Michael D. Moberly March 24, 2012
Information asset protection and cyber security policies and practices must be collaborative and cross-functional!
The attention the private sector and government agencies give to ‘cyber threats, security and warfare’ is well warranted. There should be no question about the cascading effects and infrastructure havoc that deliberate and massive cyber attacks could create. Identifying the best strategy and/or practices companies and governments should engage to address this challenge is, of course, where much of the debate still lies. That is, the U.S. remains somewhat distinctive from most other countries because our key pillars of infrastructure are generally privately owned and operated, apart from direct government control.
From an information asset protection practitioners’ perspective, however, the narrative on such an important and potentially catastrophic subject is being, in my view, too narrowly framed and perhaps overly influenced by an IT – computer security orientation. Doing so leaves little or no recognition for protecting critical – sensitive (private sector and/or government) information that exists in formats other than electronic bits and bytes. This seemingly prevailing but misunderstood perception about where and how valuable/sensitive/classified information is housed and safeguarded with respect to critical pieces of U.S. infrastructure creates its own sets of challenges.
Framing (public, private sector) information protection – security policies and practices primarily or solely through a cyber-attack lens, which, make no mistake, is serious and warrants our full attention, in my judgment tends to give short shrift to the economic fact that 65+% of most companies’ value, sources of revenue, sustainability, and ‘building blocks’ for growth evolve directly from (information-based) intangible assets today, e.g., a company’s know-how, intellectual property, competitive advantages, brand, reputation, image, goodwill, etc. In other words, an organization’s most valuable information assets exist as intellectual capital and thus may not be necessarily found or housed in computer and IT systems.
Information protection policies and practices dominated by an IT or cyber (risk, threat) orientation tend to minimize or even overshadow the reality that most organizations today operate in an extraordinarily competitive and predatorial knowledge-intangible asset based global economy. In such an irreversible global business (transaction) environment where information is acquired, processed, and disseminated in nanoseconds, safeguarding and securing valuable information-based intangible assets should not be conceived nor practiced solely through an IT – cyber security perspective. Instead, responsibilities for safeguarding proprietary, mission critical, and/or classified information to counter and/or sustain reasonable infrastructure operation normalcy must be embedded in our respective orientation, regardless of the format in which that information exists or how it is stored, which increasingly is in the form of intellectual capital.
Today, information asset protection and cyber security policies and practices must be collaborative and cross-functional initiatives. As information asset protection specialists know all too well, proprietary – sensitive business information generally percolates throughout a company or organization and is not strictly confined or limited to what is accessible solely through one’s laptop, desktop, or ‘from the cloud’. In other words, mission essential and value/revenue producing information-based intangible assets exist as intellectual, human, and structural capital and organizational capability, most of which are necessarily conducive to being reduced to electronic bits and bytes.
Information safeguard policies and practices that imply, by having a dominant IT – cyber security orientation, i.e., all valuable, important, and proprietary information (a.) evolves from, (b.) is stored in, and/or (c.) is backed-up by an IT system, can send a misleading message, e.g., if an organization’s IT system is proclaimed to be secure, presumably the organization’s valuable, sensitive, proprietary and competitive advantage information is also secure, which we know is not the case. Unfortunately, in today’s increasingly predatorial and incessantly thirsty global environment for information, that’s a message no organization – company should accept carte blanche.
For the still unconvinced, try examining the numerous, readily accessible, and quite simple (online) ‘roadmaps’ to an organization’s crown jewels, e.g., listening to cell phone conversations in hotel lobbies and airport lounges, glancing at the laptop screen of the person seated next to you, or viewing social media pages and profiles of key employees and/or their families. In these venues, an economic, competitive advantage, and/or national security adversary can hear, observe, and analyze content, much of which is outside the conventional cyber (computer/IT) security arena.
It is certainly not my intent to be dismissive about the absolute necessity to rapidly identify, assess, and successfully and consistently thwart the very real risks and threats posed by cyber-attacks which, as most realize, can target specific pillars of the U.S. infrastructure, i.e., banking, healthcare, transportation, energy, defense, first responders, etc. Having effective defenses against cyber-attacks is an essential ingredient to our national and economic security and sustainability.
But, it’s equally important to recognize that both (cyber) terrorist organizations and economic/competitive advantage adversaries can acquire, with varying degrees of ease, a single company or organization’s most valuable and treasured trade secrets and competitive advantages and literally wreak economic, market, and thus a comparable level of infrastructure havoc, one company or one organization at a time. As former FBI Director Sessions is credited with saying, ‘our economic security equates with our national security’!