Recently, my agency, Prosek Partners, hosted consultant and former National Security Agency deputy director John Chris Inglis at an April Corporate Communicators Roundtable luncheon in New York.
Inglis, who spoke about how companies can cope with the cybersecurity challenges of today and tomorrow, said that while there are many false assumptions regarding cybersecurity, the most dangerous is the belief that it’s merely a technology problem.
“Think about the movie ‘The Imitation Game,’” said Inglis. “People think that Alan Turing defeated the Germans’ Enigma Box. But he never truly figured out a way to beat a properly configured box. What he defeated were the Germans who didn’t use the box right.”
Inglis says companies should think of cybersecurity in three parts: people, processes and technology, in that order, with each link in the chain progressively stronger than the one before it. That ordering makes people the weakest link, so companies looking to protect themselves should think less about the technology and more about the operations behind it.
“True security is not possible,” Inglis said. “The best you can do is make your system defensible and well-defended.”
This means companies should think hard about what they put online and why. Has your company moved so much of its operations online that it is now more vulnerable? Is critical data segregated from other data? Is there two-factor authentication to access this data?
Next, look at the people. Companies should know who is on their network at any given time and make sure those people have a reason to be there. They also should make sure employees understand at least the basics about how their company’s network operates so they know how to minimize vulnerabilities and what they are accountable for.
“Instead of trying to defend the perimeter as the main effort, companies should focus on defending the data,” said Inglis. “The data is the embodiment of the wealth and treasure, corporate capabilities, and business viability. It doesn’t matter if the perimeter is ‘secure’ if the data is at risk.”
“Study behaviors that are interacting with your data, then act as soon as you see an anomaly,” Inglis continued. “Mandiant, a security consultant, says it typically gets called in more than 200 days after a breach. That’s like calling the fire department after the fourth alarm has already gone off.”
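One way to put that advice into practice is to baseline each user's normal interaction with sensitive data and alert the moment a session departs from it, then measure how long the alert sat before anyone acted. The script below is an added illustration and is not code from the article, from Inglis or from Mandiant; the log format, user names, hosts, record counts and the thresholds (three sessions of baseline, three standard deviations) are all constructed for the example.

```python
"""Baseline-and-anomaly check over data-access events.

Added illustration, not code from the original article. The log format,
user names, hosts, counts and thresholds below are constructed for the
example; a real deployment would read them from its own access logs.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. Fields: timestamp, user, source host,
# number of sensitive records read in that session.
SAMPLE_LOG = """\
2015-03-02T09:14:00 alice ws-alice 120
2015-03-03T09:20:00 alice ws-alice 130
2015-03-04T09:05:00 alice ws-alice 110
2015-03-05T09:40:00 alice ws-alice 125
2015-03-06T02:10:00 alice vpn-gw-7 9800
2015-03-02T10:00:00 bob ws-bob 40
2015-03-03T10:05:00 bob ws-bob 45
2015-03-04T10:02:00 bob ws-bob 38
2015-03-05T10:11:00 bob ws-bob 42
2015-03-06T10:09:00 bob ws-bob 41
"""

MIN_BASELINE = 3   # sessions needed before a user is scored at all (assumed)
Z_THRESHOLD = 3.0  # standard deviations above the user's own mean (assumed)


def parse_log(text):
    """Parse the constructed log into (timestamp, user, host, count) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, count = line.split()
        events.append((datetime.fromisoformat(ts), user, host, int(count)))
    return sorted(events)


def find_anomalies(text):
    """Score each session against that user's own history.

    Returns a list of (timestamp, user, reasons) for sessions that either
    came from a host the user has never used before or read far more
    records than the user's baseline. Flagged sessions are not folded into
    the baseline, so one large read cannot raise the bar for the next one.
    """
    history = defaultdict(list)    # user -> record counts of normal sessions
    known_hosts = defaultdict(set)  # user -> hosts seen in normal sessions
    flagged = []
    for ts, user, host, count in parse_log(text):
        reasons = []
        if len(history[user]) >= MIN_BASELINE:
            if host not in known_hosts[user]:
                reasons.append(f"new host {host}")
            base_mean = mean(history[user])
            spread = max(pstdev(history[user]), 1.0)  # floor avoids dividing by zero on a flat baseline
            z = (count - base_mean) / spread
            if z > Z_THRESHOLD:
                reasons.append(f"{count} records, {z:.1f} sd above baseline {base_mean:.0f}")
        if reasons:
            flagged.append((ts, user, reasons))
        else:
            history[user].append(count)
            known_hosts[user].add(host)
    return flagged


def days_until_response(flagged, response_at):
    """Whole days between the earliest flagged session and when someone acted on it."""
    if not flagged:
        return None
    if isinstance(response_at, str):
        response_at = datetime.fromisoformat(response_at)
    first = min(ts for ts, _, _ in flagged)
    return (response_at - first).days


if __name__ == "__main__":
    hits = find_anomalies(SAMPLE_LOG)
    for ts, user, reasons in hits:
        print(ts.isoformat(), user, "; ".join(reasons))
    # The same alert with two response times: acting that morning versus
    # a response around the 200-day mark quoted in the article.
    print("same-day response:", days_until_response(hits, "2015-03-06T09:00:00"), "days")
    print("late response:", days_until_response(hits, "2015-09-23T02:10:00"), "days")
```

Only alice's 02:10 session is flagged, for two independent reasons (an unseen source host and a read volume far outside her baseline); bob's ordinary variation never trips the threshold. The second function is the point of the quote: the detection is the same either way, and what separates a contained incident from a 200-day breach is how long the flagged session waits for a response.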
As the second-highest ranking official at the NSA when Edward Snowden leaked secret information about the agency, Inglis experienced what it’s like to deal with a data breach firsthand. His advice to companies dealing with their own security breaches is to be transparent with the public and employees and stay focused on the broader mission.
“One thing I didn’t expect was that people were so willing to believe the worst about us,” said Inglis. “The information Snowden leaked showed that we were following the law and doing exactly what Congress authorized us to do. But that’s not the message that came through.”
Inglis blames this on the NSA’s low profile prior to the leaks.
“We weren’t out there telling our story,” he said. “No one knew anything about us, and this allowed someone else to take control of our narrative.”
The NSA was more successful internally, where the agency’s leadership was able to clearly explain the context around the leaks and remind employees of why they chose to work for the agency in the first place.
It’s interesting to note that while the threats that face companies are evolving faster than ever, the tenets for preserving reputation in the face of those threats remain the same: Know what your brand stands for, deliver on that promise daily, and be transparent with your stakeholders through good and bad.
* * *
Hal Bienstock is a senior vice president at Prosek Partners.