Geopolitics, cyber threats, the CISO, and the Board
As Carl von Clausewitz said, “War is merely a continuation of politics by other means.” State actors therefore naturally look to exert their influence, power, and domination in cyberspace as well, as they always have: first through (cyber geo)politics and later, if necessary, through (cyber) wars.
In layperson's terms, cyber geopolitics is the study of cyberspace as a field where political power struggles and efforts to maintain hegemony take place. Naturally, then, state actors will seek to exert power and influence in it through economic pressure, diplomacy, negotiation, the domination of strategic sectors, and cyber conflicts. It is ultimately a competition for land, energy, and resources carried over into the network of cyberspace.
But what would be the equivalent of land, energy, and resources in cyberspace’s power struggle? Cyber geopolitics is very closely linked to big data. Collecting and leveraging data, information, knowledge, and wisdom grants you power (at least in theory), making big data the new oil. Cyberspace offers a unique and entirely new cyber oil field to be exploited.
Among the usual suspects, we have cybercriminals, hackers, and state-sponsored actors. The last are by far the most dangerous, given that they have the capacity and resources to carry out what are called APTs, or Advanced Persistent Threats. APTs are long-term, stealthy, highly complex, and targeted cyber-attacks that use a powerful combination of different techniques and tools.
As big data is the new oil, information continues to be the main pillar of decision making in any enterprise. Information is power, says the old adage. The more of it you can get your hands on, the better the decision making, in theory. Consequently, state-sponsored actors proactively seek to capture valuable data, which in most cases is in the hands of businesses and companies, and not so well guarded. This is why a CISO needs to be aware of the cyber geopolitical environment and context in which her company operates.
In his book Cyber Threat, Cyber Geopolitics and Security expert MacDonell Ulsch explains it clearly: “The cyber threat is a board of directors’ issue. Yet when some senior executives and board members hear the word ‘security’ or ‘technology’ there is a disconnect. They think it’s not their issue. Let the technology people deal with it. Let the security people deal with it. Although there is evidence that this perception is changing, we have a long way to go. The word ‘cyber’, they are starting to get.”
“How do you get people in the workplace to pay attention to information security? Answer: Make it personal and tell them what’s in it for them. The question may then be asked: how do you get the board of directors and executive management interested in information security? The answer is much the same. Make it personal and tell them what’s in it for them. Effectively managing risk is personal. Information security is personal. We don’t always interpret it that way, but it is.”
“The Chief Information Security Officer (CISO), in tandem with others, will have to create this momentum, along with the general counsel, chief risk officers, and others. “The focus of information security and cyber risk management is heading in the right direction,” according to M.J. Vaidya, CISO for Americas at General Motors and an adjunct professor at New York University’s School of Engineering. “The role of the CISO is clearly changing and growing,” he says. “The CISOs of today have to embrace ambiguity, focus on risk, build relationships throughout the organization, gather intelligence, and consistently innovate.” From the book Cyber Threat, by MacDonell Ulsch.