In May 2014 senior executives and boards everywhere were served a very public notice that the game had permanently changed with regards to cyber security.
US retail giant Target had suffered a massive data breach just under five months earlier, which resulted in up to 40 million payment card accounts being accessed by hackers.
Previously this may have lead to a flurry of negative headlines and the chief information officer taking the hit. But this was different.
One of the world’s top retail executives was forced out of his job because of a technology problem, one he had probably never heard of before it occurred.
The event crystallised a shift that is playing out, not only in businesses, but also in government departments everywhere.
The realpolitik of risk: execute or be executed
The days when tech executives used to gather at roundtables to bemoan their lack of relevance at a boardroom level has long since passed.
Today leaders of all flavours – technical or otherwise — find themselves in a world where digital transformation is the main game.
If organisations in fields as varied as banking, retail, health and human services all now consider themselves to be technology-powered organisations – and equipped with ‘digital by default’ mandates — then those at the top necessarily stake their own necks on their systems being secure.
“Information technology is no longer a backroom internal function for supporting the business of government,” says Ovum’s lead government technology analyst Kevin Noonan in the analyst firm’s recent report Cyber security for digital government leaders.
“Increasingly, technology is becoming core to the way the business of government is conceived, legislated, delivered, enforced and measured … Just as information technology has come out of the back room, so too must cyber security.”
Cyber survival: what counts
Noonan says that while cyber security skills are becoming increasingly specialised and highly technical, it’s not sufficient just to have people with the technical knowledge around the building.
Senior executives must become engaged in clearing the path to ensure good outcomes.
This was very publicly borne out by the Australian Census of 2016. Today the data is flowing as it should. Yet the label #CensusFail endures like a bad tattoo. It’s almost in the dictionary.
The national population study, once a shibboleth of public data trust, was brought down following some relatively minor suspected denial of service cyber attacks.
What the subsequent autopsy revealed was that executive involvement in the strategic cyber planning needs to be there from the outset, be informed and decisive. Despite the best intentions, a tech-led restoration was allowed to drag on for agonising, public ridicule-filled days.
Hindsight is a gift. But it doesn’t stop the pain. And bad news usually adheres to the laws of gravity.
Staying on top
Of course it is now appropriate for transforming government agencies to conduct their major operations digitally. It’s not just public expectation, but a mandated imperative for many agencies.
What public failures teach us is how not to walk in front of a moving bus. That means public sector leaders need to champion a new culture of organisational risk.
See the brake lights and adjust accordingly. Check your blind spot before changing lanes. Anticipate the consequences of erratic or poorly coordinated responses. And be prepared to respond quickly as required.
In the past it may have been feasible to have set-piece movements to action to signals of a security breach. But let’s face it. When cyber becomes strategic rather than tactical you need a dynamic and timely approach.
Proactively driving cyber resilience is an acquired, and not one you want to learn the hard way.
Learning to flex
In today’s cyber reality, no government agency can afford to be an island. Cyber threats have never respected boundaries, and never will. That makes cyber-synergies all the more important, especially when suppliers become a source of situational intelligence.
Today’s cyber context makes it even more important that key settings are worked out alongside relevant technology partners, especially when more frequent risk assessments and strategic calls are required.
The need for a dynamic, responsive security plan is clear when any organisation looks at the reality of its people within it trying to do their jobs as quickly and as effectively as possible.
Yet the reality getting things done doesn’t always fit within a rigid, pre-ordained IT security master plan.
Healthy balance
In its recent report “Securing Digital Healthcare Organisations,” leading technology firm Cisco highlights a culture among health workers, who are naturally motivated to provide the best possible care to their patients.
Often, when faced by unwieldy systems, these workers seek more practical workarounds to get the job done more efficiently.
The Cisco report observes such workarounds can inadvertently lead to insecure behaviours such as the use of so-called “shadow IT,” whereby unsupported and unsanctioned applications that are often cloud-based become widely used.
Although well intentioned, shadow IT potentially exposes health providers to breaches in data protection regulations for health information, an all too real scenario now being investigated in Australia by not only police but special ministerial inquiries.
There’s also a tangible risk of infection from malware and loss of data. The consequences of ransomware attacks on health information systems are literally enough to make you sick.
Make security enable, not obstruct
With the repercussions of public breaches in mind, executive leadership cannot afford to be ignorant of how their increasingly digitally savvy workers are getting the job done.
“Instead of blocking this sort of behaviour, it is important to first understand the business need that is not being met by current solutions and then develop a secure, sanctioned method for achieving the desired outcome,” Cisco’s report says.
“Furthermore, it is important to foster a culture of security within the organisation that extends beyond an annual training effort and includes the introduction of security champions to act as local points of escalation and sources of best security practice.”
Kevin Noonan’s Ovum report reaffirms this unfortunate truth that people, however well-meaning, are often the weak link in the security chain.
Noonan cautions even the best security systems can be circumvented by leveraging the back-door exposures available to internal staff, suppliers or clients.
As such cyber security leadership is as much about leading people as it is about introducing new technology and tools.
Lead by example
Ovum’s frank report highlights the example of an unsuccessful attempt by a government department to curtail the use of shadow IT in the form of unapproved cloud services, which fell outside of its security parameters.
Management decided to send out an ‘all-staff’ email instructing people to stop using the service — but had not put in place any alternative approved system to provide similar functionality.
The email just served as an advertisement for the unapproved service and led to more staff using it, having not realised it existed before.
“In this organisation its governance was weak and impractical, and staff knew very well how to circumvent its internal bureaucracy,” Noonan says.
“What appeared to the organisation as shadow IT, was actually internal innovation looking for some better leadership.”
Satisfied users stray less
From a technology point of view organisations must, as a matter of course, be built on a resilient digital architecture. Even so, it still pays to embrace for ‘risk-smart’ thinking that pre-empts the temptations of shadow IT.
In times when digital transformation is a demand, not a request, staff in departments must be encouraged and empowered to innovate — but they must be educated on the real danger of being a loose cannon on deck.
This puts it down to the executive team in agencies and departments to find practical ways to strike a balanced approach to technology leadership. Here, consistency and performance is power.
Staff cannot be encouraged to think differently in a briefing by the chief digital officer, only to go to their next meeting with the chief information security officer and get yelled at for breaking the rules.
Noonan explains that while the executive leadership team should not be bogged down in the technical detail about how cyber security tools work, they must be able to lead and guide cyber security outcomes across the organisation.
What it takes
Based in its Australian research, Ovum advises a balanced scorecard approach, whereby public sector executives can question and rate their policies, rules and approaches in a context of what they are trying to achieve in digital transformation.
“Increasingly, the community is looking at technology as a normal part of the processes of government. Good government should be competent, predictable, trustworthy and open,” Noonan says.
“If a government enterprise can deal with cyber security in a way that meets community expectations, then the overall standing of government is enhanced.”
To find out more, read Ovum and Cisco’s whitepaper Cyber security for digital government leaders.