Fire Hydrants in the Forest - Business Leadership in Cybersecurity

By Philip Reitinger


Cybersecurity risk is real. Ransomware, theft of confidential information, and disruption of your smart devices like thermostats are not merely threats to your networks and information, they are threats to your business. Like most businesses you are probably struggling to survive in a world beset by a pandemic – you can’t afford another significant loss.

There is both good and bad news here. The bad news is that you do have another worry, that the risk from things like ransomware is growing and you can’t completely prevent damage to your business. The good news is that you as a leader can do very significant things to reduce your risk, and you don’t have to spend a whole lot of money or be a cyber expert to be successful.

To be successful protecting your business from cyber threats, you simply have to be a leader. A business can mitigate cyber threats by using people, processes, and technology but using only one of these tools won’t work. People who aren’t careful can avoid any cybersecurity technology. Your business requires a sustained effort to use your team to help secure your operations, to implement enduring processes, and to deploy technical protections (which can be free), but none of these will be sustained without leadership commitment. Your people, whether you have five employees or 50,000, take their cue from you. All of your business functions roll up to you as well, whether people, process, or technology.

This is undoubtedly why the first Cyber Essentials toolkit from the U.S. Cybersecurity and Infrastructure Security Agency focuses on the Essential Element: Yourself, the Leader:

Being a cyber leader does not require technical expertise, but rather an ability to change the culture of your organization. Reducing your organization’s cyber risks requires awareness of cybersecurity basics. As a leader, you need to drive your organization’s approach to cybersecurity as you would any other hazard (e.g. how you identify risk, reduce vulnerabilities, and plan for contingencies). This requires an investment of time and money, as well as the collective buy-in of your management team. Your investment drives actions and activities, and these build and sustain a culture of cybersecurity.

Most important, you as the business leader have the best insight into your risks and needs. At the end of May I was walking in a U.S. national park, Wolftrap Farm Park. I ran across this fire hydrant in the middle of the park surrounded by woods.  It seems excessive – is the footbridge worth the cost of putting the hydrant here? The answer: probably not, but the park is bordered by homes. And inside the park is a venue called the Filene Center, a beautiful, large wooden facility that burned down in 1982. Is reducing that risk, even a little, worth the small cost of a few fire hydrants in the woods? I think so.

But what I think doesn’t matter, especially not to your business. What you think matters. You have the best understanding of where to put the cyber fire hydrants, in the woods or not. You have the ability to focus the attention of your team and devote resources to mitigating risk. Of course, you have limited resources but assigning those in the best manner is one of the things a leader does. You have help, both through CISA’s Cyber Essentials and through tools such as the GCA Cybersecurity Toolkit for Small Business, which includes free tools you can use to help address the Cyber Essentials recommendations (available in English, French, Spanish and German), as well as the Cyber Readiness Institute’s Cyber Readiness Program to help small businesses be cyber ready.

You can do this.

The author, Philip Reitinger, is the President and CEO of the Global Cyber Alliance. You can follow him on Twitter @CarpeDiemCyber.