A look into the emotions and anxieties of the highest levels of decision-making.
Dave Bittner: Hello, everyone, and welcome to CyberWire's "Research Saturday". I am Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly-evolving cyberspace. Thanks for joining us. [ Music ]
Manuel Hepfer: There's actually a story behind that report and it goes back to the research that I was doing when I was still in my PhD at Oxford University. I was exploring how three global companies had responded differently to the same cyber attack. And the cyber attack that I was studying at the time was NotPetya.
Dave Bittner: That's Manuel Hepfer. He's Head of Knowledge and Insights at ISTARI. The research we're discussing today is titled "Make Cybersecurity a Strategic Asset." [ Music ]
Manuel Hepfer: But what I did in each of these three companies was I got pretty good, in-depth access and I conducted about 15 to 20 interviews in each of these three companies with the IT engineers who went down in the trenches with the CISOs, the CIOs, the CEOs, and in some instances the chairpersons as well. And I was comparing their resilience, I was comparing what works and what doesn't work. And what came from that research was that there's a lot of things that companies do differently in the wake of a devastating cyber attack. And all of these interviews and conversations that I had were quite insightful. But the one type of conversation actually stood out and that was the interviews that I had with the chief executive officers, the three in each of these companies. And they stood out to me because to them, what they had suffered, what they had experienced at the time was something that they had never experienced in their career before. And I remember sitting in the executive office of one of these CEOs in another European country and I still remember two of those things that the CEO had said to me. And the first thing that he said to me was that before the attack happened, it was completely impossible to think that anything can put us out of business. Now, bear in mind this was a multibillion, $60 billion business at the time in revenue so it was a massive, massive business, right? Now, the other thing that he said to me was, "This was the first time in my career that I had no intuitive idea on how to move forward. This was the worst experience in my career." And I thought, well, this is quite strong language from a CEO of another, you know, large global company. And I published a smaller report, a small article in MIT Sloan Management Review on the back of my Ph.D. research that went into some of the findings of what works and what doesn't and what some of the things are that companies have to consider when they respond to an attack.
But then I joined this company called ISTARI, which is based in London. And after I had joined it, I joined as a research analyst. And after I had joined, the CEO of that company asked me, she really is a big fan of the research that I was doing at the time of my Ph.D., and she asked me to do another research project that is really difficult to do, that really changes the way that people think about some of these issues in cybersecurity. Now, I took on the task but I reflected on that and, as you know, the cybersecurity domain is a very noisy and very crowded space, and it's really difficult to do something from a thought leadership and research perspective that hasn't been done before. But then I remember the conversation that I had with that CEO, with the three CEOs during my Ph.D., and I actually thought that there is something interesting there because, for years, the cybersecurity world in the community has had this belief that cybersecurity needs to be led from the top, that it's a CEO issue. But to my surprise, and I looked around, no one had actually asked CEOs how they manage cybersecurity risk, and looked into their perspectives in a systematic way speaking to those CEOs who have suffered from an attack in a very systemic and structured way, and I thought that's an opportunity, right? Because despite all of that talk in the cybersecurity community, no one has actually ever done that. So, this is the background story of how the idea of that research project came to life. And what we then did was we had conducted 39 one-hour-long interviews with CEOs of large global companies, nine of whom had suffered a devastating attack. Now, we purposefully sampled those nine because we wanted to compare their voices and their experiences to those CEOs that had not yet suffered a devastating attack. So, that was kind of the quick summary, the quick background story of how that research came to life.
Dave Bittner: It really is fascinating. And I have to say to our listeners, this is a report that is worth your time and worth checking out. One of the things that really struck me was the difference between the CEOs who had been through a major event and the ones who had not. Can you describe to us what you uncovered there in terms of that difference in mindset?
Manuel Hepfer: Yeah, yeah. So, what we discovered was three overarching things. And the first thing is actually in the title of the report. Now, if you look in the title of the report, it doesn't say the CEO report on cybersecurity, it actually says the CEO report on cyber resilience. And that's the first big thing that we found when we compared those CEOs who had suffered an attack to those that had not yet suffered an attack. Because those that had endured a serious attack realized that they and their organizations have to move beyond just hardening their enterprises' cybersecurity defenses to creating organizational resilience to cyber attack. Now, what some of these CEOs have told us was that they had spent years and years of investments in creating cybersecurity defenses but they realized that when they were suffering from an attack that their organization was lacking sometimes even the most basic forms of resilience. And that is a seemingly small change in approach but it has direct and big impacts on the consequences. Now, when you speak to the cybersecurity world, there is a lot of frameworks out there and I'm sure you're familiar with most of them. But I think the most common one, at least in the US, is the NIST framework. And you look at the distribution of these five different domains identify, detect, protect, respond, and recover, all of these subcategories are actually skewed towards the protection side of things. So, 80% of these sub-controls, I think there's 108 of them, are classified in identify, detect, and protect, and only 20% of them are in the response and recovery side of things, which oftentimes is associated with resilience. Now, I think resilience is broader than that. 
But I think what a lot of organizations realize who have been through an attack is that they had probably over-invested in creating defenses and protective measures and under-invested in creating resilience, right, creating organizational forms of resilience, not just technological backup resiliencies, right? So, that's the first thing that we discovered, right? Move beyond hardening cybersecurity protections to creating organizational resilience to cyber attack.
Dave Bittner: Let me ask you why do you suppose that is, I mean, why was there such a lower emphasis on resilience versus hardening that border?
Manuel Hepfer: I think there's probably two -- at least two reasons for that. And the first reason is that cybersecurity as a domain has emerged from the field of computer science and technology. So, what happened over the last couple of years, and we're seeing less and less of that, is that cybersecurity or IT security is seen as a technological domain and a technological problem that requires technological solutions. Now, when you're suffering from a cyber attack that disables your technology, yes, there is a lot that needs to be done from a technological perspective but there is a lot of things that also don't require technology but that require innovation, that require business continuity, that require organizational ways of continuing to work and recovering that don't necessarily have something to do with technology. So, the first thing is probably the heritage that cybersecurity has because it emerged from this technological domain, right? And the second thing -- or that's a hypothesis that I have -- is that it relates to the cognition or sometimes cognitive biases of people as well. So, there's actually some interesting research that was done that compared how people would allocate investment into risk measures. And it was a controlled laboratory experiment and the investment they could allocate either towards preventive measures or to reactive measures after something had gone wrong, and what came out of that study was that most people tend to over-invest in protective or preventive measures while neglecting some of the responsive measures as well. And I think there is something cognitive to that side as well because what's more cognitively available to you is actually the prevention, right? This is something that you do on a day-to-day basis. Whereas the hypothetical scenario of a response is more cognitively distant to you.
Dave Bittner: You know, one of the things that struck me as I was reading through this was that I can't think of an example of a CEO of a non-cyber company who came up through the ranks from a cybersecurity position within the organization.
Manuel Hepfer: Yeah. I think you're spot on there. And this is also something that we looked at as well. I think there's very few CEOs of non-technology, non-cyber companies who have a technological background but I don't think there's anyone, any CEO right now that has a background in cybersecurity. And there's a danger to that as well because sometimes what happens when you are an executive or a CEO, and that's just the nature of the job, is that there's so many different and competing demands on you that comes to your attention or your resources that sometimes people and executives tend to allocate attention and resources to those things that they're most familiar with. And because cybersecurity is often perceived to be this daunting, difficult-to-grasp domain that speaks with a lot of acronyms that don't mean anything to the normal business executive that means that sometimes cybersecurity receives less attention because it's so daunting. So, I think you're spot on, right? There's only very few people who have moved up through the ranks of technology and I don't think there's any who have moved up through the ranks of cybersecurity at least in these days.
Dave Bittner: Another thing that struck me as I was reading the report was the emotional component of this amongst the CEOs that you interviewed, the ones who had been through a major event. There's a quote in the report where you quote a CEO of a $4 billion US company who says, "Whenever I speak to a group of CEOs to share my learnings from the cyber attack, I start by saying put down your phone for 15 minutes, you want to listen carefully to what I have to tell you." That's a powerful statement.
Manuel Hepfer: Yeah. We were actually surprised or I was surprised by some of the candor and honesty by which the CEOs spoke to us. So, we granted anonymity and confidentiality and sometimes it almost felt like a counseling session, if I'm allowed to say that. Now, if you are a CEO, pretty much the entire company rests on your shoulders. And some of these devastating cyber attacks feel very much existential. Now, there's only very few companies who have actually filed for bankruptcy after a cyber attack but that doesn't mean that their existence while they are happening shouldn't feel existential. So, there's the anxiety of these business leaders that a company is going to die on their watch. And I don't think this is something that people want to go through. Now, we've done some of these interviews after the pandemic as well, so we could compare, and we could ask some of these CEOs how the experience of the cyber attack compared to other kinds of organizational crises. And what we got was that cyber attacks feel much more personal and much more emotional for whatever reason. I think there is a few potential hypotheses about why that's the case. I mean, the pandemic was happening to virtually every organization so there was a sense of collective suffering whereas cyber attacks usually isolate companies and oftentimes they're not fully public. But there is certainly a huge emotional toll when responding to an attack. And I think another reason for that is because there is so much uncertainty about the impact, about the origins, about the attacker. There is -- you know that there is somebody out there who is trying to intentionally create harm and cause damage to you, right? There is a cat and mouse play, there is a game theory like exploration of negotiations when it comes to ransoms, right? So, it feels much more personal as opposed to a fire or a pandemic.
And I remember speaking to one of the CEOs of the study who had said like -- I think the quote that he said was the attack felt like somebody was reaching inside of his guts and repeatedly wrenching them out. I think that was somewhat the quote that I have in my mind still. And I think that was a very powerful way of describing that feeling.
Dave Bittner: Well, the report includes what you describe as four mindsets that every CEO should adopt. Can we go through those four items together?
Manuel Hepfer: Yeah. Yeah, of course. So, the first finding that we had was that organizations should move beyond cybersecurity to something that is more organizational resilience. Now, to achieve that, we found that there are two things that CEOs and companies have to do, but in particular CEOs, and the one thing is that they need to change the mindsets. So, they need to change the way that they think about cyber. And the second thing is how they act, so change some of those playbooks. But in the report, we outlined four of these mindsets in particular. And the first mindset relates to the idea of accountability. Now, we asked all of the CEOs in our study whether they feel accountable for cybersecurity. And without exception, all of them insisted that they are accountable for cybersecurity. They are in fact accountable for everything that happens in this business. But here's the funny twist. We also asked CISOs in Europe and in the US if they believed that their CEOs feel accountable for cyber. And 50% of the European CISOs said that they don't think that their CEOs feel accountable, and so did 30% of CISOs from the US. So, there seems to be a gap in the perception of accountability between the CISOs and the CEOs. Now, the solution to this conundrum we found by speaking to those CEOs who had been through an attack. And they said it's not enough to just feel accountable for cybersecurity. Actually, what they need to become is co-responsible. Now, that's a seemingly small change of mindset but again, has big impacts. Accountability is often associated with being the face of the mistake after something bad happens. Co-responsibility means ongoing engagement before something happens. And that is a big difference. So, the quote that we included in this CEO report was from one of the CEOs who said, "I am what I call co-responsible. If you ask our CISO whether he feels responsible for cyber, he will say yes, of course."
But the CEO said it's important that he as a business leader and CEO also feels co-responsible, not just accountable. You cannot delegate this fully to the expert. If you don't feel responsible, then you don't participate in the dialogue, you don't evolve enough, and then that will weaken your resilience. So, the first mindset shift that we describe in the report is don't just be accountable, become co-responsible.
Dave Bittner: Now, the second one on the list is move from blind trust to informed trust. What's that about?
Manuel Hepfer: Yeah. Now, it's -- trust is an interesting concept. Now, any CEO has to trust his or her management team to do the right things. But there seems to be something different when it comes to cybersecurity. Because those CEOs who had endured a serious cyber attack had somewhat blamed themselves for not being more engaged in discussions around cyber resilience. So, in other words, they had blindly trusted their cybersecurity teams and their advisors that things were going in the right direction. So, they had treated the absence of a serious cyber attack as an indication that their company is on the right track. They said, having been through the attack, that they should have stopped blindly trusting what everybody else was just seeing and moved away from that state of blind trust to something that we call informed trust. Now, a CEO will never become a cybersecurity professional. And there is always a big element of trust. But what we call informed trust means that CEOs need to be knowledgeable enough to be able to ask the right questions and willing to engage in an informed dialogue with the CISO and the cybersecurity team. [ Music ]
Dave Bittner: You know, I always hear people recommend that it's up to the CISO to speak to the board of directors and the CEO in a language that they can understand. And typically that means addressing things in terms of business risk. Does that need to be more of a two-way street, in other words, does -- are you saying that the CEOs need to take responsibility for learning a little more of that language when it comes to cybersecurity?
Manuel Hepfer: You're exactly right. The two-way street is exactly how I would frame that. So, I think it's easy to just say to the CISOs you need to speak the language of the CEO and the board, and it's also too easy to say to the board and the CEO to become technical experts, right? I think it's a two-way street here and you have to meet somewhere in the middle. Now, cybersecurity and technology is still a technological domain frankly, right? But CISOs and cybersecurity professionals when they speak with their CEOs and their boards need to do that in a language that resonates with them. And, by the way, what we noticed and I can share this also anecdotally, is that the language of resilience very much resonates with the CEOs. Now, when I started the first three interviews overall of this research project, I started the conversation by going straight into a conversation about cybersecurity. And what that has led to was a lot of discomfort on the other end of the conversation on the CEO side. And the reaction that I got was, "Oh, I've got a great CISO, do you want me to pull him or her in?" And I said, "No, no, actually we just want to have a conversation with you. And it's not too technical." But after these first two or three interviews, I changed my approach. And the first question that I asked was about business resilience. And I asked them questions about how their business had been able to go through the pandemic, what made the business resilient, right, what are some of the things that people have to do, what systems they have in place. And then I moved away from that business resilience to cyber resilience and then we spoke about cybersecurity. Now, that small change has resulted in a completely different dynamic of that conversation. So, I think, again, to what you said initially, it's a two-way street. 
I think CISOs and cybersecurity professionals can put in a lot of effort to speak the language of the board and the CEO but I think the board and the CEO can also do something to become a bit more familiar with the world of cybersecurity and technology.
Dave Bittner: The third element you emphasized here is embrace the preparedness paradox. That's a fascinating turn of phrase to me. What exactly are we talking about with the preparedness paradox?
Manuel Hepfer: Yeah, so we asked all of the CEOs to rate intuitively their organization's preparedness to respond to a serious cyber attack on a scale from 1 to 10. So, 10 was "My organization is very well prepared to respond to a serious cyber attack" and one was "We're not prepared at all." Now, notice the nuance here. We didn't ask for their protective measures, we asked them how well the organization is prepared. Now, many CEOs admittedly didn't want to answer the question. But of those who responded, a lot of them rated their preparedness relatively high. So, we're an eight, we're a nine, we're a seven and a half. But here's the interesting thing. Those CEOs who had suffered the serious cyber attack acknowledged that they too had previously believed that they were well prepared. And they said that this was one of the biggest misconceptions that they had because this cyber attack showed them that their organization wasn't very well prepared to deal with such a crisis. So, what we said was -- what we discovered was that there seems to be an inverse relationship between the perception of preparedness and the actual organizational resilience. Now, the reason for that is that if you believe that you're well prepared that might lead you to becoming complacent, ultimately lowering the resilience. So, we call this the preparedness paradox. The more prepared you believe you are, the less likely you are to exhibit high forms of organizational resilience. What we're saying is that the way to solve this preparedness paradox is to embrace it, to see or regard preparedness not as an achievable end state but actually as something that you continually challenge. So, you'll never be fully prepared for something like that, right? But you always need to be ready to respond. And you need to have a set of ongoing processes that should continually challenge the organization's preparedness. And that is the way to solve that preparedness paradox.
Dave Bittner: Well, let's talk about the fourth item here. It's adapt your communication style to regulate stakeholder pressure.
Manuel Hepfer: Yeah. So, the interesting thing here, and we spoke about this already, was that experiencing a devastating cyber attack is a very emotional thing for a CEO or can be a very emotional thing for a CEO. Now interestingly, we also asked all of the CEOs whether they're comfortable making decisions in the area of cybersecurity. Most of them, 72%, said no, they're uncomfortable making decisions in cybersecurity. That might be okay in the absence of a cyber attack, but this becomes a problem when the organization suffers a devastating cyber attack and the CEO is forced into having to make decisions. Now, in that event of a serious cyber attack, there's going to be a lot of pressure from customers, from regulators who will want to come in and investigate, from shareholders, from the board; they all exert pressure on the CEO to demonstrate the resilience. But at the same time, CEOs don't feel very comfortable making decisions in the area. So, what we're seeing is that there are four communication styles that CEOs can use to regulate that stakeholder pressure in a meaningful way. And the first one is what we're calling the transmitter. And as a transmitter, the CEO pretty much just transmits all of that pressure down to the organization. That might be helpful in some instances but not very helpful in others. Now, the other, the second communication style that we outline is what we call the amplifier. And this is especially helpful when the organization is not suffering from a cyber attack. Because as an amplifier, the CEO needs to look around, take some small pressure that's available out there, and amplify it down to the organization to embrace the preparedness paradox again. The third communication style that we outlined is the filter. And as a filter, the CEO only selectively filters through some of the pressure to the organization in a meaningful way. And the last communication style, the fourth one, is what we call the absorber.
And as the absorber, the CEO absorbs all of that external pressure and doesn't show that to the organization's employees. Now, as an example of that fourth communication style, there was one company that we studied who had suffered a devastating cyber attack, and the day after the attack happened that shut down all of the systems, the CEO hosted a town hall meeting. And he started opening that town hall meeting by saying, "You might be aware that we're experiencing a serious cyber attack. And we don't know what's happened, we don't know the impact of it, but I want all of you to know that this isn't the fault of our cybersecurity or IT team, in fact, they are the ones who are going to get us out of trouble." Now, he said that even though there were a lot of calls from shareholders, from investors, from regulators, and from the board to demonstrate they're recovering and they're going back to business without much loss of revenue or operational downtime. But he didn't let that pressure transmit or go down through to the organization. So, the fourth mindset that we describe is that there are four communication styles that CEOs can use to regulate stakeholder pressure in a beneficial way.
Dave Bittner: What do you suppose sets cybersecurity apart from the other risks to a business that it strikes me a CEO would not have particular expertise in either? For example, you know, a factory burns down, we don't have an expectation of a CEO having expertise in preventing or fighting fires but we expect the CEO to put in place things to manage that risk. What's the difference here?
Manuel Hepfer: I think there's probably three differences. The first one is that usually some of these traditional crises are geographically confined. So, when a fire happens that happens to one particular location, in one factory, but it doesn't happen instantaneously. Whereas in cyber, what we've seen is some of these cyber attacks happen within minutes on a global scale. So, I think that's probably one of those differences to other types of enterprise risks. The second difference is that cybersecurity threats or risks are emerging from the world of digital, you know, it's a digital domain, it's not a traditional physical domain like a fire or a flood, which sometimes seems to be different. Now, there's other technological risks out there as well. But they don't necessarily emerge from a malicious actor. So, there is somebody out there intentionally trying to cause harm in that digital space, right? And the third difference I would say is -- relates to the impact versus probability function of risk. Now, with other types of risks, it's fairly straightforward to calculate the impact of something happening, right, a flood in a particular location has a certain type of impact, a fire has a certain type of impact. But before the fact, it's really difficult in the domain of cyber to calculate a probabilistic assumption of a specific type of impact. Now, there's a lot that's going on in the world of cyber risk quantification that tries to address that problem but I think it's more difficult in the world of cyber to do that accurately because you don't have years and years and decades of experience and data in that space.
Dave Bittner: So, what are your recommendations then for the CEOs who are out there doing their best to be prepared for this? What sort of things should they be putting in place?
Manuel Hepfer: Yeah, it's a very good question. And I've presented this piece of research to the CEO forum that we run together with our investor Temasek in Singapore. And there are three pieces of advice that I've given to CEOs and chairs. And the first one is a bit controversial, and I'm just the messenger here. But the first thing that I said to these CEOs and chairs was don't just rely on your technology team. And this is controversial but it's advice that the CEOs who had been through an attack had given me because I also asked them, "What piece of advice would you give to your peers?" Now, the reason why they said this is not so much to blame the cybersecurity or technology teams that they're doing a bad job, but it's for them to say, well, you should as CEOs become a bit more comfortable in that space and work more closely with the cybersecurity and technology teams, and maybe sometimes also commission third-party audits that report the findings directly to the CEO so they get an unbiased view of what's happening in that company from a cybersecurity perspective. So, the first one admittedly is a bit controversial but a lot of CISOs I have spoken with appreciate that as well because they said, "Well, actually, every third-party validation is useful for us, and any engagement that the CEO has on cyber is useful for us as well." So, the first thing is don't just rely on your technology team. The second piece of advice that I gave was set up a cyber resilience forum and it could be quarterly, there's a few businesses who do that quarterly, but if that seems to be too much, it's okay to do that every six months or even once a year. And the point of that cyber resilience forum that is chaired by the CEO isn't to hold anybody to account and it doesn't sit as part of the formal governance processes of their business. The whole point of it is to create a safe space to exchange your ideas and to discuss problems.
And, of course, the CEO would work with the cybersecurity team to create the agenda. But if there's an attack on a competitor that had happened a couple of weeks before, maybe that is the thing to discuss in that meeting and some of the lessons that the competitor or any other business had from that instance. So, the whole point is to create this safe space, it's okay to ask questions, and that should happen in a repeatable way. So, set up a quarterly, six-monthly, 12-monthly cyber resilience forum. And the third piece of advice that I give is pretty simple and that is invite someone with cyber attack experience. So, if you know anybody, another CEO, another business leader who's been through an attack, invite them to come to your leadership team and to present that to the entire leadership team. There is a lot of power in listening to these personal stories and to extracting these lessons that these people have had from having gone through such a serious attack. And this is actually something, the third thing that we're doing now at ISTARI as well, that we're providing training and educational services to boards where the whole core of it is that we have found a few of these people, these CEOs and chairs who are willing to share their experiences with other people, all in the benefit of the greater good.
Dave Bittner: It strikes me that one of the challenges that CEOs face is to approach this in a way that doesn't inadvertently put them in an adversarial position with their cybersecurity team, that this needs to be collaborative.
Manuel Hepfer: Yeah. I think there's something about collaboration within the company. But then there's also systematic collaboration across companies. So, CEOs need to collaborate with their cybersecurity teams on cybersecurity but also with HR and finance. I mean, some of the companies who had been through a devastating attack didn't know how to pay their employees. So, all of a sudden, it's an HR issue. And the finance people couldn't communicate with their banks because the banks didn't want to receive any email from the company or any other form of electronic communication for fear of being breached as well. So, collaboration needs to happen within the company but also across companies. And we write about it in the report as well. Cybersecurity shouldn't be a domain of competition. There is no advantage to be gained from seeing cybersecurity as a competitive field. It should be a collaborative field, it should be a domain of non-competition even in an industry, even within an industry. And there's been instances where competitors have reached out and sent resources because some other company had suffered from a devastating attack. Now, I am a big believer that cybersecurity shouldn't be a domain of competition but of collaboration even within the same industry. A lot of companies who go through an attack don't necessarily see cybersecurity investment as a lose-lose situation anymore, right? Oftentimes companies feel like if they invest in cybersecurity and they were attacked, they would lose reputation and profit. If their company was not attacked, all of that cybersecurity investment might be wasted and they over-invested in cybersecurity. But a lot of these companies who have been through an attack don't necessarily see that lose-lose situation, they instead see cybersecurity as an opportunity. I'm not seeing it as a competitive advantage but as an opportunity to drive business efficiency internally, right?
And an opportunity to build deep relationships with stakeholders and key customers and with some of these suppliers. So, and this was the title of the paper that I published after my Ph.D., we actually called it "Make Cybersecurity a Strategic Asset." Don't see it as an operational thing, as an operational expense, but see it as a strategic opportunity. [ Music ]
Dave Bittner: Our thanks to Manuel Hepfer from ISTARI for joining us. The research is titled "Make Cybersecurity a Strategic Asset." We'll have a link in the show notes. [ Music ] The CyberWire "Research Saturday" podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe. And I am Dave Bittner. Thanks for listening. [ Music ]