Hello INNOVATEwest Community,
This article was originally posted to the SAAS NORTH blog on January 19, 2023.
Your cyber team is there to empower your mission—but they can’t if they’re treated like security outsiders who kill all growth. Instead, CEOs should engage with cyber leaders as part of the due diligence and innovation process. Speaking with INNOVATEwest, Ismael Valenzuela Espejo, the Vice President of Threat Research & Intelligence at BlackBerry, explained the three things he wishes all CEOs knew about innovation and cyber risk.
Key takeaways:
- The goal of cyber is to identify the prevention, detection, and reaction mechanisms necessary to keep your business safer as it grows.
- Cyber plans need to be custom, so CEOs should explain what matters most to the organization, who has access to that core asset, and how data flows in the org.
- There is no risk-free option; instead, CEOs should ask cyber leaders for different pathways forward with the risks associated with each so they can make an informed decision.
Dave Tyldesley
Co-Founder/Producer SAAS NORTH & INNOVATEwest
Editor INNOVATEwest PULSE
Cybersecurity is part of innovation. But it doesn’t always look that way.
While many CEOs deeply care about cybersecurity from a protection perspective, it’s often assumed to limit innovation rather than empower it.
Ismael Valenzuela Espejo, the Vice President of Threat Research & Intelligence at BlackBerry, has seen the other side—where minding cybersecurity helps foster innovation.
Speaking with INNOVATEwest, Ismael explained the three things he wishes CEOs knew about cybersecurity and innovation.
1. It’s about prevention, detection, and reaction
When talking about cyber planning, Ismael wants CEOs to think of a jewelry store.
“Would you put the safe with your jewelry and gold close to the front door, where anybody could pass by and access it? Of course not,” said Ismael.
First, you need to take preventative measures, such as putting the safe behind walls and doors. Second, you need a detection mechanism, such as a camera pointing at the safe door or motion sensors in the safe room. And finally, you need a reactive layer: a trained human or technology response if someone breaches the safe.
Rather than telling the jewelry store not to have jewelry, it’s about identifying the multiple levels of security necessary to continue doing business and continue growing.
“The cyber security world is the same thing [as a jewelry store],” said Ismael. “We have to invest in prevention, detection, reaction mechanisms, and do it in the right combination. And that’s specific to every business.”
2. Map threats to find high-impact solutions
While cyber will involve technology tools, you can’t find the right mix of prevention, detection, and reaction without understanding your organization’s unique context.
To get there, cyber leaders wish CEOs would help answer three key questions:
- What matters most to the organization? This is likely IP, rather than laptops or photocopiers, and its confidentiality will be “paramount,” said Ismael.
- Who has access to the data? This is specifically about people and the risks that can befall them, such as phishing scams, credential stealing, SIM swaps, malware, and more.
- How does data flow? This is when you think about the devices data moves to and from.
When you have these three questions answered, you can begin to develop contextual cyber solutions for your organization.
“We are here as cybersecurity experts to support the mission of the business,” said Ismael. “That involves making risk assessments, threat modeling, and determining ‘What is the impact of [an initiative, goal, or tactic]?’”
3. Ask for safer pathways
When you have all three questions answered, cyber leaders can come up with a plan to stay safer while doing business, rather than telling the CEO to stop something.
But there is no risk-free decision.
Instead, cyber leaders can help CEOs understand the pathways in front of them, with corresponding risks and mitigation opportunities.
For example, let’s say you want to acquire a company to launch into a new geographic region.
Beyond typical risks such as business integrations, customer data privacy, and ongoing cyber threats in your industry, you’ll need to consider geopolitical implications.
“When we talk about threat intelligence, it’s not just an IT or a security operations thing,” said Ismael. “Cyber threat intelligence is about informing [leaders] about the risks of conducting business.”
The power of cyber is anticipation
From his role, Ismael knows that attackers regularly have the upper hand in cyber incidents; you may not know when someone will attack you (or how), but they do.
Rather than being a call for concern, though, Ismael wants this to be a call for innovation.
To join in what Ismael calls the “arms race” of cyber defense, it’s imperative for business leaders to think about what they can do to anticipate attacks, strengthen responses, and even surprise the attacker with multiple levels of security.
“What can we do as defenders to create something new that they’re not expecting so we can catch them earlier, extend the protection time, or reduce detection and reaction time?” said Ismael.