If you’re going to write a playbook around cybersecurity best practice, as a leading executive of one of the major security companies, then it may be a wise idea to deal with any skeletons in the cupboard before dispensing the pellets of wisdom.
Thankfully Allison Cerra, senior vice president and chief marketing officer at McAfee, does so in her new book with integrity, grace, and no little wit.
In April 2017, as reported by IB Times among others, McAfee’s LinkedIn page was defaced, with the alleged attacker having links to the OurMine hacker group. In the first chapter of The Cybersecurity Playbook: How Every Leader And Employee Can Contribute To A Culture Of Security, titled ‘The Time I Ruined Easter’, Cerra outlines the event and mitigating steps taken.
While Cerra quips that it is all laid out in chapter one so readers can get their money’s worth straight away, the primary reason for the mea culpa was to show business leaders that yes, it will happen to you and no, don’t think your company is too grand/small/niche – delete as appropriate – for hackers to be interested in it.
“McAfee alone detects five new online threats per second,” Cerra tells Enterprise CIO. “This truly is a volume game and the numbers are on the side of the adversary. Not only do hackers get the benefit of striking first, they only need to be right one time, whereas defending organisations must be right 100% of the time.”
Cerra uses a baseball analogy to paint the picture of this ‘simply not realistic’ goal. Yet as companies realise the odds are stacked against them, a defensive stance naturally takes shape. This should not be so, as the book outlines. “There’s far more reason for organisations to be emboldened to act than to surrender in fear,” says Cerra. “When you realise there is plenty that every employee can do to take up arms in the battle, the cyberthreat problem becomes far more manageable.”
Taking up arms is great, but bringing muskets to a gunfight is less so. The attack surfaces continue to proliferate and accelerate, with the rise of emerging technologies such as the Internet of Things (IoT) – and the millions of newborn devices – and artificial intelligence (AI). With previous experience as VP marketing at Intel and HP among others, Cerra has seen the convergence of technologies, from cloud to mobile and AI, first hand.
“There is no question that the acceleration of technology is also expanding the attack surface for organisations,” says Cerra. “As companies move to the cloud, they not only unlock new potential for business transformation [but] also increase their exposure to cloud-native cyberthreats.
“To be clear, we can’t stop progressing as a society by avoiding technology advancements. That simply gives bad actors another win,” Cerra adds. “But we must be mindful of how new technologies increase risk and we must build in cybersecurity from the onset to mitigate risk effectively.”
This mindfulness is a key feature of the book’s layout. The end of each chapter outlines the WISDOM – which stands for ‘what I’ll say (and do) differently on Monday’ – learned so readers can collaborate more effectively. It also shines a light on how McAfee’s executive team functions, as it is a concept taken straight from the boardroom.
Cerra says the practice, which she learned at her current employer, has been of benefit. “It really helped me process how to take information and make it actionable for what I would personally do differently to improve in any given area,” she says. “I wanted the book to be just as practical; cybersecurity is a very complex topic and, too many times, those of us in the industry unintentionally make it even more so.”
As cybersecurity strategy has to come from the top down, the C-suite and its makeup are especially important. The position of chief information security officer (CISO) is relatively recent, and so opinions differ in the industry. A study from Wipro published in September found that one in five CISOs polled said they reported directly to the CEO, a number which is gradually rising.
While each chapter’s WISDOM is primarily aimed at a particular department, be they finance, HR, marketing et al, Cerra dedicates a chapter to how CISOs need to speak the language of the boardroom.
“Boards are generally concerned with growth, profitability, and risk management – [and] cybersecurity is the latest risk management discussion,” says Cerra. “CISOs can help board members understand how to mitigate risk with a sound cybersecurity posture. Of course, the challenge for CISOs is to speak the language of the boardroom and avoid the technical jargon that can once again overcomplicate an already complex topic.
“I think every major company or public organisation benefits from having a CISO in the boardroom,” Cerra adds. “CISOs are the unsung heroes of our organisations. They keep us safe from a never-ending onslaught of cyberthreats – and they do so without taking the limelight.”
So what is the secret to success? The answer, of course, lies in the book’s pages, but according to Cerra it’s all about employee education; adopting a culture where employees understand how to incorporate sound practice day-to-day would mean hackers would ‘need to work that much harder to land a devastating attack.’
Cerra is also quick to note the pride she has in working in her current field – and the pride you could have too if looking at a career change. “If you truly want to make a difference in your organisation, pursue a job in cybersecurity,” she says. “It’s among the most challenging and rewarding fields of work; and speaking on behalf of the employees you would ultimately defend, we desperately need you in this fight.”
The Cybersecurity Playbook: How Every Leader and Employee Can Contribute to a Culture of Security by Allison Cerra (published by Wiley, 2019) is available for purchase now.