"C" Is For Clueless
Why Executives Fail Miserably With Cybersecurity


Shawn Stewart
Mr. Stewart has 27 years of experience with hundreds of international, commercial, military, and government IT projects. He holds certifications with ISC2, Cisco, Microsoft, CompTIA, ITIL, Novell, and others. He has a Master's in Cybersecurity, a Bachelor's in IT, a Minor in Professional Writing, and is a published author.
WARNING!
The United States Federal Government is coming for you. When you fail to properly protect your data, you can and will be sued or fined. As we have seen, no company is immune from cyberattack or data breach. Some states are also holding companies accountable on top of Federal penalties. If you are clueless about cybersecurity, it may not be your fault. But you are still wearing a target.
Ask Timothy Brown, Chief Information Security Officer (CISO) for SolarWinds. He, along with SolarWinds, is being sued by the US Securities and Exchange Commission (SEC) for fraud, the allegation being that the company misled investors about its security practices and risks in connection with the compromise of its product in 2019 and 2020. Read more here. (Link)
In 2023, Blackbaud, Inc. paid nearly $50 million in regulatory fines and settlements for a 2020 ransomware attack that affected more than 13,000 of its customers. It was also required to correct its security policies and technology to reduce the chance of future attacks and breaches. Read about it here. (Link)
Publicly traded companies are not the only targets. The US Department of Health and Human Services (HHS) settled with the non-profit New York hospital Montefiore for $4.75 million for HIPAA violations stemming from a 2015 data theft. HHS also imposed a corrective action plan to ensure the hospital's policies and Information Technology (IT) systems stay secure. Read the story here. (Link)
Clueless But Accountable
State and Federal regulators intend to hold every company, publicly traded and privately held, accountable for cybersecurity failures through fines and lawsuits, and insurance typically will not cover those. Cybersecurity was likely the least of the issues facing the leaders of these companies. They probably believed their Vice Presidents and technical staff when told they were secure. Except they were not. They were exposed and vulnerable.
The C-Levels take the brunt of failures, but is there any job less desirable today than CISO? If you have not designated your CISO as a Section 16 Officer under the Securities Exchange Act of 1934, your CISO may not be covered as an executive or officer by your Directors and Officers (D&O) insurance. Who would want such a public job where you personally become a litigation target? How do you prevent this in your organization? Who do you trust?
Knowledge Gap
Should anyone expect the Chief Information Officer (CIO), Chief Technology Officer (CTO), or CISO to have hands-on technical understanding of all the technology in their organization? Not likely. Yes, it would be wonderful if your technical C-Levels started in the corporate IT Help Desk and worked their way up the corporate ladder. They would have institutional knowledge and a better understanding of policies and processes that an outsider simply would not. This is extremely rare.
Would anyone expect the technical VPs to have hands-on technical knowledge and certifications? Again, not likely. On whom, then, is corporate leadership expected to lean to protect the company, investors, employees, vendors, customers, and data against cyberattacks and breaches?
Who The Clueless Trust
Experience tells you who cannot be trusted. Will you trust the salesperson who stands to earn a six-figure commission? Will you trust other C-Levels based on what worked for them at other companies? Will you trust your own non-technical judgment based on cost? Will you trust your IT Manager who constantly complains about the lack of funding?
Do you need the latest software protection? Better firewalls? Outsourced 24/7 security monitoring? Maybe more training for everyone in the company from the top down? Policies? Of course! Penetration testing and cybersecurity insurance? Yes, you need them all and more. But to avoid being clueless you need trusted inside expertise even more.
Directors To The Rescue
The gap between the technical and business operations of any company is filled by its Directors. A secure company may have several Directors covering Customer Experience, general IT, or Cybersecurity. The Director MUST stay abreast of the latest threats and technology while keeping their fingers on the pulse of company policy. They are the glue of the secure organization.
Directors are handed the corporate vision and roadmap by leadership. This, of course, requires the company to have written policies. Directors translate between corporate vision and technical reality. At this level leadership skills expand and the basics of corporate politics are honed. The Director works with peers at her level to resolve issues and conflicts, shielding executives from daily concerns. Directors should be considered upper management in training.
Far too many corporations insert excess positions between Directors and C-Levels. There is a myriad of managers, VPs, and liaisons swallowing budget and clouding judgment. Like a game of telephone, the Director's professional recommendations are twisted at each level until the message received in the boardroom lacks technical merit.
How The Military Does It
Let's use a military analogy. We will call the technical staff Enlisted and the upper management Officers. In the military, you cannot go from Enlisted to Officer without extensive training. You can become an Officer with college-level training, bypassing the Enlisted route. I am willing to bet most CEOs and CFOs started at the bottom somewhere, a mail room or an accounting office. You did not start where you are, and if you did, you have no connection with the employees and struggles within your company.
In the Army, as an example, no Officer could manage their Enlisted resources without a strong, tested Sergeant. Sure, an Officer can bark orders through a bullhorn, but it is the role of the Sergeant to ensure orders are carried out as the Officer expects. Sergeants say the Officers they respected most were the ones who once stood where they stand, as Enlisted soldiers. Having been there yourself helps you understand what you are asking of the Enlisted.
Today, unfortunately, most hiring managers forget that Directors are not born or made in a factory. If you hire your Director because they have a Master's degree and professional certifications, you will get someone with no technical experience. If you hire one from another company with years of experience as a manager or Director but no technical expertise, you bought a paper tiger. There is no effective technical leader without hands-on technical expertise, unless they stood on the heads of their engineers.
Technically Not Clueless
Would you allow a mechanic to repair your Mercedes just because they passed a certification exam? Would you hop on a plane with a pilot who only flew simulators? What about hiring an electrician to wire your house with only an electrical engineering degree? Well, the law prohibits electricians from practicing without serving under a Master Electrician and receiving years of practical, hands-on experience. One industry has it figured out.
You hire a Director from another company with ten years of experience. What are her technical specialties? She has a Master's degree from Georgetown in IT Management. Great! How much practical hands-on IT experience did she receive at Georgetown? None. Short of learning the bare basics of a few programming languages, there is ZERO relevant technical experience anywhere in academia. I will cover that in a future blog post.
Even if you find that unicorn that rose from the ranks and somehow made it to Director from the Help Desk, odds are they are not familiar with the technology at your company. But you don’t need an expert at everything. A strong Director only needs to know how the technology works in reality, not theory.
How Other Industries Manage
Your long-term solution is a farm system, just like baseball, or the Master-Apprentice model. I commend the few companies I know that run these programs. They find bright, talented people in the lower positions and place them on what some call the "Leadership Track". This is great for those who aspire to manage. Notice I said Manage, not Lead. A real Leader would never refer to herself as a Leader.
Not all technical people want to be in management. Many brilliant engineers and programmers would make terrible managers. In fact, the abhorrent practice of deliberately removing highly paid IT engineers for cost savings, or promoting based on tenure, is self-destructive. A balance must be struck to find the individuals who offer both technical expertise and the ability to lead.
What if you outsource your entire IT department and only want a Director to wrangle your vendors? Learn about pitfalls of too many vendors here. (Link) Your Director must then be MORE technical, not less. No single vendor can provide all services a company needs without breaking the bank.
You will have a stack of different vendors each handling a sliver of your technology. Without clear delineation of duties, vendors will simply point fingers at one another. You need a strong technical Director to cut through the baloney.
Vendors do not care about customer service beyond their metrics. They are also less likely to take the time to understand your workflows or familiarize themselves with your employees. IT is not just problem resolution. It requires "deskside" manner, similar to bedside manner for medical professionals. Directors are the voice of the user to vendors who barely meet, or fail to meet, customer satisfaction.
Artificial Intelligence (AI) will not save you. Most “AI” isn’t actually AI. Read about what AI is and isn’t here. (Link) No one wants to talk to a computer or be dismissed as just another ticket. Talk about a morale killer!
I am a huge proponent of outsourcing, especially in cybersecurity. Don’t do your own taxes or defend yourself in court. Don’t attempt cybersecurity without the proper resources. You cannot expect to outsource everything with any level of success. Systems may stay up but how will it affect employee opinion of leadership? Corporate IT requires both psychological and financial considerations.
Clueless, Careless, & Liable
Then there are those C-Levels reluctant to fund cybersecurity. If you are not operating under a security framework or compliance structure (NIST CSF or ISO 27001, for example), you are clueless, careless, and liable. If you do not complete an annual Risk Assessment, a common first step in most frameworks, how can you possibly know what is important to protect in your company? Risk Assessments also produce target spend amounts for protecting your systems.
If your Salesforce database produces $100,000 per day while online, how much should you spend to ensure Disaster Recovery (DR) and Business Continuity (BC) for when, not if, it goes offline? Easily millions. What? Millions? Yes. If you are not willing to spend the money to protect your revenue, you should not be in business. And you likely will not be for very long. You cannot bury your head in the sand and pretend equipment failures or cyberattacks will not happen.
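As an added example (not part of the original post), here is the quantitative risk-assessment arithmetic behind that answer, written in Python: single loss expectancy (SLE), annualized loss expectancy (ALE) and return on security investment (ROSI), which is how most frameworks turn "what does downtime cost" into a defensible spend target. The $100,000-per-day figure is the post's; the outage lengths, incident frequency, recovery costs and control cost are constructed assumptions for illustration, not figures from any company.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario for a single system, in the SLE/ALE vocabulary
    used by most risk frameworks."""
    name: str
    daily_revenue: float        # revenue lost for each day the system is down
    outage_days: float          # expected days down per incident
    aro: float                  # annualized rate of occurrence (incidents per year)
    recovery_cost: float = 0.0  # incident response / restoration cost per incident

    def sle(self) -> float:
        """Single loss expectancy: the cost of one incident."""
        return self.daily_revenue * self.outage_days + self.recovery_cost

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle() * self.aro


def annual_risk_reduction(before: Scenario, after: Scenario) -> float:
    """Expected yearly loss that a control removes."""
    return before.ale() - after.ale()


def rosi(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Return on security investment: (risk reduced - control cost) / control cost.
    Positive means the control pays for itself on expected-loss terms alone."""
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (annual_risk_reduction(before, after) - annual_control_cost) / annual_control_cost


def break_even_spend(before: Scenario, after: Scenario, years: int) -> float:
    """Largest total spend over `years` that the risk reduction still justifies.
    This is the 'target spend' a risk assessment hands to the board."""
    return annual_risk_reduction(before, after) * years


# Constructed example: the post's $100,000/day system. Outage lengths, ARO,
# recovery costs and control cost are assumptions, not data from any company.
NO_DR = Scenario("CRM, untested backups only", daily_revenue=100_000,
                 outage_days=21, aro=0.5, recovery_cost=250_000)
WITH_DR = Scenario("CRM, tested DR/BC plan", daily_revenue=100_000,
                   outage_days=1, aro=0.5, recovery_cost=50_000)
DR_ANNUAL_COST = 400_000  # assumed yearly cost of running the DR/BC program


def summary(years: int = 5) -> dict:
    """The numbers a Director would put in front of the board."""
    return {
        "ale_before": NO_DR.ale(),
        "ale_after": WITH_DR.ale(),
        "rosi": rosi(NO_DR, WITH_DR, DR_ANNUAL_COST),
        "break_even_spend": break_even_spend(NO_DR, WITH_DR, years),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:>18}: {value:,.2f}")
```

With these assumed inputs the untested-backup scenario carries an ALE of $1.175 million, the tested DR plan brings it to $75,000, and the five-year break-even spend is $5.5 million, which is the post's "easily millions". The method is what matters: replace the assumptions with the outage lengths, frequencies and costs your own Risk Assessment produces, and the same arithmetic gives your target spend and a ROSI you can defend in the boardroom.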
When the IT Director tells you a process or application is needed, why don't you trust her? If the Clueless Information Officer said it, with no technical experience to back it up, you would believe him. Why? It looks like the whole boardroom is Clueless. Trust but verify. Don't trust the salesperson making commissions. Don't trust the executives who have only seen a PowerPoint on the subject. Trust the subject matter experts you confidently hired as your liaisons between management's vision and IT's reality.
Need Help?
Reach out to us! We’re all in this together. Visit our contact page to submit an inquiry. Also, please follow us on social media for the latest updates.