During recent conversations with several executives from cybersecurity business consultants that support the US Government, I asked who they’d hold accountable for a breach of their own business’ network. I was not overly surprised by the number one answer, “I don’t know,” followed by, “not me,” and finally (at least one had a plan) the “Chief Executive Officer.”
In my response, I modified a commonly used cliché from the vernacular of the network security trade, “eating your own dog food,” when making the point that you must be willing to apply the same standards to your company’s network as you would when making a recommendation to a client. So with this serving as my underlying intent, I responded to each that, “You’ll have to be able to eat your own cyber dog food, and failing that, you’ll find your business on the wrong side of a hack or breach.” To their credit, they took my "cyber dog food challenge" seriously and went to work setting about the process to implement several internal looking actions to refocus their business governance.
The following are some examples of simple, yet effective practices that can improve your business’ internal cybersecurity posture.
First, “C-coded” executives are key cybersecurity decision makers when it comes to identifying the important data and/or applications that define and drive their security posture. If this role is delegated to the “C-coded geek” on the executive bench, businesses may find themselves questioning how and why their limited IT funds have been expended on services and/or capabilities that aren’t aligned with corporate priorities. Simply put, if you are in charge, be in charge.
Second, leadership sets the tone for effective cybersecurity governance by ensuring established business priorities match the cybersecurity resources aligned to meet those priorities. Lead by setting the expectation that a business’ cyber governance body be stood up with clearly defined roles and responsibilities, and that core business units are represented within the governance body. This becomes the basic ingredient to your cyber dog food.
Third, within the governance body, define and prioritize your cyber terrain. Take the time to establish the importance and priorities of capabilities, processes, or data stores that are key to the business’ survival and their customer/client interests. Again, key leadership must be involved across the organization and should vote when establishing cyber terrain priorities.
As an IT geek myself, I’ve discovered certain systems or database files that are no longer in use and should have been archived and removed from general access. Much worse, I’ve discovered (“first heard”) a business unit’s data that was of significant importance left exposed, or with minimal security features protecting it.
True, you’d assume that this kind of review process is part of most mature business’ basic blocking and tackling—but you should not assume too much when your cyber dog food is at stake. The tried and true mantra of “inspect what you expect” will keep you out of the cyber dog house.
Fourth, realize that organizational resources are limited and that the “never enough” mentality drives the use of risk management decision-making methodologies. These in turn guide executives when making informed cybersecurity expenditure decisions. Simply put, the person responsible for buying the ingredients for the cyber dog food gets to decide what to buy and when. That said, they also assume the risk for that decision.
Be prepared to recognize that in some instances, the vulnerability of a critical segment of your system and the probability of its exploitation may require new resources—lots of new resources—and senior executives need to make that risk decision. Don’t be tricked into the “low hanging fruit” trap of fixing the easy stuff first unless you are simultaneously aligning or finding the resources to find and fix the hard stuff too.
Fifth, the most dangerous cyber threat is from inside the business. Be creative and establish ways to reward good stewardship and punish the foolish and/or criminal. Incentivize good individual security stewardship by establishing echelons of cyber and physical security awareness training and credentials. Pay for it, too.
Finally, recognize when you’ve been attacked, and be prepared to fight through it—fight hurt! Build a team that sets a high standard in the defense of business cyber resources and your customers’ expectations for continuity of operations. If you catch a cyber dog eating your cyber dog food, respond with sufficient force to protect yourself. If the dog food is gone by the time you’ve discovered it missing, then respond decisively by having pre-planned, codified options. This plan should include a reporting procedure, asking for legal and/or governmental help in the investigation, and possible disciplinary action against the offending cyber dog.
In the end, we can’t expect the offending dog to stop eating our cyber dog food unless someone with appropriate authority responds. But, in the meantime, those of us in the cybersecurity consulting business need to practice what we preach and "eat our own cyber dog food."
J. Kinder is General Manager, Cyber Operations and Tactics at MetroStar Systems in Reston, Virginia. He recently retired from US Cyber Command after 30 years of US Naval service. He’s a recognized cyber security expert whose unique perspective focuses on cyberspace as the newest warfighting domain.