds and experiences of CEOs on how they manage cybersecurity risk. Ask any CEO to name the issues that keep them awake at night and cybersecurity risk is likely near the top of the list – with good reason. With the accelerating digitalisation of business models comes vulnerability to cyberattack. And while spending on cybersecurity increases every year, so does the number of serious incidents. Even the largest and most technologically advanced companies are not immune. CEOs must formally answer to regulators, shareholders and board members for their organisation's cybersecurity. Yet the majority (72%) of CEOs we interviewed as part of our research said they were not comfortable making cybersecurity-related decisions. The research and associated article can be found here: Research: The CEO Report on Cyber Resilience. Article: Make Cybersecurity a Strategic Asset.
Transcript
You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in our rapidly evolving cyberspace.
Thanks for joining us.
There's actually a story behind that report,
and it goes back to the research that I was doing
when I was still in my PhD at Oxford University.
I was exploring how three global companies
had responded differently to the same cyber attack.
And the cyber attack that I was studying at the time was NotPetya.
That's Manuel Hepfer.
He's head of knowledge and insights at ISTARI. The research we're discussing today is titled Make Cybersecurity a Strategic Asset.
But what I did in each of these three companies was I got pretty good, in-depth access, and I conducted about 15 to 20 interviews in each of these three companies with the IT engineers who were down in the trenches, with the CISOs, the CIOs, the CEOs, and in some instances, the chairpersons as well.
And I was comparing their resilience.
I was comparing what works and what doesn't work.
And what came from that research was that there's a lot of things that companies do differently in the wake
of a devastating cyber attack. And all of these interviews and conversations that I had were quite
insightful. But the one type of conversation actually stood out. And that was the interviews
that I had with the chief executive officers,
the three in each of these companies. And they stood out to me because to them,
what they had suffered, what they had experienced at the time was something that they had never experienced in their career before. And I remember sitting in the executive office of one of these
CEOs in another European country. And I still
remember two of those things that the CEO had said to me. And the first thing that he said to me was
that before the attack happened, it was completely impossible to think that anything could put us out
of business. Now, bear in mind, this was a multi-billion, $60 billion business at the time
in revenue. So it was a massive,
massive business, right? Now, the other thing that he said to me was, this was the first time
in my career that I had no intuitive idea on how to move forward. This was the worst experience
in my career. And I thought, well, this is quite strong language from a CEO of one of the,
you know, large global companies. And I published a smaller
report, a small article in MIT Sloan Management Review on the back of my PhD research that went
into some of the findings of what works and what doesn't and what some of the things are that
companies have to consider when they respond to an attack. But then I joined this company called ISTARI,
which is based in London. And after I had joined, I joined as a research analyst. And after I had
joined, the CEO of that company asked me, she really is a big fan of the research that I was
doing at the time of my PhD. And she asked me to do another research project that is really
difficult to do that really changes the way that
people think about some of these issues in cybersecurity. Now, I took on that task, but
I reflected on that. And as you know, the cybersecurity domain is a very noisy and very
crowded space. And it's really difficult to do something from a thought leadership and research
perspective that hasn't been done before. But then I remember the conversation that I had with that CEO, with the three CEOs during my PhD,
and I actually thought that there's something interesting there. Because for years,
the cybersecurity world and the community has had this belief that cybersecurity needs to be led from the top, that it's a CEO issue.
But to my surprise, and I looked around, no one had actually asked CEOs how they manage
cybersecurity risk and looked into their perspectives in a systematic way, speaking
to those CEOs who've suffered from an attack in a very systematic
and structured way. And I thought that's an opportunity, right? Because despite all of that
talk in the cybersecurity community, no one has actually ever done that. So this is the background
story of how the idea of that research project came to life. And what we then did was we had conducted 39 one-hour-long
interviews with CEOs of large global companies, nine of whom had suffered a devastating attack.
Now, we purposefully sampled those nine because we wanted to compare their voices and their
experiences to those CEOs that had not yet suffered a devastating attack. So that was kind
of the quick summary, the quick background story of how that research came to life.
It really is fascinating. And I have to say to our listeners, this is a report that is worth
your time and worth checking out. One of the things that really struck me was the difference between the CEOs who had been through a major event and the ones who had not.
Can you describe to us what you uncovered there in terms of that difference in mindset?
Yeah, yeah.
So what we discovered was three overarching things.
And the first thing is actually in the title of the report.
Now, if you look in the title of the report, it doesn't say the CEO report on cybersecurity, it actually says the CEO report on cyber resilience. And that's the first big thing that we found when we compared those CEOs who'd suffered an attack to those that had not yet suffered an attack, because those that had endured a serious attack realized that they and their organizations have to move beyond just hardening their enterprise's cybersecurity defenses
to creating organizational resilience to cyber attack.
Now, what some of these CEOs had told us was that they had spent years and years
of investments in creating cybersecurity defenses, but they realized
that when they were suffering from an attack, their organizations were lacking sometimes even the
most basic forms of resilience. And that is a seemingly small change in approach, but it has
direct and big impacts on the consequences. Now, when you speak to the cybersecurity world,
there's a lot of frameworks out there,
and I'm sure you're familiar with most of them.
But I think the most common one, at least in the US,
is the NIST framework.
And you look at the distribution of these five different domains,
identify, detect, protect, respond, and recover,
all of these subcategories are actually skewed
towards the protection side of things.
So 80% of these subcontrols, I think there's 108 of them, are classified in the identify, detect, and protect.
And only 20% of them are in the response and recovery side of things, which oftentimes is associated with resilience.
Now, I think resilience is broader than that. But I think what a lot of organizations realize who've been through an attack is that they had probably over-invested in creating defenses and protective measures
and under-invested in creating resilience, right? Creating organizational forms of resilience,
not just technological backup resiliences, right? So that's the first thing that we discovered, right?
Move beyond hardening cybersecurity protections to creating organizational resilience to cyber attack.
Let me ask you, why do you suppose that is? I mean, why was there such a lower emphasis on
resilience versus hardening that border? I think there's probably two, at least
two reasons for that. And the first reason is that cybersecurity as a domain has emerged from
the field of computer science and technology. So what happened over the last couple of years,
and we're seeing less and less of that, is that cybersecurity or IT security is seen as
a technological domain and a technological problem that requires technological solutions.
Now, when you're suffering from a cyber attack that disables your technology, yes,
there's a lot that needs to be done from a technological perspective, but there's a lot
of things that also don't require technology,
but that require innovation, that require business continuity, that require organizational ways of
continuing to work and recovering that don't necessarily have something to do with technology.
So the first thing is probably the heritage that cybersecurity has, because it emerged from this
technological domain, right?
And the second thing, or that's a hypothesis that I have, is that it relates to the cognition
or sometimes cognitive biases of people as well.
So there's actually some interesting research that was done that compared how people would
allocate investment into risk measures.
And it was a controlled laboratory experiment.
And the investment they could allocate either towards preventive measures or to reactive
measures after something had gone wrong. And what came out of that study was that most people tend
to over invest in protective or preventive measures while neglecting some of the responsive measures as well.
And I think there's something cognitive to that side as well, because what's more cognitively
available to you is actually the prevention, right? This is something that you do on a day-to-day basis,
whereas the hypothetical scenario of a response is more cognitively distant to you.
You know, one of the things that struck me as I was reading through this was, was that
I can't think of an example of a CEO of a non-cyber company who came up through the
ranks from a cybersecurity position within the organization.
Yeah, I think you're spot on there.
And this is also something that we looked at as well. I think there's very few CEOs of non-technology and non-cyber companies who have a technological background. But I don't think there's anyone, any CEO right now that has a background in cybersecurity.
And there's a danger to that as well, because sometimes what happens when you are an executive or a CEO, and it's just the nature of the job, is that there are so many different and competing demands on you when it comes to your attention or your resources, that sometimes people and executives tend to allocate attention and resources to those things that they're most familiar with. And because cybersecurity is often perceived to be this daunting,
difficult to grasp domain that speaks with a lot of acronyms
that don't mean anything to the normal business executive,
that means that sometimes cybersecurity receives less attention
because it's so daunting.
So I think you're spot on, right?
There's only very few people who have moved up through the ranks of technology. And I don't think there's any who've moved up
through the ranks of cybersecurity, at least in these days. Another thing that struck me as I was
reading the report, was the emotional component of this amongst the CEOs that you interviewed,
the ones who had been through a major event.
There's a quote in the report where you quote a CEO of a $4 billion US company who says, whenever I speak to a group of CEOs to share my learnings from the cyber attack,
I start by saying, put down your phone for 15 minutes. You want to listen carefully to
what I have to tell you. That's a powerful statement.
Yeah. We were actually surprised, or I was surprised by some of the candor and honesty by which the CEO spoke to us. So we granted anonymity and confidentiality,
and sometimes it almost felt like a counseling session, if I'm allowed to say that.
Now, if you're a CEO, pretty much the entire company rests on your shoulders.
And some of these devastating cyber attacks feel very much existential.
Now, there's only very few companies who have actually filed for bankruptcy after a cyber attack.
But that doesn't mean that their existence while they're happening shouldn't feel existential. So there's the anxiety of these
business leaders that the company is going to die on their watch. And I don't think this is something
that people want to go through. Now, we've done some of these interviews after the pandemic as
well. So we could compare and we could ask some of the CEOs how the experience of the cyber attack compared to other kinds of organizational crises.
And what we got was that cyber attacks feel much more personal and much more emotional for whatever reason.
I think there's a few potential hypotheses about why that's the case.
I mean, the pandemic was happening to virtually every organization.
So there was a sense of collective suffering, whereas cyber attacks usually isolate companies and oftentimes they're not fully public.
But there is certainly a huge emotional toll when responding to an attack.
And I think another reason for that is because there's so much uncertainty about the impact, about the origins, about the attacker. You know that there's somebody out
there who's trying to intentionally create harm and cause damage with you, right? There's a cat
and mouse play. There's a game theory, like exploration of negotiations when it comes to ransoms, right? So it feels much more personal
as opposed to a fire or a pandemic. And I remember speaking to one of the CEOs of the study
who had said, I think the quote that he said was, the attack felt like somebody was reaching
inside of his guts and repeatedly wrenching them out. I think that was somewhat the quote that I
have in my mind still. And I think that was a very powerful way of describing that feeling.
Well, the report includes what you describe as four mindsets that every CEO should adopt.
Can we go through those four items together?
Yeah, yeah, of course. So the first finding that we had was that organizations should
move beyond cybersecurity to something that is more organizational resilience. Now, to achieve
that, we found that there's two things that CEOs and companies have to do, but in particular CEOs.
And the one thing is that they need to change the mindsets. So they need to change the way that they
think about cyber. And the second thing is
how they act. So change some of their playbooks. But in the report, we outlined four of these
mindsets in particular. And the first mindset relates to the idea of accountability. Now,
we asked all of the CEOs in our study whether they feel accountable for cybersecurity. And without exception,
all of them insisted that they are accountable for cybersecurity. They are, in fact, accountable for everything that happens in this business. But here's the funny twist. We also asked CISOs
in Europe and in the US if they believed that their CEOs feel accountable for cyber.
And 50% of the European CISOs said that they don't think that their CEOs feel accountable,
and so did 30% of CISOs from the US.
So there seems to be a gap in perception between accountability between the CISOs and the CEOs.
Now, the solution to this conundrum, we found by speaking to those CEOs who had been through
an attack.
And they said it's not enough to just feel accountable for cybersecurity.
Actually, what they need to become is co-responsible.
Now, that's a seemingly small change of mindset, but again, has big impacts.
Accountability is often associated with being the face of the mistake after something bad happens.
Co-responsibility means ongoing engagement before something happens.
And that is a big difference. So the quote that we included in the CEO report was from one of the CEOs who said, I am what I call co-responsible.
If you ask our CISO whether he feels responsible for cyber, he will say yes,
of course. But the CEO said it's important that he, as a business leader and CEO, also feels
co-responsible, not just accountable. You cannot delegate this fully to the expert. If you don't
feel responsible, then you don't participate in the dialogue, you don't evolve enough,
and then that will weaken your resilience. So the first mindset shift that we describe in the report is don't just be accountable,
become co-responsible.
Now, the second one on the list is move from blind trust to informed trust.
What's that about?
Yeah.
Now, trust is an interesting concept.
Now, any CEO has to trust his or her management team to do the right things.
But there seems to be something different when it comes to cybersecurity, because those CEOs who had endured a serious cyber attack had somewhat blamed themselves for being not more engaged in discussions around cyber resilience.
So in other words, they had blindly trusted their cybersecurity teams and their advisors that things were going
into the right direction. So they had treated the absence of a serious cyber attack as an indication
that their company is on the right track. But they said, having been through the attack,
that they should have stopped blindly trusting what everybody else was just saying and moved
away from that state of blind trust
to something that we call informed trust.
Now, a CEO will never become a cybersecurity professional, and there's always a big element
of trust.
But what we call informed trust means that CEOs need to be knowledgeable enough to be
able to ask the right questions and willing to engage
in an informed dialogue with the CISO and the cybersecurity team.
And now a message from our sponsor Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and
VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024. These traditional security tools expand your attack
surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement,
connecting users only to specific apps,
not the entire network,
continuously verifying every request based on identity and context. Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com/security.
You know, I always hear people recommend that it's up to the CISO to speak to the board of directors and the CEO in a language that they can understand.
And typically, that means addressing things in terms of business risk.
Does that need to be more of a two-way street? In other words, are you seeing that the CEOs need to take responsibility for learning a little more of that language when it comes to cybersecurity?
You're exactly right.
The two-way street is exactly how I would frame that.
So I think it's easy to just say to the CISOs, you need to speak the language of the CEO and the board.
And it's also too easy to say to the board and the CEO to become technical experts, right?
I think it's a two-way street here, and you have to meet somewhere in the middle.
Now, cybersecurity and technology is still a technological domain, frankly, right?
But CISOs and cybersecurity professionals, when they speak with their CEOs and their boards,
need to do that in a language that resonates with them.
And by the way, what we noticed, and I can share
this also anecdotally, is that the language of resilience very much resonates with the CEOs.
Now, when I started the first three interviews overall of this research project, I started the
conversation by going straight into a conversation about cybersecurity. And what that has led to was a lot of discomfort
on the other end of the conversation on the CEO side. And the reaction that I got was,
oh, I've got a great CISO. Do you want me to pull him or her in? And I said, no, no, no,
actually, we just want to have a conversation with you. And it's not too technical. But after
these first two or three interviews, I changed my approach. And the first question that I asked was about business resilience.
And I asked them questions about how their business had been able to go through the pandemic.
What made the business resilient, right?
What are some of the things that people have to do?
What systems they have in place?
And then I moved away from that business resilience to cyber resilience.
And then we spoke about cybersecurity. Now that small change has resulted
in a completely different dynamic of that conversation.
So I think, again, to what you said initially,
it's a two-way street.
I think CISOs and cybersecurity professionals
can put in a lot of effort to speak the language
of the board and the CEO,
but I think the board and the CEO can also do something
to become a bit more familiar with the world of cybersecurity and technology. The third element
you emphasize here is embrace the preparedness paradox. That's a fascinating turn of phrase to
me. What exactly are we talking about here with the preparedness paradox? Yeah, so we asked all of the CEOs to rate intuitively their organization's preparedness to respond to a serious cyber attack
on a scale from one to 10. So 10 was my organization is very well prepared to respond to a serious
cyber attack. And one was we're not prepared at all. Now notice the nuance here. We didn't ask
for their protective measures. We asked them how well the organization is prepared. Now, many CEOs admittedly didn't want
to answer the question, but of those who responded, a lot of them rated their preparedness
relatively high. So we're an eight, we're a nine, we're a seven and a half.
But here's the interesting thing. Those CEOs who had suffered a serious cyber attack
acknowledged that they too had previously believed that they were well prepared.
And they said that this was one of the biggest misconceptions that they had,
because the cyber attack showed them that their organization wasn't very well prepared to deal
with such a crisis. So what we said was, what we discovered was that there seems to be an inverse relationship
between the perception of preparedness and the actual organizational resilience.
Now, the reason for that is that if you believe that you're well prepared, that might lead
you to be becoming complacent, ultimately lowering the resilience.
So we call this the preparedness paradox.
The more prepared you believe you are, the less likely you are to exhibit high forms of
organization resilience. What we're saying is to solve this preparedness paradox is to embrace it,
to see or regard preparedness not as an achievable end state, but actually as something that you
continually challenge. So you'll never be fully prepared for something like that, right? But you
always need to be ready to respond. And you need to have a set of ongoing processes that continually
challenge the organization's preparedness. And that is the way to solve that preparedness paradox. Well, let's talk about the fourth item here. It's adapt your communication style
to regulate stakeholder pressure. Yeah. So the interesting thing here, and we spoke about this
already, was that experiencing a devastating cyber attack is a very emotional thing for a CEO or can be a very
emotional thing for a CEO. Now, interestingly, we also asked all of the CEOs whether they're
comfortable making decisions in the area of cybersecurity. Most of them, 72% said no,
they're uncomfortable making decisions in cybersecurity. That might be okay in the absence
of a cyber attack, but this is becoming a problem when the organization suffers a devastating cyber attack and the CEO is forced to make decisions.
Now, in that event of a serious cyber attack, there is going to be a lot of pressure from customers, from regulators who will want to come in and investigate, from shareholders, from the board.
They all exert
pressure on the CEO to demonstrate resilience. But at the same time, CEOs don't feel very
comfortable making decisions in the area. So what we're seeing is that there's four
communication styles that CEOs can use to regulate that stakeholder pressure in a meaningful way.
And the first one is that we're
calling it transmitter. And as a transmitter, the CEO pretty much just transmits all of that
pressure down to the organization that might be helpful in some instances, but not very helpful
in others. Now, the other, the second communication style that we outline is what we call the
amplifier. And this is especially helpful when the organization
is not suffering from a cyber attack. Because as an amplifier, the CEO needs to look around,
take some small pressure that's available out there and amplify it down to the organization
to embrace the preparedness paradox again. The third communication style that we outline is the
filter. And as a filter, the CEO only selectively
filters through some of the pressure to the organization in a meaningful way.
And the last communication style, the fourth one, is what we call the absorber. And as the absorber,
the CEO absorbs all of that external pressure and doesn't show that to the organization's employees.
Now, as an example of that fourth communication style,
there was one company that we studied who had suffered a devastating cyber attack.
And the day after the attack happened, that shut down all of the systems, the CEO hosted a town
hall meeting. And he started opening that town hall meeting by saying, you might be aware that
we're experiencing
a serious cyber attack. And we don't know what's happened. We don't know the impact of it.
But I want all of you to know that this isn't the fault of our cybersecurity or IT team. In fact,
they are the ones who are going to get us out of trouble. Now, he said that, even though there was
a lot of calls from shareholders, from the investors, from regulators, and from the board to demonstrate that they're recovering and going back to business without much loss of revenue or operational downtime.
But he didn't let that pressure transmit or go down through to the organization.
So the fourth mindset that we say is there is four communication styles that CEOs can use to regulate stakeholder pressure in a beneficial way.
What do you suppose sets cybersecurity apart from the other risks to a business that, it strikes me, a CEO would not have particular expertise in either? For example, a factory burns down. We don't have an expectation
of a CEO having expertise in preventing or fighting fires, but we expect the CEO to put
in place things to manage that risk. What's the difference here? I think there's probably three
differences. The first one is that usually some of these traditional crises are geographically
confined. So when a fire happens, that happens to one particular location, one factory, but it
doesn't happen instantaneously. Whereas in cyber, what we've seen is some of these cyber attacks
happen within minutes on a global scale. So I think that's probably one of those differences
to other types of enterprise risks. The second difference is that cybersecurity threats or risks
are emerging from the world of digital. It's a digital domain. It's not a traditional physical
domain like a fire or a flood, which sometimes seems to be different.
Now, there's other technological risks out there as well,
but they don't necessarily emerge from a malicious actor.
So there's somebody out there intentionally trying to cause harm in that digital space.
And the third difference, I would say, relates to the impact versus probability function of risk. Now with other types of risks,
it's fairly straightforward to calculate the impact of something happening, right? A flood
in a particular location has a certain type of impact, a fire has a certain type of impact,
but before the fact, it's really difficult in the domain of cyber to calculate a probabilistic
assumption of a specific type of impact. Now, there's a lot that's going on in the world of
cyber risk quantification that tries to address that problem. But I think it's more difficult
in the world of cyber to do that accurately, because you don't have years and years and
decades of experience and data in that space.
So what are your recommendations then for the CEOs who are out there doing their best to be prepared for this? What sort of things should they be putting in place? Yeah, it's a very good
question. And I've presented this piece of research to the CEO forum that we run together with our
investor, Temasek,
in Singapore. And there's three pieces of advice that I have given to CEOs and chairs.
And the first one is a bit controversial, and I'm just the messenger here. But the first thing that
I said to these CEOs and chairs was, don't just rely on your technology team. And this is
controversial,
but it's advice that the CEOs
who'd been through an attack had given me
because I also asked them,
what piece of advice would you give to your peers?
Now, the reason why they said this
is not so much to blame the cybersecurity
or technology teams that they're doing a bad job,
but it's for them to say,
well, you should, as CEOs,
become a bit more comfortable in that space and work more closely with the cybersecurity and technology teams.
And maybe sometimes also commission third-party audits that report the findings directly to the CEO.
So they get an unbiased view of what's happening in that company from a cybersecurity perspective.
So the first one, admittedly, is a bit controversial, but a lot of CISOs I've spoken with appreciate that as well,
because they said, well, actually, every third party validation is useful for us. And any
engagement that the CEO has on cyber is useful for us as well. So the first thing is don't just rely
on your technology team. The second piece of advice that I gave was set up a cyber resilience forum.
And it could be quarterly. There's a few businesses who do that quarterly. But if that seems to be too much, it's okay to do that every six months or even once a year. And the point of that cyber resilience forum that is chaired by the CEO isn't to hold anybody to account. And it doesn't sit as part of the formal governance processes of their business. The whole point of it is to create a safe space to exchange ideas and to discuss problems. And, of course, the CEO would work with the cybersecurity team to create the agenda, but if there's an attack on a competitor that had happened a couple of weeks before, maybe that is the thing to discuss in that meeting, and some of the lessons that the competitor or any other business had from that instance. So the whole point is create a safe space. It's okay to ask questions, and that should happen in a repeatable way. So set up a quarterly, six-monthly, 12-monthly cyber resilience forum.
And the third piece of advice that I give is pretty simple. And that is invite someone with cyber attack experience. So if you know anybody, another CEO, another business leader who's been through an attack, invite them to come to your leadership team and to present that to the entire leadership team. There's a lot of power in listening to these personal stories and to extracting these lessons that these people have had from having gone through such a serious attack. And this is actually something, the third thing that we're doing now at ISTARI as well, that we're providing training and educational services to boards where the whole core of it is that we have found a few of these people, these CEOs and chairs who are willing to share their experiences with other people, all in the benefit of the greater good.

It strikes me that one of the challenges that CEOs face is to approach this in a way that doesn't inadvertently put them in an adversarial position with their cybersecurity team, that this needs to be collaborative?
Yeah, I think there's something about collaboration within the company, but then there's also systematic collaboration across companies. So CEOs need to collaborate with their cybersecurity teams on cybersecurity, but also with HR and finance. I mean, some of the companies who had been through a devastating attack didn't know how to pay their employees. So, all of a sudden, it's an HR issue. And the finance people didn't communicate with the banks because the banks didn't want to receive any email from the company or any other form of electronic communication for fear of being breached as well. So collaboration needs to happen within the company, but also across companies. And we write about it in the report as well. Cybersecurity shouldn't be a domain of competition. There is no advantage to be gained from seeing cybersecurity as a competitive field. It should be a collaborative field. It should be a domain of non-competition, even in an industry, even within an industry. And there's been instances where competitors have reached out and sent resources because some other company had suffered from a devastating attack. Now, I am a big believer that cybersecurity shouldn't be a domain of competition, but of collaboration, even within the same industry.
A lot of companies who go through an attack don't necessarily see cybersecurity investment as a lose-lose situation anymore, right? Oftentimes, companies feel like if they invest in cybersecurity and they were attacked, they would lose reputation and profit. If the company was not attacked, all of that cybersecurity investment might be wasted and they overinvested in cybersecurity. But a lot of these companies who've been through an attack don't necessarily see that lose-lose situation. They instead see cybersecurity as an opportunity. I'm not saying a competitive advantage, but as an opportunity to drive business efficiency internally, right? And an opportunity to build deep relationships with stakeholders and key customers and with some of these suppliers. So, and this was the title of the paper that I published after my PhD. We actually called it, Make Cybersecurity a Strategic Asset. Don't see it as an operational thing, as an operational expense, but see it as a strategic opportunity.
Our thanks to Manuel Hepfer from ISTARI for joining us. The research is titled Make Cybersecurity a Strategic Asset. We'll have a link in the show notes.
Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.