Cyber Strategy Surprise!

Surprising Cyber Discovery! A cautionary tale about knowing what we know, what we don’t know and the difference


There’s a difference between having something and receiving its intended benefits. We may have workout equipment in the basement, but we don’t automatically begin to lose weight or get in shape because we have the equipment. The same applies to a gym membership. In the physical example it’s easier to know we’re not getting the benefits, because we can see them. But when it comes to cyber, well, that’s a different story.

We know we have something, but we may not know whether we’re getting the desired benefits. The absence of evidence is not necessarily evidence of absence.

Likewise, when it comes to cyber risk strategy, an organization may have one, with all the required risk-mitigating functions, but that doesn’t automatically mean these functions are working adequately to provide the intended benefit of mitigating risk. We may know we have a cyber risk management strategy, and therefore we know we have risk management functions that are operational. What we may not know is whether those critical functions are actually functional. That is, are these functions actually doing what they’re supposed to be doing?

Why? Sometimes, and in fact often, as busy executives and leaders we don’t know what we don’t know. Case in point: in the fall of 2022, a CEO engaged an outside firm to do an assessment/audit of his organization’s cyber security posture at the request of the board. He knew the organization had most of the right mitigation controls in place, but thought it couldn’t hurt to have an assessment done.

“We know we have all the right mitigation controls (firewalls, endpoint security, security monitoring, etc.) from our outsourced managed services provider,” the CEO told the outside firm at the beginning of their assessment. However, he also noted that he didn’t know what he didn’t know.

Imagine the surprise when the outside firm informed the CEO that the organization didn’t have true security monitoring from its provider. In other words, if a bad actor were exfiltrating sensitive data (e.g. PHI) from the organization, nobody would know about it. The CEO thought cyber security monitoring was in place, since the organization had been paying for it for years, and was shocked to discover otherwise. Apparently the CEO’s definition of security monitoring and the provider’s definition were very different.

This is a cautionary tale for us all: to clearly and humbly realize that sometimes we don’t know what we don’t know. The CEO and board were ultimately glad that they finally discovered what they didn’t know, even though it initially came as an unpleasant surprise.

So what can CEOs (or other leaders without deep cyber domain knowledge) do to address this strategic challenge of not knowing what they don’t know? We have a cyber leadership practice guide to help.