One fairly large company we worked with, for instance, had a few thousand staff and a few hundred million dollars in turnover. They had a huge enterprise resource planning (ERP) system that was integrated with their production—nothing worked without it. The ERP was mission critical, but there was no replication, no redundancy, and no backup system. If the system broke, physically or otherwise, they were shut down until they could fix it and make it work again.
Several people at the company knew about this, but management didn’t register it as a major risk. They didn’t do anything about it for many years. Why? Maybe they weren’t so interested in the company’s operations. Maybe they were more interested in their own sales. Maybe they didn’t worry about it because they thought the ERP had been there for twenty years and worked just fine, so why would it break down now? Maybe they just had higher priorities. If you asked management in that company what the biggest risks to the continuity of their business were, they probably wouldn’t tell you that the ERP was one of them. All the while, the company’s existence depended on the efficient functioning of the ERP system. These types of risks—risks that could cause the company to go bankrupt—need to be identified first.
Lesser risks might be those that cause the company to lose efficiency or spend extra money or effort to operate certain systems or machinery. For example, IT is often perceived by management as a way to do things more efficiently than the competition. When the computers go down and the company loses the benefits of IT, their margins erode and their advantage over the competition is reduced, but they don’t go out of business right away.
This is the language the cybersecurity manager needs to use when talking about IT security and systems downtime. The cybersecurity manager shouldn’t suggest that the IT systems will never work again. They need to focus on the margin issue: the company will get slower at serving its customers or might not be able to serve them at all until the system is back up and running. Learn to speak the business language. Explain your security issues in terms of money, resources, and time so management will understand it’s not just about security—it’s about running a company profitably.
Focus on the Most Relevant Risks
If the cybersecurity manager wants to be influential at their company and relevant in their work, they need to focus on the risks that are most relevant to that business. The CEO understands the specific risks the company faces. Whatever the CEO considers important is equally important to the cybersecurity manager and must be understood by them. That doesn’t mean the CEO is always right; the cybersecurity manager may need to educate the CEO (or CTO or CIO), but achieving alignment is essential because the cybersecurity manager needs the high-level support. We can think of the CEO as an internal customer—the customer is not always correct, but they must be understood. Cybersecurity managers should listen a lot at first, ask many questions, and learn how leadership perceives the situation. If the cybersecurity manager achieves alignment with the CEO and acts accordingly, the cybersecurity manager will be successful.
If there’s no communication, that alignment is unlikely. In one case we witnessed, a cybersecurity manager tried to buy a physical access control and burglar alarm intrusion-detection system for the company’s offices. The first offer the cybersecurity manager got was four times more expensive than the cheapest system. The cybersecurity manager, who was focused on the risk of a physical break-in, decided it was worthwhile to buy the more expensive system. The CEO, on the other hand, considered this purchase a way to be in compliance as inexpensively as possible. He preferred the cheaper system. In this instance, the cheaper one probably met the company’s expectations and requirements better. In the end, the CEO decided to go with the cheaper option.
In this case, the cybersecurity manager did not adequately understand the goals and objectives of the CEO. The CEO’s objective was compliance, while the cybersecurity manager’s goal was optimal security. They’re different. Cybersecurity managers can take a simple lesson from this: they must communicate with company leadership and discuss risks internally. The cybersecurity manager should always investigate the company leadership’s priorities.
Fallout from Risks
When cybersecurity managers begin to identify risks, they should think about what category of risk they’re dealing with. Is the company worried about losing the secret sauce, the data, the trade secrets? Or is their main worry an interruption in the manufacturing line? If the process stops, how big of a problem is that? Is it a financial risk? Is it a legal risk?
Sometimes the staff or teams will not be able to articulate their biggest risks. Discussing examples with them can help them identify risks that apply to their company or their department.
Here are examples of risks and how they materialise:
Any company that manufactures goods knows the risk of the line shutting down. When the line stops, that costs money. There are myriad examples of production interruptions that can cause complicated problems up and down the supply chain and lead to massive losses.
If a company manufactures industrial paints, what happens when they need to print shipping labels for all the places the paint is going—and the printers fail? If the printer doesn’t spit out the labels, nobody will know which lorry to load the paint onto. They could wind up with empty lorries waiting outside and a full warehouse of paint inside, since production doesn’t just shut off immediately. They need some kind of redundancy or backup plan.
Manufacturing interruptions come in all shapes and sizes. But almost all of them are time-critical.
Logistics is a risky business on a good day. Companies deal with constant deadlines, uncontrollable weather conditions, mechanical malfunctions, and a thousand other risks every day.
Let’s say a logistics company has to deliver parcels for a client. The package someone sends to their friend goes through a huge automated facility where the parcels are sorted and put onto lorries, with lorries always coming in and out.
Now let’s say the network has a design flaw, and a DDoS (distributed denial of service) attack hits it. The attack blocks not only external data communications but internal channels as well, because the same network carries both internal and external traffic. The network is at capacity and cannot handle any more data.
That plant can’t run. Nobody can deliver parcels. But lorries will keep arriving. They keep offloading parcels into the facility. Meanwhile, automated sorting lines won’t run, and machines won’t sort. The lorries are full but can’t leave. Within hours, the facility is overflowing. Now imagine if that one facility handles about 70 percent of all parcels in that small country. It could be a major disruption to the economy.
This nightmare scenario is not unusual in logistics. The risks in logistics are high, and backup plans are critical.