We all know the names: Target, Equifax, Sony, Yahoo, Marriott. If you were directly affected by those cyber breaches, you might even remember where you were when you first learned about them.
My first education about the scope and breadth of cybersecurity came in preparation for sharing the stage with Governor Tom Ridge at an investor conference in 2015. Governor Ridge, the former Secretary of Homeland Security, spoke to a large, rapt audience about cybersecurity in a way that many – including me – had never heard before.
In an era when cybersecurity dogma was focused on prevention, Governor Ridge admonished those in attendance that cyber breaches were 100 percent inevitable.
The real challenge, he said, was resilience.
During the ensuing three years or so, I didn’t hear anyone else speak in such a stark, authoritative manner about cybersecurity, until I met Ray Rothrock at an event in San Francisco. Like many who reside in Northern California and are in the investment business, I certainly knew of Ray and his successful track record of providing venture capital to cybersecurity companies.
A few minutes into our conversation, he described a book he had just published that was focused on resilience within the context of cybersecurity.
I’m sure the expression on my face changed immediately when he said that word, and I told him about my time spent with Governor Ridge. A few weeks later, Ray was kind enough to send me his book, and I’m really glad he did.
Rothrock’s Digital Resilience: Is Your Company Ready for the Next Cyber Threat (Amacom, 2018) is spread over eight chapters and approximately 230 pages, and begins with a deft foreword by Richard A. Clarke:
“…a dollar spent on efforts to preemptively mitigate the damage is money better spent than a dollar spent trying to prevent network penetration altogether.”
I often find that books about technical subjects can get so mired in “techno-speak” that they are not only cumbersome to read, but nearly impossible for lay people to apply.
Fortunately, Rothrock’s book couldn’t be more user-friendly.
The great strength of Digital Resilience is that it’s laid out in a “handbook” style, with scores of “action items” and “takeaways” that foster a pragmatic tone versus an academic one.
In short, it’s the kind of book that will end up covered with a lot of post-its and margin comments, and will likely be referred to over and over again.
Some poignant excerpts:
- “A network can only be secure or efficient. It cannot be both.”
- “Resilience is a matter of reducing the volume and severity of damage and loss as well as staying in business or on mission. In such a reduction is the possibility not only of survival and recovery, but even of continuing to operate without interruption.”
- “Security is about security. Resilience is about business. A resilient business provides degrees of access that promote productive access to data crucial to promotion, presentation, and transaction while jealously guarding access to prized intellectual property and sensitive financial data.”
- “Because it is both a key to the survival of the enterprise as well as a feature of its value proposition, digital resilience must become an integral aspect of the culture of the organization.”
- “Top leadership, including board members, should receive the same instruction in basic safe computing practices that all employees receive.”
From the perspective of a former institutional investor, Digital Resilience is an alarm bell. It’s an example-laden warning shot across the bow for any business, but particularly for those businesses poorly prepared for cybercrime.
In time, the buy-side is going to get wiser about evaluating the likely resilience of pre-IPO and publicly traded companies by asking officers and directors questions far beyond boilerplate legal disclosures.
After all, cybercrime isn’t just about theft of data. It can impact a company’s trading volume, access to capital, ability to attract and retain high-quality employees, and the interest levels of prospective acquirers.
Fortunately, the first and most important step you can take as a business leader isn’t to spend millions of dollars on intrusion software – it’s more about changing the way you and your organization think about cybercrime.
One way to do that is to start by reading Rothrock’s book.