Cybersecurity 411: Implementing Governance
A lack of due diligence with cybersecurity can lead to hefty financial penalties, lost business and productivity, regulatory fines and litigation. But cybersecurity starts with executive buy-in. Without it, the program will have no direction to succeed.
by Jeremy Rasmussen
This is the second in a series of articles to inform multifamily professionals of the current cybersecurity threat-scape and recommend best practices for dealing with these issues.
PART II – A Leadership Discussion: Implementing Proper Cybersecurity Governance
Even though I am a technology professional, I can say unequivocally that cybersecurity starts with executive leadership. It can’t be a grassroots program started by the IT department. Without management buy-in, a cybersecurity program has no direction, no funding, no teeth.
The first issue is for a company’s leadership to care about cybersecurity and want to do something about it. Usually, this is driven by the bottom line. As we pointed out in the first of this series, The Value of Your Information, we can show quantitatively that information—especially in the multifamily industry—has great value. A lack of due diligence in protecting it can lead to hefty financial penalties in terms of lost business and productivity, regulatory fines and litigation.
Just waking up to this issue is the beginning, but tackling it can quickly go awry. Once awareness has set in, executive leadership will typically do a couple of things. First, they might call their insurance agent and ask if they have cyber breach coverage. The agent is delighted (or perhaps surprised) to get this call, and might lead them down a path of coverage that will have some caveats requiring certain protections are in place. So, the company creates an ad-hoc cybersecurity road map out of these requirements and attempts to address these. Second, they probably reach out to their IT manager, managed IT services provider, cloud hosting company, software developer, cable technician, or anyone that can spell IT, and ask them how to address the issue.
However, either of these approaches is scattershot and does not adequately address some of the fundamental issues. Neither the insurance agent nor the IT professional is likely a cybersecurity expert and neither is going to be able to provide a holistic view of cybersecurity by considering issues that affect every layer of the corporate computing infrastructure. It’s almost unfair of the executive to levy this burden on someone who is ill-equipped to handle it.
Keep it Separate
With any sizable organization, proper governance dictates that you have two accounting firms—one that does your taxes and another that provides audit. Those two are always distinct for obvious reasons: separation of duties, checks and balances and having another set of eyes. It’s the same way with IT and cybersecurity. In this model, IT is like your tax accountant and cybersecurity is your audit. The two are separate, distinct and never co-mingled.
Cybersecurity is probably not something you want to do on your own. First, you can’t check your own work. Second, the issues are complex and you probably don’t have the in-house expertise to accomplish it. Third, cybersecurity professionals don’t grow on trees. It is estimated that there is a 2-million-person shortage in global cybersecurity personnel.
We find that successful analysts have not only hard computer science skills—such as knowledge of computer architectures, operating systems, networks, databases and web – they also possess specialized critical thinking skills. They like puzzles and are creative problem-solvers. To recruit, train and retain a team that provides 24/7 visibility into network threats would require at least six, if not more, of these highly-specialized analysts. I would challenge even the largest firms in the multifamily industry to assemble such a team.
Another important consideration is that you ought to choose a cybersecurity firm that can do it all. We have run across many organizations that have a “pen-test guy” or a “PCI compliance guy.” While these firms were lucky to find a competent expert or two—again, they are going to run into the issue of a fragmented and ad-hoc approach. A company would do much better to find a trusted partner that can handle any and all aspects of cybersecurity.
If you have to vet a dozen different cybersecurity vendors, each having its niche area of expertise, or if your cybersecurity partner can’t address all of your services, training, outsourced Security Operations Center (SOC) monitoring and solutions needs, then you should consider a partner who can help in all of these areas.
Finally, the time to engage with your trusted cybersecurity partner is not after you have finished building out your network. We often talk to firms who are in a “transition”—e.g., they just hired a new IT manager, they are moving into the cloud, or they are rolling out a new property management software solution. Whereas they recognize a need for cybersecurity, they are just too busy now, and vow to engage with us after they’ve finished their current project.
In other words: “We are going to invest time, effort, and capital into a massive IT project and we’ll call you after we’re done to check it.” Hopefully, the folly of this approach is clear. If you don’t “bake in” cybersecurity to the system from the beginning and try to “bolt it on” at the end, your security controls will be more expensive and ultimately ineffective. The best time to engage with a trusted cybersecurity partner is at the outset of a project, not the completion.
Jeremy Rasmussen is chief technology officer & cybersecurity director of Abacode, a company based in Tampa, Fla., that provides all aspects of cybersecurity for growing organizations and employs global thought leaders and industry experts in ethical hacking, digital forensics and corporate governance.