Inspiring conversations at my kitchen table
By Rick van Rijsewijk
Many years ago I was helping the security officer of a young Dutch tech company with a global risk assessment. They were going through a phase of hyper growth, which meant that a lot of basic stuff just wasn’t in order, including security. What we uncovered was so bad that we concluded that the lack of rigorous and well-planned security measures constituted an existential danger to the business. And we needed to make the founder and CEO aware of this.
I will never forget that meeting; it was a defining moment in my career.
It already started when we entered his office; he shook hands with the security officer and said something like: “So, you are from the dark side of the organization”. He sat down, rubbed his hands across his face, took a deep breath and with a desolate look on his face surrendered: “Ok then, go ahead, let’s discuss security”.
Like he was going to the dentist: “I know I have to do this, but I am not looking forward to it.” And for the next 45 minutes we were drilling in the holes, telling him about all the threats and vulnerabilities we uncovered and vividly describing all kinds of terrifying scenarios that could happen to his business that they were not prepared for. He was looking more and more depressed; it was not a pleasant experience.
Then we ended the meeting by explaining to him what needed to be done to fix all this, including the costs. The one hour we had with him ended and he had one last question for us: “Guys, tell me, will this increase our sales?”
An uncomfortable silence followed; we were not prepared for this question. We mumbled something meaningless about reputation and he quickly ushered us out of his office.
His last question was a mind bullet. I now understood why security is never high enough on the agenda of executives and why the security officer will never be the most popular person in the organization, to say the least.
That set me on a path of discovery. I wanted to understand how to have engaging conversations around cybersecurity in the boardroom. I called our global cyber leader in the US and got his support to fly all over the globe to talk to the CEOs, CFOs, CIOs and CISOs of our biggest clients to listen to them and develop this story. It was both professionally and personally an enlightening experience.
One of the biggest insights from these meetings was that all of the executives we talked to were quite aware of the problem, including the CEO. They all knew that the organization is completely dependent on technology and that this dependence will only increase, and that this technology is getting more open and connected and therefore more vulnerable to attacks. They hear about the latest cyber-attacks in the news and know that the threats are increasing.
Furthermore they told us, in no uncertain terms, that there is nothing more annoying than an outsider walking into the boardroom telling them how big the problem is. We do that constantly when we talk cyber! As a security professional it is tempting to use fear to get the attention you want. And when they are scared enough, you can only hope you get all the resources you need to get the job done.
But this strategy will backfire on you. First of all, it is not attractive; you run the risk that they will not invite you back for another chat. And something like reverse psychology will kick in: blowing up the problem to large proportions automatically invites the listener to play it down: it can’t be that bad. This leads to the false impression that they are not aware of the problem, so you inflate it even more. It’s a vicious circle.
This is not limited to the boardroom: most of the dialogue around cyber risk leads to fear. It focuses on the adversaries and the threats they pose, and on the many vulnerabilities we have, with all kinds of examples where things went horribly wrong. Not only is this narrative unattractive, it also leads to the wrong approach. Fear leads to an intuitive response to lock things down. But that will hinder innovation, the free flow of information and empowerment.
Organizations and society are struggling with what I call the “digital dilemma”: what makes digital technology so valuable, open and connected, makes it at the same time vulnerable to attacks.
The Internet is a delicate dance between freedom and total control. On the one hand we have the promise of the free flow of information, the ability to connect across boundaries and cultures, a world where everything is connected and nobody is in charge. Kumbaya!
On the other hand we can enter a world of perfect control and total surveillance. A big brother on steroids; George Orwell had no idea about the technology we have available today to control people. If fear is our guide we could end up in a very dark place. What we need is trust in a digital world. And if trust is what we want, we should stop spreading fear.
There was an imperative to change the narrative by focusing on the upside of cyber risk; on how to embrace uncertainty and dare to be vulnerable. To talk about how to be open and connected, and therefore vulnerable to cyber risk, but with utter confidence. I wrote my book “Cyberrisico als Kans” and started to have talks and conversations about cyber risk with a different paradigm, exploring the upside of cyber risk.
I certainly don’t have all the answers, but the questions are so worth thinking about.
I would like to continue the conversation by inviting inspiring people at my kitchen table to discuss the upside of cyber risk and how to create trust in a digital world. And in every issue of this magazine I will share with you what we talked about and what we have learned. I hope you will join us.
Roel van Rijsewijk is a Director of Deloitte with almost 20 years of experience working for technology enabled businesses in the field of risk management. He is Senior Fellow of Deloitte’s Centre for the Edge, a research facility that helps senior executives make sense of and profit from emerging opportunities on the edge of business and technology.