Edison recently held its 4th annual CEO Summit in Atlantic City, and while some details from Atlantic City must forever remain in Atlantic City, insights from a group of 60+ growth-stage CEOs must be shared. We hosted five 'sausage-making' sessions, which are all recapped here on the Edison Blog. My favorite: Are You at Cyber-Risk?
Are You at Cyber-Risk?
To start, nobody likes talking about cyber security, except eSentire CEO J.P. Haynes, but that’s not really fair now, is it? If you ask a tech CEO if they think they’re at risk of being hacked, expect your question to be received in one of the following ways: 1) “Yeah, I don’t really know, and I don’t really care, to be honest” or 2) “SHHH! Are you crazy?! Why would you ask me such a terrifying question so freely and loudly?!”
While greatly exaggerated, these two reactions aren’t quite as far from the truth as you might think. As for the first, indifference is occasionally warranted. If you’re not storing sensitive data and your exposure is vastly limited as a result, then you probably have more pressing concerns. However, the vast majority of companies have no choice but to store and utilize such data, and protecting yourself from the accompanying risk can be rather daunting. So let’s simplify things a bit, take a step back, and examine five key cyber-risk themes that were discussed by our CEOs.
1. IT’S NOT A MATTER OF “IF” BUT “WHEN”
Hackers are absolutely everywhere and your company, at one point or another, is going to be a Target (pun intended). This sort of ‘everyone’s out to get you’ mindset coupled with the belief of a hack’s inevitability is imperative in crafting a strong security practice. Such an approach will not only better protect you from future attacks, but more importantly, it will better prepare you for how to respond once an attacker has bested you.
Because attacks are becoming more and more prevalent, responses to such an event can carry even more weight than the event itself. Beyond ensuring the preservation and protection of your customers’ information, ensuring the survivability of the company in the event of an attack should be one of the major goals set forth when instituting your company’s security practices.
2. PLAN EARLY AND PLAN OFTEN
Despite the significant level of concern that most of our CEOs displayed about security, the overwhelming verdict was that handling the issue internally was simply too expensive. As a result, our companies fell into three buckets:
- Those that handle everything internally (most expensive)
- Those that outsource everything (cheapest)
- Those using some combination in the middle
Further, there were only two variables that really dictated which bucket a company would fall into:
- Company size
- Type of data at risk
Those companies at the extreme end of either spectrum found themselves in the first bucket. Predictably, those on the lower end of either spectrum found themselves in the third bucket. And as you might guess, the vast majority found themselves smack dab in the middle.
While there is no problem with sequencing your security approach to move at the pace of the company’s growth, few CEOs could definitively describe the inflection points that should trigger such a change in security practices. With that being said, it became apparent that there was no “one size fits all” approach. So, when designing and instituting your methods, make sure to always err on the side of caution, but most importantly, make sure to define the sequencing and inflection points early on.
3. FAKE IT UNTIL YOU MAKE IT?
One question that was posed was, “how much of this is really just for show?”
When crafting your security practices and processes, are you truly concerned about building out your security prowess, or are you really just concerned with inflating the public perception of your security? This is a fair point, especially with the various certifications that are required across industries. Many companies simply treat these certifications as a checklist item and, therefore, can use them as an excuse to only do the bare minimum.
The same CEO that originally posed this question likened the situation (of simply meeting checklist standards) to placing an ADT sign in your front yard; you’re warning potential wrongdoers to go elsewhere, but who knows what is actually stopping them should they attempt to enter. Have you found yourself merely treating security as a checklist item, or have you truly made it a priority?
4. SECURITY DOESN’T HAVE TO BE A DRAG
Despite the angst expressed by our CEOs when discussing security, a number of them shared fascinating examples of ways they had addressed the issue head-on and with full force. They did so by doing just the opposite of what was described in the third topic.
Instead of treating security as a necessary evil and doing the bare minimum to remain compliant, they decided to make it one of the core features of their product/service. In doing so, they were able to differentiate themselves against their competitors as they created an entirely new selling point for their company.
One of my favorite examples of this approach comes from Mint.com founder Aaron Patzer. While garnering feedback from customers, he learned that many distrusted the reliability of Mint’s security. So to combat this, he redesigned a section of the company’s site to state that Mint uses “bank-level data security.”
By emphasizing the words “bank level security,” he experienced a dramatic shift in customer sentiment. While this simple approach is commonplace now, it was novel at the time and made a significant difference in growing their user base in the company’s earlier days. Even to this day, post-Intuit acquisition, Mint still displays similar phrasing. So while security is often a headache waiting to happen, you can use it as an opportunity to differentiate your product/service, making security an additional feature instead of just a requirement.
5. “100% PROTECTION IS 100% IMPOSSIBLE”
This point goes hand-in-hand with the first theme above. While you have to take a near-paranoid approach when it comes to security at your company, you also need to understand that it is absolutely impossible to be 100% secure. And just to really hammer in that fact, the above quote comes from eSentire CEO, J.P. Haynes, whose product/service is…you guessed it, security.
You have to accept the fact that you will not be able to patch everything. Instead, define what your key assets are and monitor the heck out of them. Most importantly, you must make sure that the CEO, CTO, and CSO aren’t the only ones concerned with security. A sense of paranoia needs to be instilled within every employee at every level of the organization, as they are often the entry point for an attack. Coupling this sense of company-wide paranoia with the understanding that attacks are inevitable will help you to ultimately position your company as close as it can be to 100% secure.