Sunday, July 19, 2020

How CEOs think

Recently, Twitter was hacked. CEOs who read about this in the news ask how they can protect themselves from similar threats. The following tweet expresses our frustration with CEOs, that they don't listen to their own people, but instead want to buy a magic pill (a product) or listen to outside consultants (like Gartner). In this post, I describe how CEOs actually think.


The only thing more broken than how CEOs view cybersecurity is how cybersecurity experts view cybersecurity. We have this flawed view that cybersecurity is a moral imperative, that it's an aim in itself. We are convinced that people are wrong for not taking security seriously. This isn't true. Security isn't a moral issue but simple cost vs. benefits, risk vs. rewards. Taking risks is more often the correct answer than adding more security.

Rather than experts dispensing unbiased advice, we've become advocates/activists, trying to convince people that they need to do more to secure things. This activism has destroyed our credibility in the boardroom. Nobody thinks we are honest.

Most of our advice is actually internal political battles. CEOs trust outside consultants mostly because outsiders don't have a stake in internal politics. Thus, the consultant can say the same thing as what you say, but be trusted.

CEOs view cybersecurity the same way they view everything else about building the business, from investment in office buildings, to capital equipment, to HR policies, to marketing programs, to telephone infrastructure, to law firms, to .... everything.

They divide their business into two parts:
  • The first is the part they do well, the thing they are experts at, the things that define who they are as a company, their competitive advantage.
  • The second is everything else, the things they don't understand.
For the second part, they just want to be average in their industry, or at best, slightly above average. They want their manufacturing costs to be about average. They want the salaries paid to employees to be about average. They want the same video conferencing system as everybody else. Everything outside of core competency is average.

I can't express this enough: if it's not their core competency, then they don't want to excel at it. Excelling at a thing comes with a price. They have to pay people more. They have to find the leaders with proven track records at excelling at it. They have to manage excellence.

This goes all the way to the top. If it's something the company is going to excel at, then the CEO at the top has to have enough expertise themselves to understand which leaders are best able to accomplish this goal. The CEO can't hire an excellent CSO unless they have enough competency to judge the qualifications of the CSO, and enough competency to hold the CSO accountable for the job they are doing.

All this is a tradeoff. A focus of attention on one part of the business means less attention on other parts of the business. If your company excels at cybersecurity, it means not excelling at some other part of the business.

So unless you are a company like Google, whose cybersecurity is a competitive advantage, you don't want to excel in cybersecurity. You want to be average, or at most, slightly above average. You want to do what your peers are doing.

It doesn't matter that this costs a lot of money due to data breaches. As long as the cost is no more than your competitors', then you are still competitive in your markets.

This is where Gartner comes in. They are an "analyst" firm. They send analysts to talk to you and your competitors to figure out what all of you are doing, then write up reports about what your industry average is.

Yes, yes, it's all phrased as "best" practices, but it's really "average" practices. CEOs don't want to be the best in their industry at cybersecurity, they all want to be slightly above average.

When things hit the news, like this week's Twitter hack, CEOs look for a simple product to patch the hole precisely because they don't want to excel at it. A common cliché in cybersecurity is that "security is not a product, but a process". But CEOs don't want a process they have to manage. This would require competent leadership, and excelling at cybersecurity, and all the problems with this approach that I describe above. They want to either plug the hole with a quick fix, or let the hole keep leaking. As long as everyone else in their industry has the same problem, it doesn't need to be fixed.

What CEOs really want to know is "What are our peers doing?". This is where Gartner comes in, to tell the CEOs what everyone else is doing about the Twitter hack.

It's not just the Gartners of the world, who are primarily "analysts", but Big Consulting in general. CEOs listen to cyber consultants from the big accounting companies (e.g. Ernst and Young) and the big tech companies (e.g. IBM). Since the consultants work for a wide variety of clients, they are therefore trusted barometers of what peers are doing in the industry.

They are also trusted because they are outside of internal corporate politics. Outside consultants often end up saying the same thing you do, but are trusted whereas you are not. CEOs listen to the outsiders because they have no hidden political agenda.

There are flaws in how CEOs think here.

One flaw is that "outside" consultants are steered by those skilled at corporate politics. The consultants know which faction hired them, and thus, tilt their "unbiased" advice toward that faction. Having been a consultant myself, it's the hardest ethical question I face: how do I maintain my own integrity in the face of the client trying to spin/tilt my reports?

The second flaw is that CEOs are measuring their companies against equally conservative peers. All of them resist some innovation that could reduce costs because none of them have tried it yet. Thus, there are obvious things that all the techies can see, and yet the organization resists because none of their peers have tried it yet. Yes, CEOs don't want to excel at cybersecurity, to be the leader in their industry with the best cybersecurity, but this thinking stops them from being even slightly above average.

The third flaw is that consultants are dumb as rocks. They are just random people who have gone through some training and who don't have to be responsible for the long-term consequences of what they do. They don't reflect the best practices in the industry so much as the dumbest. Most times an organization hires outside consultants, there are smarter people inside the organization fighting against the dumb things the consultants are doing.

All this means that instead of getting the "average" or "slightly above average" out of these outside consultants, CEOs are getting the "below average". Their IT (and cybersecurity) is slowly sinking, except for the insiders who fight against this.

Thus, we have the fight the tweet describes above. The CEO has an extraordinarily broken view of cybersecurity.

A case study of this is Maersk being nearly destroyed by notPetya. What we techies could see several years ago is that ransomware had become an "existential risk" to the entire business. I saw a business destroyed by mass ransomware two years before notPetya, so it's no surprise that such things can happen.

What most organizations see is that occasionally a desktop computer here and there gets ransomwared. They simply wipe it and restore from backup. It's a cost, but a small cost, and not one worth getting concerned about.

The problem they don't see is the difference between average users getting infected and domain admins. When a domain admin gets infected, then it can take down the entire enterprise. This means all the desktops and all the servers get infected. It means a massive loss of data and operation, as you realize that not everything was backed up, and that not all servers can be restored to their same operating condition.

That's what happened to Maersk -- all their computers got infected because a domain admin got infected. EVERYTHING got infected, except for one server in Africa that happened to be turned off at the time. That's what happened to the cities of Atlanta and Baltimore. That's what's happened to numerous companies that haven't hit the news.

The solution is fairly simple. Microsoft has good guidance on this. It means changing how "domain admin" works so that one person doesn't hold the keys that'll wreck the kingdom. Lots of organizations follow Microsoft's advice and are fairly secure against mass ransomware. Yet still the average for most conservative industries is to not follow this advice -- none of their peers have, so why be the first? They are all basically waiting for one of their peers to be destroyed by ransomware, hoping it's not them, before they take action.
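The failure mode above has a concrete, checkable shape: a highly privileged account leaves reusable credentials on an ordinary desktop, so whatever compromises that desktop inherits the keys to the whole domain. The following is an added illustration, not code from the post or from Microsoft's guidance, of how a defender can flag that pattern in logon telemetry. The tier assignments, account names, host names and the simplified `key=value` log format are all constructed for the example; the logon type numbers (2 interactive, 3 network, 10 remote interactive, 11 cached interactive) are the standard Windows values.

```python
"""
Added example: detect tier-0 (domain admin) accounts logging on to
non-tier-0 hosts, i.e. the "one infected admin takes everything down"
condition described in the post. All data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed tiering (assumption for the example): tier 0 is domain
# controllers plus dedicated admin workstations; everything else is lower tier.
TIER0_ACCOUNTS = {"CORP\\da-alice", "CORP\\da-bob"}
TIER0_HOSTS = {"DC01", "DC02", "PAW-ALICE", "PAW-BOB"}

# Windows logon types that place reusable credentials on the target host.
# Network logons (type 3) do not, so they are not counted as violations.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 10, 11}  # Interactive, RemoteInteractive, CachedInteractive


@dataclass(frozen=True)
class LogonEvent:
    account: str
    host: str
    logon_type: int


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed 'account=... host=... logon_type=...' record."""
    fields = dict(part.split("=", 1) for part in line.split())
    return LogonEvent(
        account=fields["account"],
        host=fields["host"].upper(),
        logon_type=int(fields["logon_type"]),
    )


def tier_violations(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (account, host) pairs where a tier-0 account exposed its
    credentials on a host outside tier 0."""
    violations = []
    for line in lines:
        ev = parse_event(line)
        if (
            ev.account in TIER0_ACCOUNTS
            and ev.host not in TIER0_HOSTS
            and ev.logon_type in CREDENTIAL_EXPOSING_LOGON_TYPES
        ):
            violations.append((ev.account, ev.host))
    return violations


# Constructed sample telemetry: two admins, one ordinary user, mixed hosts.
SAMPLE_LOG = [
    "account=CORP\\da-alice host=DC01 logon_type=2",            # admin on a DC: fine
    "account=CORP\\da-alice host=WS-FINANCE-17 logon_type=10",  # admin RDP to a desktop: violation
    "account=CORP\\jsmith host=WS-FINANCE-17 logon_type=2",     # normal user: fine
    "account=CORP\\da-bob host=WS-HR-04 logon_type=3",          # network logon, no cached creds: fine
    "account=CORP\\da-bob host=WS-HR-04 logon_type=2",          # admin console logon to a desktop: violation
]

if __name__ == "__main__":
    for account, host in tier_violations(SAMPLE_LOG):
        print(f"tier-0 account {account} exposed credentials on {host}")
```

Run against real data, the same logic would read event ID 4624 records from a SIEM and take the tier-0 membership from the directory instead of a hard-coded set; the point of the check is that each hit is a desktop whose compromise would hand over the domain, which is exactly what the tiering guidance is meant to prevent.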


So as an average techy in the industry, I appreciate the above tweet. CEOs and their reliance on magic pills and outside consultants are a pox on our industry. At the same time, their thinking is sound from the point of view of running a business. To fix this, we have to understand their thinking, which hopefully I've communicated in this document.

As for CEOs reading this document, well, learn to listen to your techies. Yes, they are also broken in their thinking. But at the same time, they can help you be slightly above average for your industry, and make it so you are the last to be mass ransomwared in your industry rather than the first. If you want to know more about this Twitter incident, then find a techy in your own organization to explain it to you rather than an outside consultant or product vendor.


2 comments:

Nic said...

I was with you 100% until this part:

"The solution is fairly simple. Microsoft has good guidance on this. It means changing how "domain admin" works so that one person doesn't hold the keys that'll wreck the kingdom. Lots of organizations follow Microsoft's advice and are fairly secure against mass ransomware. "

In principle yes, if you're building from scratch. But fully implementing MS best practice inside a live enterprise environment is clearly not simple.

The same principles of your blog apply here as well though, maybe you don't need to implement the whole guidance, things like privileged access workstations etc., but it's difficult to know where to draw the line.

From my perspective, the difficulty is that this is unlike other topics where security and IT come together to push for a change. This is an issue where it's often IT vs Security. You're asking IT teams to change how they work, commit to structural changes on probably the highest value/risk infrastructure in the environment, for no obvious/appreciable benefit. IT teams will almost always know this landscape better than a security team and will be able to push back against this change with arguments around risk, cost, downtime etc.

Keeping that relationship intact, finding a suitable compromise and actually getting the project accomplished is no mean feat.

But it will do more for your security than any shiny new security tool.


Unknown said...

Nice article in that you exposed just about every Fortune 500 Company to a business crushing cyber event. Being average or slightly above average means you're just trying to hide your weaknesses amongst many targets. This is where the old adage applies that states that for cyber defense to be successful it has to be spot on 100% of the time and the hacker only need be spot on once to be successful. I think if you ask CEOs of companies who in fact experienced a significant breach that it was more costly than all the money saved taking the risks. Cyber security is about mission or business assurance and therefore is a competitive advantage even if your company's core competency isn't cyber.