Companies need to embed cybersecurity into the DNA of their organizations to combat potentially disastrous cyber threats by state actors and individuals. This is the message that Richard Clarke, former National Coordinator for Security, Infrastructure Protection and Counter-Terrorism for the United States, gave cybersecurity executives at CISOs Connect San Diego 2019.

Clarke told CISOs attending the conference about the chilling impact of cyberwar by state actors such as Russia, Iran, North Korea and China which are focused on causing “disruption” to Western states. This might range from getting access to power grids so they can cause mayhem by switching off power, to infiltrating into weapons systems as well as attacking private corporations. 

Clarke said the biggest security threats facing the United States and other Western countries were from cyber threats by state actors. Clarke is about to publish a book on his research called The Fifth Domain: Defending the Country, Our Companies, and Ourselves in the Age of Cyber Threats. In this book, he studied companies that fell victim to hackers but more importantly companies that withstood cybersecurity attacks. He found that companies that withstood cyberattacks all had three common features that all companies could adopt. These were governance, funding and a cyber aware culture.

In terms of governance, Clarke said that companies that withstood attacks all had the CISO reporting directly to the CEO, the CFO, or the Board. He said there was a natural conflict of interests between the KPIs of a cybersecurity unit and the KPIs of a CIO role As a result, companies that took cybersecurity seriously should have their CISO reporting to the C-suite or board. 

“The governance part sounds untechnical. It sounds trivial. I think the governance part is key. The key difference between the companies that succeed and the companies that don’t is who the CISO reports to. If a CISO is reporting to the CIO then you are in trouble,” he told leading CISOs at CISOs Connect, a knowledge sharing and thought leadership conference run by Security Current.

“A CIOs’ interests are in keeping up the network, keeping everything easy to use. That is inherently in conflict with cybersecurity,” he said. 

Clarke added that it was essential for cybersecurity to be embedded into the culture of the organizations. This involved designing cybersecurity into company strategy and operations from the onset,  to a security mindset from the board level all the way down to the trenches.

“It is possible (not to be hacked). You have to get the governance right. You have to create a culture of security that starts at the board level and goes all the way down. Every company needs a culture of security, the right governance model and the right spend model,” he said. 

He said that cybersecurity spending should probably be around eight percent of the IT budget. For many companies, the cybersecurity spend might only be three percent, an amount which Clarke said was insufficient for combatting cyberthreats. Oftentimes, cybersecurity spending was in double digits after a company was hacked. “Companies are not paying enough to stop cyberthreats,” he said, warning that it was ultimately cheaper to spend more for a robust cybersecurity policy from the outset than having to spend after a breach. 

“They pay when they are hit, but they do not pay enough to defend it before they are hit. The amount of money you pay to stop a breach is a fraction of what you pay if you are hit,” said Clarke, who said that companies with a strong cybersecurity budget, or in some cases an open checkbook were less likely to be hacked based on his research. 

Clarke finished off his address to some of the U.S.’s leading CISOs by saying that companies cannot rely on governments. He said governments can do R&D and they can handle regulation. However, there is no replacement for a company implementing its own aggressive cybersecurity policy by acknowledging from the onset that a cyber breach is not a nuisance but a potentially disastrous outcome. 

He reminded the conference attendees that companies need to understand also that cybersecurity is a moving target as the technology changes as do the threats. “Companies need to design cybersecurity from the start.” 

CISOs Connect is the United States’s leading cybersecurity conference bringing CISOs together to share knowledge and best practices. It is run by Security Current and takes place twice every year with this year’s conferences taking place in Miami and San Diego.