With an increased emphasis on cyber security and the resultant expenditures for additional personnel, software, and hardware, many leaders believe they are exercising the necessary due diligence to adequately secure their enterprise. Modern day CEOs or Military Commanders are not oblivious to threats posed by cyber criminals, market competitors, or battlefield adversaries. Any senior leader can tap into multiple media sources and see a plethora of weekly, if not daily, examples of cyber criminals stealing information, raising their concern for the protection and security of the enterprise for which they are ultimately responsible.
Modern leaders, many of whom are digital immigrants, have realised the host of benefits achieved by harnessing technological advances that allow us to store, process, analyze, and share information at unprecedented rates. They also realise these benefits come at a cost and securing their technological "backbone" has rightly risen to be a major concern. This is no easy task given the highly technical and constantly evolving nature of digital threats, along with the rapid pace of globalization. The surprising fact is that the previously established roles and responsibilities for Executives supporting the CEO and Commanding General may actually inhibit the implementation of full spectrum protection that modern organisations require.
In an effort to gain efficiency and effectiveness, most organisations streamlined responsibilities when it came to delineating threats to the organisation. The titles and areas of responsibility are now commonplace in Corporate America and the military: Chief Operations Officer (COO) and corresponding G3, Chief of Operations for the military; the Chief Information Officer (CIO) or corresponding G6/CIO for the military; and the Chief Security Officer (CSO) and/or the Chief Information Security Officer (CISO) whose military equivalent is the G-2, Chief of Intelligence and Security.
While efficiencies and effectiveness may be gained by managing organisations in this fashion, the seams or gaps in protection this can create may be the greatest weakness of modern organisations. Simply put, this is the Achilles Heel, which allows an adversary to cause the greatest amount of damage by exploiting the least protected areas. Due to our current organisational structure within both Corporate America and the military, our mutually unprotected areas may be where the operational roles of the Chief officers do not "seamlessly" overlap, but instead, create weak points in organisational security.
The digital revolution introduced dramatic changes to the corporate and military landscape reminiscent of those created during the Industrial Revolution. Whereas the Industrial Revolution allowed companies to mass-produce products and capture markets on an unprecedented scale, it also provided nations the ability to field extremely large armies composed of uniformly equipped soldiers, each wielding previously unparalleled weapons straight off the assembly line. The result was the birth of modern corporations that could mass-produce products for global consumption and the ability of armies to cause destruction on truly extraordinary levels. The increasingly complex nature of business and warfare led to the formalisation of the military General Staff and the establishment of corporate officers. Personnel occupying these positions were each responsible for executing specific functions of the enterprise based upon the CEO's or Commanding General's guidance and instruction.
The Digital Age may now give us pause on how well the Industrial Age compartmentalisation of responsibilities best serves the CEO and Commanding General. Thousands of emails are sent and received weekly, organisational websites are continually visited and updated, and copious amounts of files are exchanged electronically around the world. Combine these facts with the nature of threats to the network, and the previously drawn boxes that defined the responsibilities of Chief Executives may need to be updated and refined.
The almost instantaneous ability to communicate and share data around the world makes it difficult to determine which specific electronic exchanges and under which circumstances are technically within the domain of Operations, Security, or the CIO. When information was primarily in paper form, the responsibilities were relatively easy to define and the inter-relationships between the Chief Executives well established. The Digital Age has blurred those lines and many organisations have yet to refocus and adapt to the change. However, the one paramount tenet left unchanged is that with responsibility comes accountability.
But with so much information being exchanged within every facet of the organisation, who is ultimately accountable to the CEO/Commander when the organisation loses a competitive advantage? If the data is electronic in nature, is the CIO/G-6 to blame regardless of the circumstances? Is the CSO/G-2 to blame due to a potential lapse in security, perhaps by not checking references on each employee or allowing our "allies" access to our sensitive systems? Is the problem within the COO/G-3, which shared information with a trusted partner, who subsequently leaked it to another party? With millions of dollars and possibly lives at stake, which Chief Executive should be held accountable if the roles and responsibilities are so clearly defined and stove-piped within the organisation?
This leads us to question if the stove-pipe approach is still applicable in the Digital Age, where data and thoughts now move at the speed of light. The time has come to re-examine the roles of the COO, CIO and CSO to provide an environment in which collaboration and coordination occur naturally, rather than as a task that "has to be done." Segmented staff elements do not promote collaboration and coordination, thus they do not offer an environment conducive to proactively combating digital threats.
Consider this example: the COO is preparing to introduce a new prototype product, which is expected to increase the company's market share and revenue. How much collaboration is occurring with the CSO to determine which competitors will aggressively target the proprietary product information? When the threats are identified, how much coordination is occurring between the CSO and CIO to protect the information in digital form? Without the coordination and collaboration between these chief executives, gaps in protection are almost pre-ordained.
The Navy has taken this concept of "protecting the seams" to heart through the establishment of the Navy's Cyber Command. This new Command combines the Navy's CIO/G-6 and the CSO/G-2 into one entity. In these early stages, this combination doesn't necessarily make things more effective and efficient, but it may promote the coordination and collaboration so desperately needed to enhance the protection of Navy information.
Another way to establish collaboration and coordination may be through the use of Tiger Teams or Joint Operations Centres that have sprung up across the military establishment. In these Tiger Teams, representatives from the COO, CIO and CSO would be collocated in the same facility, sitting side-by-side and working on the same mission: network, data, and organisational protection. Personnel would still focus on their assigned functional area, but also collaborate and coordinate with the other elements to combat the problems occurring in the digital realm, which show no signs of abating.
To close the loop on collaboration, teams should have a direct link to their respective department heads, as well as the CEO or Commanding General. This line of communication promotes information sharing at a moment's notice without fear of repercussion, retribution or protocol issues. In years past, threats moved only as fast as their engines or feet could carry them, and changes in their tactics took time to formulate. That is no longer the case. Digital threats move at the speed of light from a plethora of locations and variety of actors. In the past, we had hours to respond to threats; now we may only have seconds. Creating and utilizing teams from across organisational hierarchies may be better suited to act in a matter of minutes, rather than relying on rigid interdepartmental notification and collaboration procedures which may take hours or days.
The military and private sector have shifted paradigms in the past, and it is essential they adjust to this new reality. Collaboration and coordination amongst each other, as well as with leadership, is absolutely vital to gain the digital high ground once again.
One breach of information, be it concerning the next generation microprocessor for cell phones or composite armor for tanks, can shift the competitive advantage to the adversary. This loss of information could have disastrous impacts to the organisation in the form of lost revenue, or a diminished battlefield advantage. Viewed from this perspective, organisations must adapt or perish. Are you and your organisation morphing to meet the digital threats head-on--or do you think it can wait for another day?
About the authors:
Jeffrey R. Jones currently serves as the lead for the Cyber Threat Intelligence Program and the Chief of Information Protection for the US Army Materiel Command G2. He holds a Master of Science in Computer Science - Information Security from James Madison University.
Ryan Averbeck is a senior intelligence analyst at the Army Aviation and Missile Lifecycle Management Command, and specializes in research and technology protection (RTP). He was previously the Program Manager for the NASA RTP program and an Assistant Director at the Army RTP Center at the Pentagon. He is currently a Ph.D. Candidate at Northcentral University.