Many factors play into a company’s cybersecurity strategy, but to be truly effective, it all has to start in the CEO’s corner office. That’s according to a former vice chairman of the Joint Chiefs of Staff, who is now helping Georgia Tech teach cybersecurity lessons to those leading Atlanta’s Fortune 500 firms and founders trying to launch startups.
“The very high-profile (security) incidents that have occurred have put CEOs and CSOs on the skyline and maybe cost them their jobs,” said Ret. Adm. James A. Winnefeld, a professor at Georgia Tech’s Sam Nunn School of International Affairs. “An important characteristic is the deep involvement of senior leadership, both in establishing a good culture in cybersecurity and being active in decision making.”
Those factors, plus heightened liability and compliance requirements for data security, prompted Winnefeld to establish the Cybersecurity Leadership Program, which recently completed its first week-long course for 38 company executives and organizational leaders. Five Georgia Tech schools and institutes took part in the program in addition to the Nunn school: Georgia Tech Professional Education, Georgia Tech Research Institute, the Georgia Tech School of Public Policy and the Institute for Information Security and Privacy.
Winnefeld joined Georgia Tech’s faculty last year after a distinguished military career that included leading the U.S. Northern Command and the North American Aerospace Defense Command (NORAD). He said the program’s goal is to provide a crash course of sorts in the latest technological aspects of cybersecurity and its policy, legal, and human aspects. “Obviously, cybersecurity is increasing in importance to business and government, and it seems clear to us that a lot of executives rising to be senior executives are uncomfortable with their knowledge even as they’re taking more responsibility for cybersecurity,” he said.
There’s also the “big swirl of information” that’s available involving data security, “all the way from the tactical level of what companies are trying to do, to the laws and risks and policies. We thought it would be wise to put together a program appealing to the next generation of C-suite people, and we could bring people together with some considerable expertise that Georgia has in all those disciplines.”
That roster included Russell Eubanks, vice president and chief information security officer, Federal Reserve Bank of Atlanta; Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike Inc.; and Dr. Wenke Lee, professor of computer science and co-director of the Institute for Information Security and Privacy at Georgia Tech.
What kinds of questions did this roster of experts and Winnefeld hear from the inaugural class? Many attendees wanted to know if their knowledge was keeping pace with the state of the art in cybersecurity, he said. There also was interest in legal and policy issues that are “becoming more complicated. It was a very attentive audience with lots of good questions. We think we’re hitting a good chord here.”
The last few years of data breaches and attacks have forced companies to educate themselves quickly on cybersecurity initiatives. Georgia Tech’s 2016 Emerging Cyber Threats Report found that data security mentions in SEC filings jumped 74 percent over the last four years. PwC’s 2016 Global Survey on Information Security reported a 38 percent increase in incidents last year, and intellectual property theft was up 56 percent from 2014.
As it turned out, real life offered up a valuable teaching lesson for the first Cybersecurity Leadership Program. The inaugural class gathered the same week as the 2016 Democratic National Convention, which was reeling over an email hack that cost DNC chair Debbie Wasserman Schultz her job. Security experts say the hack may have originated in Russia.
Winnefeld said the news illustrated the obstacles facing executives as they try to protect their customers’ data. They have to comply with laws and personal privacy issues and restraints on what the government can do. “You’re up against a set of adversaries that don’t have those restraints at all. They can deny it, use surrogates to do it. There is an asymmetric problem here. On top of that is the incredibly fast-paced and dynamic nature of the cybersecurity business.”
As the risks mount, the role of businesses large and small in the private sector takes on more importance. Yet many are still in the denial phase: “It’s not going to happen to me,” Winnefeld said. “Other more farsighted businesses have recognized that they may not feel like they’ve been hacked, but may have been and don’t know it. They’ve recognized vulnerabilities in their businesses and are taking steps to try and fix those vulnerabilities. The really insightful companies out there realize this is a journey, not a destination. They’ll never have complete cybersecurity, but they need to strive for it every day.”
Smart companies aren’t just relying on one aspect of cybersecurity, such as their perimeters, but also securing their data and ensuring they can detect malicious players within their networks. “We’re spending a considerable amount of attention on human performance,” he said.