By Byron Love
As the executor of my late mother's estate, I was concerned when SunTrust Bank notified me that her account information was included in a data breach. As a cybersecurity professional, however, I was not surprised.
In April 2018, SunTrust Bank announced the theft of names, addresses, phone numbers and account balances of 1.5 million customers.
“We apologize to clients who may have been affected by this. We have heightened our monitoring of accounts and increased other security measures,” Bill Rogers, SunTrust chairman and CEO, said.
Cybersecurity professionals need to be right thousands of times a day, but threat actors need to be right only once. In this case, the rogue insider stole important information, but critical personally identifying information such as social security numbers, account numbers, PINs, user IDs, passwords, and driver's license numbers was protected.
Leaders are responsible for providing the long-term objectives, resources, and decision making that protects and defends their organization's capability to perform its mission and realize its vision.
While the breach was unfortunate, SunTrust demonstrated the ability to protect critical data, and to detect and respond to cybersecurity breaches. As a customer, I feel their response inspires confidence in their ability to learn from this incident, increase cybersecurity protections, and prevent future breaches.
Sound Strategies Produce Sound Outcomes
The dictionary definition of strategy is “a plan of action or policy designed to achieve a major or overall aim.” SunTrust’s response is evidence of the execution of a cybersecurity strategy designed to respond to inevitable breaches.
The Project Management Institute's Standard for Program Management promotes best practices for aligning programs with enterprise strategic plans and for establishing governance to ensure that this alignment continues throughout the program and into operations. This alignment connects team members to the organization's vision and purpose.
COBIT 5 states that understanding the business strategy and identifying gaps between business and cybersecurity strategies is an information security management responsibility, while communicating IT strategy and direction, including resource allocation, is a CEO, CIO, and business executive responsibility. Executives define and communicate the organization’s vision.
Weak Strategies Leave Organizations Vulnerable
In an April 2018 report entitled "Interior Incident Response Program Calls for Improvement," the US Department of Interior Inspector General highlighted an incident detection failure in the agency's cybersecurity program. According to the DOI IG’s report, in an incident that took place in October 2014, an attacker moved through the Office of Personnel Management network and into the Interior Department through a trusted connection. The attacker entered a DOI human resources database, replete with personnel data. DOI did not discover the breach until April 2015.
DOI did not have an effective strategy for detecting and responding to breaches. One of the DOI IG’s recommendations to the Office of the CIO was to “develop a Department-level incident response plan and procedures that incorporate: strategies and goals, to include metrics for measuring effectiveness; incident response team structure; and communication plans.”
SunTrust was breached and their response demonstrated strategic alignment between business and cybersecurity operations, communicated from the highest level in the organization. DOI was breached, and their response demonstrated a lack of mission and cybersecurity alignment, communicated in a scathing IG report.
Without a comprehensive cybersecurity strategy, the DOI is vulnerable to future attacks and continued poor incident response performance.
The Challenge of Thinking Strategically
Strategic thinking is both art and science, and not everyone is an artist or scientist. According to experts, 90% of managers have never had strategic planning training. As a result, cybersecurity functions and business/mission functions are often misaligned, yielding cybersecurity programs that are ineffective.
Budget alignment is a key indicator of strategic alignment. “Cybersecurity budgets typically come from IT budgets, and as a result, staffing is then run out of an IT organization,” MedSec CEO Justine Bone told Becker's Hospital Review. “The problem that comes from this is that the massive risk management challenge of cybersecurity does not gain exposure at a business management level where the attitude remains, ‘Is it fixed yet?’ In fact, cybersecurity is a risk management function that is never complete.”
How can cybersecurity leaders effectively advocate for cybersecurity strategy integration and the required funding when they and the business executives operate in different spheres with different taxonomies and lexicons?
Become a Strategic Cybersecurity Asset
Organizations that equip their cyber leaders with the knowledge to think and act strategically improve their chances for long-term success. Is your organization capable of responding as well as SunTrust or is it doomed to the fate of DOI? Has your organization integrated cybersecurity strategy into its business strategy?
Expecting managers to implement effective cybersecurity programs without understanding strategy is like expecting students to perform calculus without understanding algebra. Organizations have the responsibility to provide their employees the professional development needed to equip them to contribute to the organization’s mission. Cybersecurity practitioners should obtain strategic thinking skills that increase their value to the organizations they support and their professional net worth.
If you are interested in this career area, programs like EC Council’s Certified Chief Information Security Officer (C|CISO), ISACA’s Certified Information Security Manager (CISM), and PMI’s Program Management Professional (PgMP) provide leaders with the tools needed to develop and implement an integrated cybersecurity strategy.
Whatever route you choose, take the proactive and strategic first step toward gaining valuable strategic thinking skills for yourself and your organization.
About Byron Love
Byron Love has over 33 years of experience in information technology. A retired Air Force Major with 21 years of active duty and Reserves service, Byron is a program manager at AlphaSix Corporation, where he leads a $60 million cybersecurity program for a large government agency.