Michael D. Moberly December 6, 2010
Given the well warranted attention of late to ‘cyber security’ and ‘cyber warfare’ there absolutely should be no debate nor question about the risks and strategic (cascading, infrastructure) chaos and havouc that such deliberative (cyber) attacks could cause.
As an information asset protection practitioner however, it appears the narrative is being rather narrowly framed or perhaps overly influenced by a cyber (IT, computer) security orientation leaving little or no recognition or resources for protecting critical information that’s often misperceived as existing solely in electronic bits and bytes formats.
By framing (public, private sector) information protection – security policies and practices primarily through a cyber security and/or attack lens, which, make no mistake are indeed serious and warrant attention, offers insufficient attention, in my view at least, for the economic fact that today, 65+% of most company’s value, sources of revenue, sustainability, and ‘building blocks’ for growth lie in – are directly linked to intangible assets such as a company’s proprietary know how, intellectual property, competitive advantages, brand, reputation, image, goodwill, etc. In other words, a company or organization’s most valuable information and intellectual capital-based assets may not be found in computer-IT systems.
Information protection policies and practices with a dominant IT – cyber (risk, threat) orientation can serve to minimize, if not undermine, the equally important message (reality) for companies and organizations operating in the knowledge-intangible asset based economy, which is, everyone has, not only those in corporate IT – cyber security units, responsibilities for safeguarding proprietary mission critical information, regardless of the format that it exists or how it is stored.
Today, information asset protection and cyber security policies and practices must be collaborative and cross-functional initiatives. As information security specialists know, proprietary – sensitive business information often percolates throughout a company or organization and is not strictly confined or limited to what is accessible solely through one’s laptop, desktop, or ‘from the cloud’. In other words, mission essential and value/revenue producing (intangible) assets exist as intellectual, human, and structural capital and organizational capability.
To be sure, information security policies/practices that infer, by having a dominant IT – cyber security orientation, i.e., all valuable, important, and proprietary information (a.) evolves from, (b.) is stored in, and/or (c.) is backed-up by an IT system, can send a misleading, if not erroneous message to employees which is, ‘if the company’s IT system is proclaimed to be secure, then the company’s sensitive, proprietary and competitive advantage information must also be secure‘. But, in today’s increasingly predatorial, globally competitive, and winner-take-all business environment, that’s an assumption (message) no company can afford to convey, inadvertently, or otherwise.
For the unconvinced, try listening to cell phone conversations in hotel lobbies and airport lounges, glance at the laptop screen of the person seated next to you, or view social media pages and profiles of key
employees. The ‘roadmaps’ to a company or organization’s crown jewels which an adversary can hear or observe in these, and many other circumstanes that are well outside the conventional cyber (computer/IT) security realm is genuinely astonishing.
It is certainly not my intent to be dismissive about our capability to rapidly identify, assess, and successfully and consistently thwart the very real risks and threats posed by cyber attacks which, as most realize, can target specific centers’ of the U.S. infrastructure, i.e., banking, healthcare, transportation, energy, etc. Having effective defenses against cyber attacks are an essential ingredient to our national and economic security and sustainability.
But, its also important to recognize that both (cyber) terrorist organizations and economic/competitive advantage adversaries can acquire, with varying degrees of ease, a single company or organization’s most valuable and treasured trade secrets and competitive advantages and literally wreak economic and market havoc, one company or one organization at a time. As former FBI Director Sessions is credited with saying, ‘our economic security equates with our national security’.