In this Q&A, CREATe.org CEO Pamela Passman interviews Shinichi Yokohama, Head of Cybersecurity Integration for the NTT Corporation, about his new book: Business Management and Cybersecurity – Digital Resilience for Executives.
Q/ You introduce your book with a discussion of the WannaCry ransomware attack which infected 200,000 computers in 150 countries and impacted a broad range of organizations, most notably Britain’s National Health Service (NHS) in which the ambulance service was interrupted and surgeries were cancelled in more than 20 hospitals. Why highlight this cyber attack?
A/ The 2017 WannaCry attack is important to highlight in that it illuminates the complexity of the cybersecurity challenge. It highlights vulnerabilities in the technical underpinnings of our global business – from networks to software and digitized systems. It shows the impact of the international political environment and criminal activities by overseas bad actors. It also features the role of companies and their approach to implementing internal controls and extending those across their enterprise to subsidiaries, business partners and remote workers. While this example is daunting and it seems an impossible challenge to overcome, I suggest that senior management need not understand the totality of cybersecurity to effectively address it, and instead, consider it from a management perspective.
Q/ At CREATe.org, our work in helping companies address trade secret protection led to our research into cybersecurity. We often discuss the importance of “people, processes and technology” as critical to effective cybersecurity. In your book, you focus on cybersecurity as a business management issue. Can you elaborate?
A/ Over the past several decades, value-added corporate assets such as trade secrets and other intellectual property have become digitized and as such, easier to compromise. Maintaining cybersecurity means management of digitized corporate risk, and is inseparable from management strategy. The success or failure of cybersecurity management will differentiate business competitiveness within the digital economy.
There is good reason that leading companies today address cyber threats as part of an overall enterprise risk management (ERM) strategy. A cyber incident can impact businesses in a number of ways: it can threaten business continuity, impact stakeholder trust and hamper innovation and corporate growth. In order to manage digitized corporate risk, a transformative effort which is different from a conventional compliance-based approach is needed.
Q/ As you mention, cybersecurity is complex. What steps should senior management take?
A/ I believe that business executives should take three imperative actions to build cyber readiness. First, businesses must identify the core function of operations and the most critical assets that, if compromised, would yield greatest damage to the businesses. This will help prioritize objectives for protection and inform the levels of controls that need to be in place for effective defense.
Second, your team should look at ways to ensure that there are systems in place for early detection and response when attacks do occur (and they will) and plans to promote rapid recovery. Actions in this phase should include putting in place the right set of technologies that meet your priorities (e.g., system back-ups, monitoring tools); encouraging an open and swift “flag-raising” mindset through the training of employees, pseudo attacks and exercises; and implementing an incident response planning process among stakeholders.
Finally, senior management should review key cyber readiness preparations periodically at board and executive management meetings. Techniques for layered defense, and early detection, rapid response and recovery can be left to the operational site or related managers, but prioritization and risk-based judgments should be recognized and promoted by top management.
# # #
Thank you for sharing some insights from your new book. It also features a range of interesting case studies, the global management of cybersecurity and ways to collaborate with other companies and governments. For those interested in downloading the book, visit this link.