Don’t let the headlines fool you. While the 60-day cybersecurity report emphasized that the White House should take the lead in strengthening cyberspace, the private sector shares full responsibility for that effort. Mark Gerencser, senior vice president at Booz Allen Hamilton and author of Megacommunities, puts it more bluntly. “You can’t wait to follow,” he says, “we all have a responsibility.” What’s needed, he adds, is a megacommunity in which organizations join together. So, how can your organization take the first step? ExecutiveBiz recently brought that question to Gerencser himself. Here’s his five-step action plan.
Five steps to a megacommunity
The past seven months have been a watershed period for cybersecurity. First came the Cyber Strategic Inquiry ‘08 conducted by Business Executives for National Security (BENS). Around the same time, CSIS released its own report addressing cybersecurity for the 44th Presidency. Now comes the 60-day cybersecurity review. “A common theme across all of them is that the public-private relationships need to be extended and re-crafted,” says Gerencser. Here’s how you can help:
1.) Know your vulnerabilities. Companies, particularly those with ties to DoD and other branches of the government, should get a handle on their security posture, says Gerencser. “Start with the CIO but it should ultimately be on the CEO’s agenda, and even the board’s agenda,” he says. The issue centers on more than network and data protection; it’s about understanding your operating model, your people, your culture, and your business partners. For instance, you may not outsource your IT today, but what about tomorrow? Ultimately, it’s essential that you take stock of your overall business model when assessing your current security infrastructure.
2.) Remember no company is an island. “We need to evolve from thinking about maximizing our own interests to thinking about how we can optimize the whole [e.g., defense industrial complex, etc.],” says Gerencser. He cites an example from systems theory. “Systems theory tells you that if all subsystems are running at their peak performance, the overall system will not be at its peak by definition,” he says. “If we look at ourselves as components of a larger entity, like the US national security infrastructure, we also have to realize we are not operating within ourselves for ourselves … we are trying to optimize how we all work together,” he adds.
3.) Do a stakeholder analysis. Moving forward with a megacommunity requires a knowledge of the stakeholders’ objectives, capabilities, and limits. Perform a stakeholder analysis early on. Stakeholders would be the defense industrial base, relevant government agencies, the military services, certain non-profits, academic institutions — anyone with a vested interest in the topic or problem, says Gerencser. Begin the analysis by asking yourself: “What are my customers most worried about? What are my partners or suppliers most worried about, what are they doing about it? How do their efforts fit with my own?” An effective way to get answers is through roundtable sessions, cooperative workshops, and even war games.
4.) Abandon convention. The BENS Cyber Strategic Inquiry showed that the existing legal foundation is not adequate for the US to achieve the level of cybersecurity we need as a nation. Many of the laws on the books today were crafted long before we had knowledge of or an understanding of cyberspace. The inquiry also demonstrated that current public-private partnership constructs are too limited to work effectively in an ever-changing cyber environment. Gerencser suggests, “We must require that the lawyers shift gears and take on more of a facilitation role. We need them to define the right frameworks, policies, and laws that best serve our needs.” When everyone realizes and understands overlapping vital interests, it will be easier to get people committed to action. “Once we have the proper legal foundation we will be less encumbered,” says Gerencser. “Then all we need is an effective way to work across public and private sector boundaries as a megacommunity, so we can all mobilize in a powerful and aligned way,” he adds.
5.) Pool resources to achieve resilience. “We, in industry, are part of the challenge; hence, we can’t think of cybersecurity as solely the government’s responsibility,” says Gerencser. Which means it’s time for industry to align, work together, and pool resources. It’s the only affordable way to get there. Industry is already starting to take steps in that direction. About a year ago, approximately 15 large defense companies agreed to a common set of security protocols as part of the Defense Industrial Base (DIB) Critical Infrastructure Partnership Advisory Council (CIPAC). “The DIB CIPAC can be the beginning of our cyber megacommunity … as a matter of fact being a part of this community may become a requirement in the future to contract with the defense department,” says Gerencser. “What I hope, though, is that it doesn’t become a checklist just for bidding eligibility … we’ve got to do this because we must protect all our vital interests … we are all interconnected and this is a great first step in the right direction.”
What is your company doing to be part of a megacommunity to strengthen cybersecurity?