Inarguably, enterprises and organizations derive strategic benefit from cyber capacity, but these benefits are ensured only as cyberspace is simultaneously kept secure. In the private sector, the benefits are manifested through economic growth. Robust cyber capacity is fundamental to an empowered society and to national security. Experts assert that the key indicators of information-dependent business success are knowing the business information held by the enterprise, understanding the value of that information to your business goals, establishing a comprehensive system to protect it, and using it for competitive advantage.
Cybersecurity as an Organizational Strategy: An Ethical and Legal Perspective
Cybersecurity as Organizational Strategy
Across the board -- in business, society, and government -- the promise of cyber capabilities is matched by potential peril. The cyber environment is never static, but it is perhaps most agile in response to the continual stream of emerging cyber threats and realized cyber attacks ("PCAST," 2007). Cybersecurity must be agile. The challenges that must be met in order to secure the cyber realm for all of its legitimate constituents are enormous. Cybersecurity issues are organic, adapting to an evolving environment with the sensitivity and responsiveness of an invading microorganism. Without abusing the parallel to medical science, the best defenses against invading cyber threats are information and preparation. As such, cybersecurity can be characterized as technology plus network security plus information assurance ("Booz Allen Hamilton," 2011).
Strategic integration of cybersecurity efforts is measured by the degree to which it is integrated into enterprise risk management (ERM), overall mission assurance activities, and any associated internal and external security strategies (Bodeau, et al., 2010). The level of integration is typically expressed as follows: (a) no integration, in which each business process or program articulates its own security strategy; (b) consistency, in which the cybersecurity authorities with oversight for different business units, missions, or risk domains work to ensure the implementation of cybersecurity strategy in their own arena and do not preclude implementation of cybersecurity strategy in any other arena; (c) coordination, in which the authorities who are responsible for different cybersecurity strategies collaborate to execute the planning in order to more effectively leverage the resources of the enterprise; and (d) full integration, in which there is an overarching and enterprise-wide mission assurance strategy that includes every domain of the enterprise mission and is also effective across the larger critical infrastructure in the sector of which the enterprise may be a part (Bodeau, et al., 2010). As such, strategic integration refers specifically to the degree to which an enterprise's cybersecurity strategy aligns with, is informed by, or otherwise relates to other risk management strategies in the organization (Bodeau, et al., 2010). Typically, these cybersecurity strategies address the following: acquisition management, architecture, business continuity, mission assurance, and program management (Bodeau, et al., 2010). In the section of this paper entitled "Practical recommendations for cybersecurity strategy," integration is recommended as a key factor in effective cybersecurity strategy (Bodeau, et al., 2010).
Cybersecurity as an organizational strategy. The execution of cybersecurity is complex and multi-dimensional -- and, for many enterprises today, it is key to competitive strategy ("PCAST," 2007). Organizational cybersecurity solutions must be multi-faceted, capable of enhancing enterprise readiness and response while maintaining a robust focus on risk mitigation ("PCAST," 2007). The literature on cybersecurity spans a wide array of organizational types, including those in civil and commercial sectors of finance, energy, health, and technology, the defense industry, and national security agencies ("PCAST," 2007). This discussion will primarily present information related to cybersecurity as an organizational strategy.
Legal, ethical, and technical cybersecurity considerations. The legal aspects of cybersecurity are complex, so complex, in fact, that there are multiple categories that must be coordinated and eventually harmonized into a functioning legal framework (Schjolberg & Hubbard, 2005; Spinello, 2011). These categories include several types of governmental action: legislative efforts, judicial efforts, and criminal enforcement efforts. Under the legislative considerations of cybersecurity, there are additional legal categories, including substantive, procedural, mutual legal assistance, and protection of individual rights (Schjolberg & Hubbard, 2005; Spinello, 2011). The federal government and individual states may also enact laws that address cybercrime (Spinello, 2011).
At an international level, a number of official stakeholders have directed efforts toward combating cybercrime by harmonizing and coordinating their efforts on a global scale (Schjolberg & Hubbard, 2005). The cybersecurity issue has become a focus for the following international organizations: the United Nations (UN), the International Telecommunication Union (ITU), the Organization for Economic Co-operation and Development (OECD), the European Union (EU), and the Council of Europe (CoE) (Schjolberg & Hubbard, 2005).
Many professional organizations have codes of conduct for their members (Baase, 2008). ACM and IEEE-CS have developed the Software Engineering Code of Ethics (Baase, 2008). It is important to recognize that professional ethics are simply part of the job (Baase, 2008). It is important to be honest when working with clients -- or when conducting professional duties -- about the capabilities, safety, and limitations of software (Baase, 2008).
While the cybersecurity industry is itself subject to innumerable laws and ethical considerations, research in the area of cybersecurity must conform to additional layers of legal and ethical regulation (Schjolberg & Hubbard, 2005). In fact, the legal environment constrains cybersecurity research both through specific and outright prohibitions and through ambiguous uncertainties that make the entire prospect seem too costly and the scientific sharing of outcomes risky (Schjolberg & Hubbard, 2005). The laws dealing with communications privacy have established social barriers and sanctions against violating data confidentiality (Schjolberg & Hubbard, 2005). The fit between social expectations and network privacy in practice is not a good one, a problem that underscores why many network providers avoid granting access to researchers -- the potential legal risk, reputational risk, and overall expense appear prohibitive (Schjolberg & Hubbard, 2005).
IT, cybersecurity, and organizational performance. Government agencies are not the only entities threatened by adversaries determined to disrupt operations or steal military intelligence. Business enterprises are also targets of competitors that seek to steal intellectual property, penetrate financial databases, and break down competitive advantage ("PCAST," 2007). The economic viability of business enterprises strongly depends on the ability to look beyond communications and information technology management and assume a broader view that, pointedly, indicates an ability to move beyond reacting to cyber attacks and effectively anticipate new threats (Lynch, 2011). An effective cybersecurity effort will be characterized by the following: (a) establishing a layered defense against threats; (b) fostering a complete recognition of the enterprise's vulnerabilities; (c) reacting to, constraining, and crippling cyber attacks that do get through; (d) evolving in response to compliance requirements; and (e) establishing quick, deep learning from experience ("PCAST," 2007). The role of IT can be as essential as providing the support for an operational surge or providing the flexibility to rapidly deploy new technology (Lynch, 2011).
As with any continuous improvement initiative an enterprise might adopt, enterprises must prepare to evolve their learning through experience, but preferably through the best available intelligence in the industry. An enterprise must be positioned to effectively protect its assets, its competitiveness, and its financial viability (Lowell, 2011). Enterprise stewardship requires the discipline to prioritize expenditures and investments, among which cybersecurity must be carefully positioned due to the enormity of its potential impact on the organization ("PCAST," 2007). Increasing dependence on communications and information technology (CIT) for ordinary enterprise activity points to a greater reliance on enterprise cybersecurity defenses. Certainly a degree of resources must be diverted from direct revenue production when an enterprise decides to invest in mature cyber diagnostics and to strengthen the organization's cybersecurity position and posture (Gordon, 2010). Yet a proactive stance that enables anticipating and preparing for cyber events can avoid more costly and damaging post-attack recovery (Gordon, 2010). The costs of insufficient preparation for inevitable cyber events and/or a lack of investment in cybersecurity can be devastating to an enterprise (Gordon, 2010). The impact of successful cyber attacks will vary depending largely on an organization's dependence on technology (Gordon, 2010). Essentially, this means that not all organizations will commit to the same degree of cybersecurity investment (Lowell, 2011).
Nevertheless, an enterprise must determine how to integrate the elements of its cybersecurity initiative in order to: (a) identify vulnerabilities; (b) provide quick and effective responses to mitigate cyber events; (c) utilize cyber diagnostics that help to generate risk insights; (d) develop a cybersecurity plan that results in an evolved and enhanced organizational cybersecurity posture; and (e) provide for the opportunity of evolutionary remediation strategies (Gordon, 2010).
It is essential for enterprises to think about cybersecurity spending in much the same manner that they assess other costs and benefits (Gordon, 2010). It is entirely appropriate to apply an economic framework to cybersecurity expenditures so that enterprises may arrive at spending levels that are within budget. To take this tack will essentially force business to consider and prioritize resource allocation for the greatest possible impact and efficiency (Gordon, 2010). It is unfortunate that most organizations do not take an economic tack to cybersecurity expenditures, driven as they are by the exigencies of the environment and marketing rhetoric (Gordon, 2010). It is difficult for enterprises to recognize that cybersecurity is not necessarily a special category and that normal economic principles do apply to cybersecurity decision making (Gordon, 2010). Businesses mistakenly assume that the benefits and drawbacks associated with cybersecurity expenditures cannot be quantified or monetized (Gordon, 2010). Gordon asserts that, "[w]hen it comes to national security, this 'nonquantifiable benefits argument' is especially deafening -- and flat-out wrong" and that while it is arguably "difficult to quantify the benefits derived from cybersecurity initiatives, but that is not a valid excuse for failing to try" (Gordon, 2010). An effective strategy is to develop the best possible approximation of benefits and assign a monetary value to those benefits (Gordon, 2010). This exercise provides a platform for allocating funds that can be monitored for needed reallocations at some future time (Gordon, 2010). A more cool-headed approach to resource allocation for cybersecurity will enable enterprises to examine how they are spending money rather than just focusing on the amount that has been committed to cybersecurity (Gordon, 2010).
The development of information technology requirements must align with business demands throughout the enterprise, with the aim of ensuring that IT systems will be resilient, reliable, and fit with the organizational mission ("PCAST," 2007). The bottom line is that "technology is about engineering and implementing solutions that are modular, interoperable, scalable, and can be integrated in a cost-efficient manner" ("Booz Allen Hamilton," 2011). Fundamental to enterprise security and long-term performance is the selection of the right technologies, ranging from security for cloud computing, through communications and information technology (CIT) access and identity management, to service-oriented architecture (SOA) ("Booz Allen Hamilton," 2011). It is important to remember that a business really only has one opportunity to get cybersecurity right in order to preclude substantive damage and, ironically -- crucially -- that one opportunity comes time and time again, because the capacity of cyber threats and the cybersecurity industry itself are continually developing.
Diffusing organizational cybersecurity strategy. To leverage resources, avoid redundancy, reduce conflict, and move an organization forward to meet long-range cybersecurity goals, comprehensive policy must be integral to the effort ("Booz Allen Hamilton," 2011). Effective policy must inform and motivate the complete cybersecurity structure, such that tasks, activities, roles, and lines of authority are logically related and clear ("Booz Allen Hamilton," 2011). Cybersecurity policy must not only provide direction, guidance, and perspective to those within an enterprise; it must also promote strategy development that encourages exploration of means -- primarily options and alternatives -- to meet policy ends ("Booz Allen Hamilton," 2011). The translation of policy into a strategic operating model requires multidisciplinary mapping of the people, process, and technology functions toward a coherent whole -- an enterprise mission ("Booz Allen Hamilton," 2011). A fully formed strategic operating model will ensure that enterprise leadership "delivers a coherent and consistent decision-making structure, clarifying decision rights and a model that avoids decision ambiguity and 'paralysis by analysis'" ("Booz Allen Hamilton," 2011).
Enterprise leadership must be able to remain focused on the mission so that resources are aligned with enterprise strategy and organizational goals (Goodman, 2011). This requires that leaders hold a perspective large enough to encompass the many end-solution tactics that others within the organization will put forth as exigencies (Goodman, 2011). An overarching goal for enterprise leaders must be to develop a culture sensitive to the need for coordinated effort to safeguard high-impact investments and assets (Goodman, 2011). Moreover, this cybersecurity-centric culture must ensure that employees across the enterprise are knowledgeable, rehearsed, and mindful of cybersecurity policies and practices.
Enterprise risk management must today be characterized by many layers of defense within the enterprise and by many partners across the cyber ecosystem (Goodman, 2011). It is not enough for the layers of defense to be focused on technology alone. There is broad recognition of just how deep vulnerabilities may be in an enterprise (Goodman, 2011). While insider threat is a real and burgeoning problem in the cybersecurity realm, it is critical to understand and address the linkage of insider threat to the process, operations, management, and policy areas of an enterprise (Goodman, 2011). Cybersecurity must evolve within each individual enterprise from an information technology issue focused on protecting networks to an enterprise-wide concern that addresses all risk areas (Goodman, 2011). This evolution in enterprise cybersecurity can best be achieved when leaders work to strengthen the organization and establish dynamic and proactive capabilities (Goodman, 2011). A vigilant organization must operationalize an integrated management strategy that leverages people, technology, operations, and policy (Goodman, 2011). For leaders to manage cybersecurity and cyber capabilities, the independent elements must be brought to the fore in an integrated fashion (Goodman, 2011). This begins with leadership that can harness these critical independent elements to: (a) manage risk; (b) monitor assets; (c) monitor supply chains; (d) train employees; (e) provide for resiliency and recovery; (f) ensure program oversight; and (g) ensure performance of business-critical functions (Goodman, 2011).
Practical recommendations for cybersecurity strategy. One of the most commonly faced issues in the development of a cybersecurity strategy is addressing fragmentation ("Booz Allen Hamilton," 2011). While cyber threats rage and evolve, enterprises often grapple with outmoded acquisition and procurement driven by fiscal concerns or legacy issues ("Booz Allen Hamilton," 2011). Investments in technology may be adequate or even proactive in an enterprise, while full integration flounders and training needs go unmet ("Booz Allen Hamilton," 2011). Even after the last residue of organizational silos appears to have been eliminated, strategists may still tend to work independently of one another. An ad hoc orientation can mean that as one problem is dealt with, another one pops up.