An ongoing perfect storm of major challenges is forcing company departments to work together better than ever – and as new partnerships are drawn, a former FBI investigator and resiliency expert warns, it’s crucial that you know when it’s time to fire your CISO.
Bushfires, the COVID-19 pandemic, widespread flooding and the Ukraine conflict have made the past few years “a wakeup call”, former FBI agent and intelligence division head Tracy Reinhold told Information Age, as the pandemic elevated vaccine policy to the board level and companies were forced to quickly change strategies in areas such as remote work and supply chain resilience.
Although many companies adjusted to delivery-based business models or adapted to supply chain issues, others struggled after years of ignoring resilience in the quest to boost revenues.
“A lot of organisations,” said Reinhold – who now works as chief security officer with critical response specialist Everbridge – “simply because they didn’t have that posture before the pandemic, actually did not survive.”
Many survivors did so by overhauling internal collaboration to ensure department heads, executives, and workers were on the same page – a ‘fusion centre’ approach, popularised in government but making its way into the private sector, that speeds disaster response, information sharing and decision-making by bringing together representatives of relevant agencies.
“It’s about how we look across the organisation from HR to legal, finance, product development, engineering, and so on,” Reinhold explained. “That’s how you establish and maintain resilience.”
Cyber security’s heightened profile had made security expertise key to a successful fusion centre – but for the strategy to really work in companies where security has long been “stovepiped”, Reinhold said, “security needs to be more business-minded.”
Security expert Tracy Reinhold. Photo: Everbridge
CISOs “need to be able to build a business case that resonates with non-security professionals, and they need to be honest about the risk that the organisation is facing,” he said.
“And if a CISO says to the board that they are 100 per cent protected against cyber threats, they should probably be fired – because that is an impossible standard to meet.”
“It’s about managing the risk that’s known, doing everything that’s possible to prevent it, and being able to develop a response plan that mitigates the damage.”
Building national resilience
That system, which delivers disaster updates straight to the mobiles of affected or potentially affected residents in a given area, “will ensure we are well prepared to keep communities informed and get vital information out as quickly as possible,” Victorian Emergency Management Commissioner Andrew Crisp said as the system was being tested in 14 rural Victorian areas last year.
When building a nationwide resilience strategy, Reinhold said, governments need to step back and ensure that their systems could adapt to whatever threats faced the country – a flexible approach that businesses should also emulate.
“What we don’t want to do is to focus on yesterday’s threats,” he explained. “We need to be open to the idea that we can expect the unexpected, which means developing the ability to respond or to identify, respond and recover from a disruption regardless of what that disruption is.”
Disruptions never come one at a time, of course, with businesses now facing a many-faceted assault from pandemic-induced staff shortages, increased cyber security risks and supply-chain interruptions caused by Russia’s invasion of Ukraine.
Such interruptions often have unanticipated consequences: the Ukraine invasion, Reinhold noted, has even affected the worldwide manufacture of electric vehicles because “certain components that were made in Ukraine are no longer available”.
“How do we identify potential disruption and pivot to a new supplier that we have waiting in the wings?” he asked.
Quickly evolving strategy was also crucial as Everbridge was engaged early in the invasion to help evacuate many Ukrainians, and found the process increasingly difficult as commercial airspace closed down.
“The teams had to get more creative in how they were doing it,” Reinhold explained, with team members calling on specialised partners and contractors to provide particular capabilities they required to ensure the response could continue.
More than two decades with the FBI taught Reinhold a lot about what can go wrong – and best managing it, he said, requires strong and ongoing partnerships at every level.
“Governments are always behind the public sector when it comes to technology, so part of that resilience from a country perspective has to be the partnership between the public and private sector.”
“Fusion centres, collaborative cooperation, and trust are important – and if you can fix those three, the rest will fall into place.”