CISO Freebook Final
Introduction
I’m often asked, “What is the most important thing about being a Chief Information
Security Officer (CISO)?” Interestingly, over the years, the answer has changed,
just like the field of information security.
Twenty-five years ago, I would have listed technical expertise. Most of us were
one-person shops with a focus on antivirus and firewall rules. The threats were
fairly slow moving, as was technology. As the job has changed over the years, I will
now unequivocally tell everyone that leadership is the most critical attribute.
The CISO is now one role in an effective security group. Don’t get a big head; I
didn’t say the most important, just one of the jobs.
A seasoned CISO understands the value of hiring people technically smarter
than him or her. You need all sorts of tools and talent to be successful; you can’t do
it all yourself. Your job is to lead the program with skill, not dictate. Information
security is a war of attrition, and leading your staff is like training the team to run
a marathon. You can’t do it by running on their heels and barking commands. You
must give them something to run toward. The way you do it is by exhibiting strong
leadership and having a crystal clear strategy. Be transparent and honest. You hired
smart people; let them do their job. Remember, even though you undoubtedly
worked hard to achieve the CISO title, don’t get too wrapped up in your own
self-importance. Being the leader is a job that is only needed if there is a team. Value
and nurture them.
If you follow information security and stories of breaches, you’ll notice as I did
that every year lately is referred to as the year of the breach. We are seeing unheard-of
numbers of records being breached, and the reports of breaches are coming faster
and faster.
As I said, we are in a war of attrition with the criminals. The professional crimi-
nals are well organized, well trained, and well compensated. When I first started,
the typical hacker was a loner, or a teen with too much time on their hands. The
6 ◾ The CISO Journey
typical attack was a nuisance attack, more of an irritant than anything. We used to
refer to a large portion of them as “ankle biters.” Don’t worry, this will not turn into
a yearning for the “good old days” discussions. The world of today is what it is. We
have no control over the bad guys; we can only control how we respond and react.
There is no silver bullet; if there were, we would all know about it. In fact, I propose
that focusing all your efforts on searching for a technology solution will ultimately
hurt your security stance.
The best security solution for a business is a balance of People, Process, and
Technology controls that is tailored to the business need and mission. Throughout
this book, you will see me reference the People, Process, and Technology model.
Putting too much emphasis on only one segment weakens the whole model. Your
job is to be the visionary that maintains the balance. There are security frameworks
and control structures we can reference, but I’m sad to say there is no cookie cutter
approach that guarantees security.
Much of what we do as CISOs or security professionals is based on our experi-
ences and the lessons we have learned over the years. Mentorship is a critical part of
the development of our skills. In my case, I was lucky to have an excellent mentor
named Rick Jacek who taught me as much about human behavior as technology.
Rick was the Technology Troubleshooter for the company. If there was a technol-
ogy product headed south anywhere in the global company, Rick was sent in to
fix it. It was from him that I initially learned about the importance of People,
Process, and Technology, as it was never just one component that put the project
at risk. He was also keenly aware of the effect of culture, particularly outside of the
United States. I remember a discussion with a business unit manager in a South
American company recently purchased by the firm for which we worked. Rick had
to convince the manager that keeping a pile of cash in his desk drawer to “get things
done” was no longer an acceptable operating model.
I also learned from various mentors that Information Technology is in place to
serve the business, not the other way around. Computers are just a tool that allows
us to do what we are in place to do: serve the customer. This was made clear to
me in my first “Data Processing Manager” role for a manufacturing firm. My job
was to run systems that supported the end goal of getting product on the shipping
dock at the end of the day. If I did anything to jeopardize that goal, my job was at
risk. I knew my job was less important than the people who built and shipped the
product. It is a lesson I’ve kept to this day.
We have to constantly rethink our strategies and approaches. It’s clear that the
“build big walls” strategy of the past is not working. Technology companies would
have us believe that if we buy the latest, greatest product, we will be safe, but com-
mon sense tells us that is simply not true.
We are also at a significant crossroads in the evolution of the CISO role. The
image of an ass-kicking, hard-charging, and damn the torpedoes, barely legal cyber
cowboy must die. While I still see many of my peers hanging on to that stereotype,
it is absolutely the opposite of the C suite executive. We must become business
people, able to protect the business while showing the value of what we are doing.
We all remember the FUD factor: Fear, Uncertainty, and Doubt? In the past, we all
used it at least a little to scare the business into making critical security investments.
Well, put it away; it doesn’t work in the long term anymore. You need to be a busi-
ness partner, an advocate of the business, and build the critical alliances necessary
to strengthen the security culture of the organization.
The other stereotype that must die is what I call the “secret police.” While it is
true that CISOs have many tools at their disposal that can monitor user activity,
they must not be used for fishing expeditions or to instill a “big brother” mentality
at a business. Ultimately, that will destroy security goodwill and culture. Watch
for the security folks who like to wear fobs or toys from law enforcement. Watch
for the people who say if they had to do it over again they would join the CIA or
Secret Service. CISOs must investigate, but must do it within the bounds of cor-
porate policy and culture. Like many people, I am a Dilbert fan. One of the char-
acters that turns up from time to time is “Mordac—The Preventer of Information
Services.” Trust me, you never want to get pegged as that person. If people assume
your answer will be no, they will look for ways around you. Your job is to say
“how” to do it securely. Work with the business, be part of the solution, don’t be
the problem.
For most of us, we are charged with protecting the information entrusted to the
company by its customers. We don’t own it, and we are bound by professionalism
to build and maintain a balanced security structure to protect it. It has taken me
years of experience to build an approach to security. While it is impossible to cover
30 years in a short book, I’d like to share some of the major lessons and rules I’ve
developed. Around those lessons, I will try to inject some of my current thinking
on the issues.
Have I done everything right? Hell no. The one thing I do wish is that I’d had
a dedicated CISO mentor, but since that wasn’t possible, I gleaned information
from some great mentors over my career. My hope is that you take my experience
and thinking, and find at least a couple of good ideas that will help you in your
“Journey.”
Spoiler Alert: Since every business is different, and the threats morph quickly,
there is no silver bullet. You will have to find your way, build your alliances, and
become the great CISO that the industry needs going forward.
Chapter 3
me from his perch in the neighbor’s yard. It had become personal. That little rat
with a fuzzy tail was messing with me, an official Boy Scout.
The daily war continued for a couple of weeks. I was more irritated; the squir-
rel was fatter. Finally, one day, our neighbor, who was a retired farmer, sensed my
frustration and came over with some sound advice. He said, “I see your problem,
and you will never beat that squirrel!” “Why?” I asked, trying to be polite. He took
a puff on his pipe, looked at me wisely and said, “You spend maybe an hour a day
trying to keep that squirrel out of your feeder, but that squirrel spends 24 hours a
day figuring out how to steal your bird seed. If you are not prepared to make the
same effort to keep him out, you will lose.”
At that time, I thought I had learned a lesson about bird feeders and squirrels.
But, as I progressed in my career, I realized that it was about dealing with adversar-
ies of any type. In the cybersecurity world, we are no longer dealing with part-time
hackers, we are dealing every day with organized, well-funded, effective groups of
“squirrels” intent on stealing our corporate “bird seed.” These cyber criminals also
communicate well and share information freely among themselves. Interestingly,
this is contrary to the culture we have bred in the information security profession.
We tend to keep ourselves and our organization’s information locked up in a silo;
we have been taught that sharing vulnerabilities and problems we have experienced
is a bad thing. The actuality of the situation couldn’t be further from the truth.
Through this book, I will share experiences, something we must all learn to do if we
are to keep pace with our adversaries. The journey from good to great is not enough.
Unfortunately, our adversaries are already great at being bad.
Later in my career, I took a job where I had to live in New Jersey for a couple
of years. When I shared this story at a local conference, an attendee told me that,
in Jersey, they would have had a different approach to solving the squirrel story.
He told me that he “knew a guy who knew a guy that could make the squirrel
disappear—If you know what I mean…” Ah, what a difference cultures bring to
problems. The diversity of solutions to a single problem (in this case, tongue in
cheek, hopefully) shows that we must be open and ready to embrace many sugges-
tions and solutions.
the room where all the drawings were kept. If you were authorized to enter the print
room, you could check out a drawing, signing a log to acknowledge your actions.
All revisions or changes you made to the design were noted on the drawing, and
the drawing was eventually checked back in. If needed, you could make a copy
of the drawing. All critical drawings were microfilmed and the copy was kept off
site in case of disaster. Simple, manual, and easy to understand. And…we always
knew where the data were and if they were secure. I like to refer to this as the “good
old days” from a security perspective. However, it had productivity problems, and
needed to change to meet new business demands and the pace of industry in general.
Computerization came charging into engineering. As we began to explore
Computer-Aided Design, we realized that even though we printed out the draw-
ings (and locked them in the print room), we now had an electronic version of the
drawings that somehow had to be secured. We started with one generic sign-on for
all the engineers with no password, and slowly worked our way into each person
having a unique account name and password. By the way, once we had the design
on the computer, we printed it out and put it in the print room. Paper was still the
official copy and archive.
As always happens, business continued to change. Production’s need to build
products faster and more flexibly drove the development of computer-controlled
equipment, which was electronically linked to the digital designs. While the early
machines kept the programs on rolls of black paper tape with ASCII format holes
punched in them, it was only a matter of time until the business wanted online stor-
age. As an engineer, one of my early projects was to connect production machines
via a thick coax-based cable to a central PC-based server. Today, that is about a
two-hour job to connect and format the equipment. I’m almost embarrassed to
say I spent six months on the project. Now, we had connectivity from the “office”
to the “factory floor.” With the changes in manufacturing such as Kanban and
Just-in-Time, the business also wanted the inventory levels linked real time to the
manufacturing processes.
Because of the dynamic environment, we had to look at setting up a type of file
level security to put a “wall” between production and designs, which were still in
development. Multiple levels of folders with unique access control lists soon came
around, and eventually we needed someone who specialized in this file level access.
At this time, there was no Internet: securing the electronic frontier was simply a
matter of unplugging the modem we used for file transfer. There were good tools
from the computer companies to manage access to files and manage user IDs. No
distributed computers or PC networks, but that was all about to change.
The Internet hit us all. A project to create the first company website was a major
project driven by high-priced consultants. We put in our first firewall in about
1990. It was not very sophisticated; it was simply a packet filter. A packet filter works
by inspecting the “packets” that are transferred between computers on the Internet.
If a packet matched the packet filter’s set of filtering rules, the packet filter dropped
it. It was simple and effective, but just a beginning.
Business and academia drove continuous change. More features and function-
ality brought additional risks. The cycle continued to spiral. Interestingly, in the
early days of my career, I thought the job would be more of an administrative func-
tion. The primary job was to design and administer access to information to protect
the information from loss or accidental corruption. How wrong can one guy be?
Over the years, I developed rules of Information Security. I adopted some from
peers, learned them through sometimes-hard lessons, and noticed that they were a
recurring theme at every turn. They are as follows:
Rather than walk through my entire life, I am going to organize the next sec-
tion in line with my rules of information security. In each section, we will discuss
the circumstances that prompted me to add a rule, and discuss current industry
best advice on the subjects.
My hope is that I can pass on some advice, lessons learned, or stories that will
strike a chord with you. Enjoy my life experiences and cyber stories. Good luck in
your career!
2
THE BUSINESS OF BEING CISO
The office of the CIO is large—one of the largest I’ve ever seen.
The couch on which I am sitting is comfortable enough to sleep
in. The view outside the window is impressive, and somewhat
distracting. We’ve been here for a little while discussing why, in
particular, this Fortune-500 executive should bother with bring-
ing me on as a consultant to help with, of all things, enterprise
security. And we’re talking because the case being made is that the
help is needed, not necessarily on a technical or operational level,
but in terms of the company’s business strategy.
In other words, I’m not here to configure firewalls.
It’s actually going surprisingly well, even though I am admit-
tedly somewhat intimidated. I only incorporated my “company”
earlier that year, after a few years of operating under my individual
banner. The custom-tailored suit I’m wearing is the most expensive
article of clothing I have ever owned, which is good, but my shoes,
in this company, show their off-the-shelf origin.
For heaven’s sake, why am I thinking about my shoes?
Concentrate, Barak!
I have already decided that no matter what happens, the CIO
is one of my favorite people ever. Gregarious, smart, witty, hilar-
ious—I can’t help but like him as we go through an increasingly
uncomfortable vivisection of my career experiences and the rea-
soning behind why he should allocate a budget to this effort, then
rapidly switching to favorite war stories, clearly a trust-building
experience.
There’s a pause in the conversation.
26 WHY CISOs FAIL
Figure 2.1 Gartner Research’s Hype Cycle diagram (visibility plotted against time:
technology trigger, trough of disillusionment, slope of enlightenment, plateau of
productivity). (From Jeremykemp at English Wikipedia,
https://commons.wikimedia.org/wiki/File:Gartner_Hype_Cycle.svg; Gartner Hype Cycle,
https://creativecommons.org/licenses/by-sa/3.0/legalcode.)
laptop and mobile devices), localized (the office networked file sys-
tem), co-hosted in some data center usually belonging to somebody
else, or (increasingly) virtually in the cloud. Today’s big advances that
aim to disrupt and enhance the mechanisms of business creation and
growth are the cloud, big data analytics, mobile computing including
BYOD (bring your own device, also known as the bane of IT depart-
ments everywhere), and Internet of things (IoT)—a term which is set
to become the number one term used in security product marketing
in 2017.
Or somewhere close to it, anyway. It is, after all and on top of being
a fascinating technology development, a very handy bogeyman.
Whereas in that incredibly distant past of the late twentieth cen-
tury, a top executive could limit access to sensitive information simply
by locking it in their office safe, thereby also guaranteeing, more-or-
less, that unauthorized access is at least pretty noticeable, today they
must rely on an army of people (the IT folks) to manage a kind of
digital safe whose keys are not even in that executive’s pocket. He
or she can simply access it like anybody else. The keys are in the IT
department.
And not only are those keys not physical (passwords aside), they are
often practically impossible to understand.
Heck, when I write security policy these days, which I occasion-
ally still do (what can I say? embrace the weird), I always find myself
For example, the following answers may all be true at the same time.
typing behind the screen, and it’s already possible to ask your fridge to
read your corporate emails aloud to you while you cook.
Such expansion, while terrific for the IT department’s ability to
successfully master and scale ever-more complex business needs and
environments, can introduce many headaches to the security orga-
nization. Not only is data now stored and handled elsewhere, it is
often very difficult if not impossible to draw clear boundaries, not
just around the data itself, but also between the various responsibili-
ties around management of the associated infrastructures, which in
themselves are virtual.
In our practice, we see this all the time, especially when we work
with cloud-based service providers. Take, for example, the issue of the
“invisible NOC.”
Isn’t it fascinating?
Of course, in the context of business liability, the enterprise coun-
sel’s answer to that is “the cloud provider is represented by the SaaS
vendor.” Good luck with that line when the cloud gets broken and all
you have for a remedy are the very limited resources, warranties, and
embarrassingly small (if any) cyber-insurance coverage of that vendor.
They’ll probably go bankrupt first, anyway.
side effect of what the customer instructs the platform to do, and, even
then, have no real concept of the nature of the data that traverses the
system boundaries. Heck, the best ones will insist on not implement-
ing any direct data control that implies knowledge of the underlying
data, if for nothing else than for (liability) self-preservation purposes.
Put another way, a PaaS vendor doesn’t know what data the customers
push through their platform, and doesn’t care about it, either, because
they rightly consider it to be none of their business (what I like to call
the “we don’t know, we don’t care” principle).
It is, in fact, the same exact principle that the cloud provider itself
(e.g., Amazon) follows. We give you a platform, but what you do with
it is up to you.
It’s just one more level of abstraction.
The transformations themselves also take place on somebody else’s
systems, that is, the cloud vendor. Faced with questions about data
protection, it can become difficult, even impossible, to answer them
in a satisfactory way, without some level of absurdity. For example,
how does this hypothetical PaaS vendor answer the question “do you
protect sensitive data at rest?” Why is this such a challenging ques-
tion? Because the vendor is fundamentally unaware of any distinction
between kinds of customer data, that is, sensitive and not sensitive. Further,
to add a capability to do so will, by necessity—since it would involve
the vendor becoming aware of sensitive customer data in order to
make a determination with respect to the application of security con-
trols—ultimately lower the overall security posture of the platform for
the customer. This is for a number of reasons, but I’ll mention the
most obvious: it violates the basic yet important principle of “need
to know.”
The PaaS vendor thus has to take a viewpoint, and will often find
that an actual attempt to be honest and discuss the very nature of a
public-cloud-based PaaS only leads to legal and sales barriers, even
when the truth is that they just treat all data the same way, and (hope-
fully) give customers additional security controls (such as encryption
key management) to apply to their data in any manner the customer
finds appropriate.
In other words, it is in both the vendor and the customer’s best
interests that the vendor provides controls and the customer applies
them as necessary. But the security questionnaire will practically
never account for this subtlety, and the enterprise legal department
even less so.
This expanded and highly abstracted sphere of data control is
probably the biggest overall security issue in the modern world of
cloud. These issues are rarely resolved in actuality in contract, at least
not without a very delicate and informed touch, and that requires a
significant amount of knowledge on the side of the enterprise counsel
and their security chief, as well as the vendor’s security leader, who
must be able, knowledgeable, and experienced enough to support
legal negotiations to a successful resolution that will not introduce
hidden risk and liability down the road.
With that said, there are some useful open-ended questions that
should be asked by any enterprise of every cloud vendor that they are
considering. Note that this is intentionally short and open-ended, since
the goal here is to get an insight into the security mindset of the vendor,
rather than dictate by implication a list of expected security controls.
Short Essay
Basic Questions to Ask Your Cloud SaaS/PaaS Vendor
Figure: Accenture 2019 Cost of Cybercrime Study infographic (355 companies,
2,647 senior leaders, 11 countries in 16 industries). Only 16% of CISOs say
employees are held accountable for cybersecurity. Security breaches are growing:
11% increase in the last year, 67% increase in the last 5 years. People-based attacks
(malicious insider and ransomware) have increased the most. $13.0m average cost
of cybercrime in 2018, a 72% increase in the last 5 years. Business consequences are
expensive: $4.0m cost of business disruption, $5.9m cost of information loss.
Figure: avenues of attack. Internet [Email attachments, pirated software,
DNS/Routing modifications]; Trusted Insider [Rogue employee, subcontractor,
break-in, dual use software]; Physical [Infections of Media (USB, CD), infected and
malicious IT equipment]; Trusted Channel [Stolen VPN credentials, Hijacked cell
communications, P2P tapping]; External [Mass vulnerability exploits, co-location
exploitation, Rogue WiFi].
Table residue: Heartland Payment Systems, 100+ million, May 2008.
potential avenue of attack for all of the virtual assets that it is held
accountable for. And ten years of data loss makes it crystal clear that
we are getting worse at the task, not better (Figure 1.4).
1. EY Global Information Security Survey 2018-19 (GISS); 2. Chronology of Data Breaches, May 2019, https://www.privacyrights.org/data-
breaches; 3. DarkReading, 26 April 2018, New Phishing Attack Targets 550M Email Users Worldwide; 4. Ninth Annual Cost of Cybercrime Study,
Accenture Security; 5. Ponemon Institute’s 2018 Cost of a Data Breach Study, 18 Sept 2018; 6. EY Global Information Security Survey 2019-19
(GISS)
There are two highly credible types of attacks that are unavoid-
ably part of the overall attack surface: human and physical exploits.
The willingness of an organization to ignore these plausible lines of
attack will preprogram failure into the protection mission. Current
research shows that electronic exploits constitute less than one-third
of the threat. The rest of the protection problem involves such real-
world factors as insider threats and social engineering or even natural
complications like fire or flood. So, the question remains, who should
be responsible for deploying and coordinating a defense against those
types of exploits?
In many organizations, human or physical types of threats are
often not included in traditional cyberdefense planning. Most active
cyberdefense solutions do not even consider the need to embody
tightly integrated, well-defined, and uniformly applied behavioral
controls as a fundamental part of the overall cybersecurity process
(Laberis, 2016). As a result, well-executed attacks against the non-
electronic attack surface are almost certain to succeed. The question
is, what is the reason for such a clear disconnect in our planning?
The goal of the adversary is to break into the system, not use it. And
those adversaries are not constrained by conventional rules of engage-
ment. Besides the traditional task of ensuring that the system operates
as intended, system developers and administrators are now expected
to ensure that its day-to-day functioning is fully safeguarded from
any foreseeable kind of malicious exploitation. In the case of a deter-
mined adversary, the scope of the protection perimeter is now opened
up to any means necessary to achieve the ends of a wide range of
hacker types. If the adversary’s aim is to subvert or acquire a vir-
tual asset, then the easiest way to accomplish this would be through
the path of least resistance (PRC). As far back as the 1970s, Saltzer
and Schroeder codified this as the Work Factor principle (Saltzer and
Schroeder, 1974). In essence, the adversary will adopt the approach
that is the easiest to execute and the most likely to succeed. Sun Tzu
characterized this thinking best when he wrote, “Attack weakness not
strength.” Or in practical terms, the form of the hack will be dictated
by the shape of the soft spots in the cyberdefense.
8 THE CYBERSECURITY BODY OF KNOWLEDGE
Figure: cartoon panels captioned “…feels like a snake!”, “…feels like a tree!”, and
“…feels like a wall!”
Professional Societies
cybersecurity was also required. Thus, the societies once more orga-
nized a Joint Task Force to formulate the first set of globally accepted
curricular recommendations for cybersecurity education (CSEC,
2017). The guideline is entitled “Cybersecurity Curricula 2017,
curricular volume,” or CSEC2017. The aim of CSEC2017 is to be,
“The leading resource for comprehensive cybersecurity curricular con-
tent for global academic institutions seeking to develop a broad range
of cybersecurity offerings at the post-secondary level.” (CSEC 2017
Mission Statement, p. 10).
The recommendations of the CSEC2017 body of knowledge pro-
vide educators and their students with an authoritative understanding
of the complete set of knowledge elements for the field of cybersecu-
rity. The CSEC2017 document is specifically dedicated to providing
an authoritative overview of the elements of the field of cybersecu-
rity for a broad array of educational applications. It should be noted
that the CSEC2017 thought model is authoritative, in the sense that
the computer societies have made the commitment to make them so.
Within that thought model, the knowledge elements that are speci-
fied for the discipline can be explicitly tailored to the teaching and
learning process. Therefore, the CSEC2017 has practical educational
application in every curriculum and classroom.
from the problem of diffuse identity. Thus, the role of the societies in
clarifying the appropriate features for the study is critical to the long-
term development of the field.
Separate Identity Is Important: Each computing discipline has
its own identity. Therefore, the second purpose of CC2005 was to
acknowledge and clarify the individual identities of each of the com-
ponent disciplines that contribute to the shared identity of computing.
Although there are different views of the field, this does not exclude
any one of those views from the overall solution. All education has
to have a focus, but the different focuses have to be integrated into a
single concept in the larger sense. The value of the individual disci-
plinary lens is that it provides the depth of understanding necessary to
ensure complete mastery of a given essential topic.
Everyone Needs to Understand the Contents of the Report: It
was acknowledged that most of the people who read the report would
not be computer educators. Thus, the CC2005 report was tailored
to address a range of constituencies who might want to understand
the contents of a comprehensive academic computing degree. So, it
was not technical in any way. Therefore, it must be understood that
CC2005 is a social manifesto of sorts. It does not so much make rec-
ommendations about what needs to be taught in each field as explain
the variation in computer education programs as a whole.
Distinctive Knowledge Elements: The report essentially cata-
logues every knowledge item that would be germane to the study of
computing. This is one of the two groundbreaking aspects of this proj-
ect and it is the consideration that links CC2005 with CSEC2017.
The CC2005 report ignores the usual teaching and learning issues
and focuses instead on the definition of a set of standard learning ele-
ments. The fact that CC2005 essentially catalogues and presents all
of the necessary learning elements for the effective study of comput-
ing makes it groundbreaking. It is the focus on the appropriate set
of standard elements for the study of cybersecurity that is the chief
contribution of CSEC2017.
Combining the Common Learning Elements into a Single Body
of Knowledge: The lack of a common understanding of the diverse
elements of the practical process of the study of cybersecurity is at
the heart of our failure as a society. Thus, the earlier synthesis of the
The Data Security knowledge area is the perfect area to lead off with.
Data Security defines what needs to be known in order to ensure the
security of data assets either at rest, during processing, or in transit
(CSEC, 2017). This is a well-accepted and commonly understood part
of the current discipline and there is no disagreement about its impor-
tance in the overall protection of electronic assets. Chapter 3 focuses
on the knowledge elements associated with data security protection
The System Security knowledge area begins the move off of the technology and into the area of standard organizational processes. Chapter 7 focuses on the System Security knowledge area, primarily on those common embedded organizational practices that ensure the articulated security requirements of systems, which are composed of interconnected components and connections, and the networking software that supports those interconnections (CSEC, 2017). Consequently, the knowledge elements in this area embody recommendations that spell out the necessity for a holistic approach to systems, the importance of security policy, as well as organized identification and authentication management processes; this area also contains recommendations for system access control and operational
[Figure: Cybersecurity Skillset Competencies (Conflict Management, Resilience, Reasoning, Verbal and Written Communication, Attention to Detail, Accountability, Teamwork) and Application Areas of the CSEC2017 Framework (Public Policy, Enterprise Architecture, Procurement, Operational Management, Software Development, Security Research)]
Chapter Summary
Keywords
References
Accenture Security, “Ninth Annual Cost of Cybercrime Study”, 2019. www.accenture.com/_acnmedia/PDF-99/Accenture-Cost-Cyber-Crime-Infographic.pdf#zoom=50, accessed October 29, 2019.
Association for Computing Machinery (ACM), “Curricula Recommendations”, 2018. www.acm.org/education/curricula-recommendations, accessed 18 December.
Association for Information Systems, “About AIS”, 2018. https://aisnet.org/page/AboutAIS, accessed December 2018.
Brasso, Bret, “Cyber Attacks against Critical Infrastructure Are No Longer Just Theories”, FireEye, 29 April 2016. www.fireeye.com/blog/executive-perspective/2016/04/cyber_attacks_agains.html, accessed December 2016.
CSEC2017, Joint Task Force (JTF) on Cybersecurity Education, “Cybersecurity Curricula 2017, Curriculum Guidelines for Post-Secondary Degree Programs in Cybersecurity, a Report in the Computing Curricula Series”, ACM/IEEE-CS/AIS SIGSEC/IFIP WG 11.8, Version 1.0, 31 December 2017.
Cummins, J., and Pollet, J., “All Hazards Approach for Assessing Readiness of Critical Infrastructure”, 2009 IEEE Conference on Technologies for Homeland Security, Boston, MA.
Ford, Gary, “A Progress Report on Undergraduate Software Engineering Education”, Software Engineering Institute, CMU/SEI Report Number: CMU/SEI-94-TR-011, May 1994.
Hatchimonji, Grant, “Survey Results Reveal Both IT Pros’ Greatest Fears and Apparent Needs”, CSO Online, 18 September 2013. www.csoonline.com/article/2133933/strategic-planning-erm/survey-results-reveal-both-it-pros--greatest-fears-and-apparent-needs.html, accessed January 2017.
Institute of Electrical and Electronics Engineers (IEEE), 2019. www.ieee.org/about/index.html, accessed October 29, 2019.
International Federation for Information Processing (IFIP), “About IFIP”, 2018. www.ifip.org/index.php?option=com_content&task=view&id=124&Itemid=439, accessed December 2018.
ISCTE, University of Lisbon, 2018. http://iscte.hosting.acm.org/, accessed October 29, 2019.
SECURING CYBERSPACE IS EVERYBODY’S BUSINESS 37
Joint Task Force for Computing Curricula, “Curricula 2005, The Overview Report”, The Association for Computing Machinery (ACM), The Association for Information Systems (AIS), The Computer Society (IEEE-CS), 30 September 2005.
Laberis, Bill, “20 Eye-Opening Cybercrime Statistics”, Security Intelligence, IBM, 2016. https://securityintelligence.com/20-eye-opening-cybercrime-statistics/, accessed October 29, 2019.
Lois, Jason E., “It Can Happen to You: Know the Anatomy of a Cyber Intrusion”, Navy Cyber Defense Operations Command (NCDOC), Story Number: NNS151019-05, 2015, Release Date: 19 October 2015.
Microsoft Security Team, “The Emerging Era of Cyber Defense and Cybercrime”, 2018. https://cloudblogs.microsoft.com/microsoftsecure/2016/01/27/the-emerging-era-of-cyber-defense-and-cybercrime/, 27 January 2016.
National Infrastructure Advisory Council (NIAC), “Surviving a Catastrophic Power Outage”, Department of Homeland Security, 11 December 2018.
Newhouse, William, Stephanie Keith, Benjamin Scribner, and Greg Witte, “NIST Special Publication 800-181, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework”, NIST.SP.800-181, August 2017.
Privacy Rights Clearinghouse, “A Chronology of Data Breaches”, PRC, San Diego, CA, 2017.
Rivero, Nicolas, “The Biggest Data Breaches of All Time, Ranked”, Quartz, 2018. Downloaded from https://qz.com/1480809/the-biggest-data-breaches-of-all-time-ranked/.
Saltzer, Jerome H. and Michael D. Schroeder, “The Protection of Information in Computer Systems”, Communications of the ACM, 17, 388–402, 1974.
Symantec, “A Manifesto for Cyber Resilience”, 2014.
TechTarget, “Human Attack Surface”, Whatis.com, 2018.
1 Business Strategy and Value Preservation
The superior man, when resting in safety, does not forget that danger may come.*
Confucius
* Per The Best Confucius Quotes, April 2015, James Alexander, Crombie Jardine Publishing Ltd, Bath, UK.
4 Corporate Defense and the Value Preservation Imperative
many are now duly focusing their attention on the concept of sustainability and the delivery of long-term stakeholder value.
There now appears to be an increasing recognition that any such long-term obligation can only be delivered once the concept of sustainability in its broadest sense has been successfully incorporated into how the organization does its business. This means that long-term sustainability must be embedded into the organization’s vision and become a common feature of consideration at strategic, tactical, and operational levels within the organization itself. It means addressing it within the corporate strategy.
Traditionally, the concept of corporate strategy was considered to be concerned with helping to ensure that the organization was capable of providing sustainable above average industry performance, thereby allowing it to perpetually deliver superior returns and help create wealth for its shareholders. The global financial crisis however clearly exposed systemic weaknesses in the prevailing corporate strategy on an international scale. The subsequent fallout from this seismic event has resulted in the reputation of the corporate world being severely tarnished in the eyes of many stakeholders. The resulting negative impact has been felt not only by shareholders but also by management, staff, clients, business partners, suppliers, regulators, local communities, and indeed society in general, who all have eventually suffered as a consequence of flawed corporate strategies.
The corporate world now faces multiple pressures to reform the manner in which business is conducted and how individual organizations are managed. Stakeholders are now demanding higher standards of corporate citizenship in terms of integrity, ethics, and accountability. They are also demanding an improved strategic direction in order to provide them with greater protection and assurance going forward. Increasing pressure in the form of proxy advisor demands and pressure from stakeholder activist groups have prompted a rigorous search for an improved approach to corporate strategy, one that is aimed at helping organizations to foster an age of long-term sustainability.
The vision: Ideally the corporate vision should help to immediately visualize the big picture by providing a description of the organization’s desired future state. It represents a broad, forward-thinking image that the organization should have for its purpose and intentions before it sets out to achieve its goals and objectives. Typically a corporate vision should be short and succinct, and represent an inspiring image of its mindset and aspirations. It should describe where the organization wishes to go and what it is trying to create and develop. Ultimately it should describe what it intends to achieve in the future and should represent a source of motivation for the workforce.
Mission statement: A mission statement should typically be more detailed than the corporate vision and represent a statement of rationale regarding the fundamental purpose of the organization. It should help guide the decisions and actions of the organization and it is therefore important that it is stated clearly so that it is understood by all, and can serve as a constant reminder to its stakeholders of the purpose of the organization’s existence. It can be used as a reference point to evaluate the current activities or to help resolve trade-offs or disputes between different stakeholders. The mission statement should broadly outline the aims of the organization and what unique contribution the organization provides to its stakeholders. The lack of a clear mission statement diminishes the organization’s ability to verify that it is progressing on its intended course.
The vision and mission statements help provide a background to the organization’s strategic objectives for the future, without specifying the measures that need to be taken to help achieve the desired goals. In this way, they help to provide a context within which the organization’s strategy can be formulated.
Strategy formulation: The corporate strategy is in effect the path that has been chosen in order to arrive at the end vision. It therefore represents the roadmap by which the organization intends to complete its mission. A clear formulation of the corporate strategy should help the board and executive management to connect the ideas, assumptions, and decisions that are driving the organization’s strategic agenda. It should help to provide a definite plan of action going forward to achieve this end. In determining corporate strategy, due consideration should be given to matching the organization’s strategic activities to the organization’s environment, its available resources (e.g., people, processes, and technology), and the extent of its capabilities. Due consideration should also be given to the values the organization wishes to espouse and the expectations to be set for its various stakeholders. The strategy formulation process should help set the organization’s strategic objectives and help to identify and select an appropriate business model. It should clearly state the organization’s strategic goals and outline the strategic measures and initiatives required to achieve these objectives. These strategic goals should be tangible and achievable in order to be helpful in guiding all of the organization’s business activities going forward.
Strategic planning: Corporate strategy is typically implemented via a strategic plan; however, there are many examples of organizations whose failure was attributed to their inability to successfully execute their strategy in practice. Successful strategy implementation requires a carefully planned approach, a very high level of discipline, and involves the effective implementation of critical business activities in order to make it work. It is unreasonable to expect the attainment of strategic goals without the adherence to a carefully planned approach and the implementation of the required tasks. The strategic planning process should consider the corporate culture, the resources available to the organization, and the projected timescales required to achieve the stated strategic objectives. The strategic plan should guide and direct the subsequent tactical and operational planning exercises, in order to help ensure that these plans are in alignment with the organization’s strategic objectives. The resulting plans should identify tasks that are specific and measurable and will noticeably contribute toward the achievement of the strategic objectives. Many strategies fail due to poor or inadequate planning, and the quality of the final plans is generally a reflection of the quality of the planning process.
Strategy execution: Once a clear strategic plan has been formulated, the executive management is then responsible for ensuring the effective and efficient implementation of that corporate plan. Execution of the corporate strategy via implementation of the strategic plan is critical to success and should never be underestimated as it is never guaranteed. Indeed, many strategic commentators suggest that execution is the key to competitive success, as making the plan work can be an even bigger challenge than formulating strategy, or creating a strategic plan. There are many factors that can hinder successful execution, including internal politics, resistance to change, and the occurrence of hazard events. Execution involves putting the plan into action by translating planned tasks and activities into the completion of verifiable actions. It involves the effective performance of the necessary tasks outlined in the plans and this requires considerable organization, and employing resource management and change management practices. This is perhaps best achieved using a top-down approach that incorporates the full chain of command so that the required action steps are performed at strategic, tactical, and operational levels. The executive management team needs to collaborate with the line management to help ensure timely, effective, and efficient performance of the required tasks.
Strategy review: Once a strategy is executed according to the plan, there is a reasonable expectation that it will prove to be successful; however, a successful outcome can never be assumed or taken for granted as there is many a slip between the cup and lip. The strategy needs to be a living breathing concept that needs to be continuously monitored and assessed. The success or failure of a corporate strategy cannot be adequately assessed without a process to review how well the strategy is performing in practice. This should involve comparing the actual results against the benchmark of intended milestones and outcomes. A strategy review process represents an evaluation of the corporate strategy and substrategies, and an appraisal of the execution of the strategic plan. The process of strategy review is equally as important as the processes of strategy formulation, strategy planning, and strategy execution as it evaluates the logic and rationale of the original strategy and appraises the effectiveness
Business Strategy and Value Preservation 7
and efficiency of the implementation of this strategy. It enables the organization to focus on the appropriateness of the current strategy and to question the soundness of previous assumptions, which may no longer stand up to scrutiny due to changing circumstances and the dynamic environment of the twenty-first century. It allows an organization to re-evaluate the validity of the previous strategic choices and the extent to which ongoing performance has helped achieve the desired results. It also allows an organization to measure the variance that exists between the original desired results and the organization’s actual results.
In certain cases, a strategy may prove to be successful from the very beginning, and the organization may be prepared to ratify it and endorse it going forward. In other cases, it may be determined that there is a considerable room for improvement and that the existing strategy needs to be modified or adjusted accordingly. The extent of this modification will need to be considered on the back of the results of the strategy review. In certain scenarios, the results may indicate that a serious corrective action is required. In such cases, the existing strategy may be rejected as a failure, and it may be determined that a new strategy is required and needs to be formulated.
order to achieve a long-term gain; however, excessive short-term pain can in and of itself also lead to a long-term pain.
This acknowledgment can help an organization appreciate that what is required is a blended approach, where one eye is focused on the medium to long-term horizon and the other eye is focused on addressing short-term issues that need to be handled in the present. Although sustainability is generally associated with the long term, its achievement requires focusing on the short-, medium-, and long-term horizons, and an appreciation that there are times when short-term instant gratification is required to be sacrificed in order to help ensure longer-term gratification.
Business value therefore can embrace both tangible and intangible assets such as the organization’s balance sheet value and the value associated with its business model and other intellectual capital. Indeed, the concept of business value can also embrace the theory that an organization’s value can best be viewed as a network of relationships with stakeholders who are both internal and external to the organization itself. In this context, business value is concerned with the value embedded in these relationships over time.
Key business activities: The business model should clearly identify and outline the key business activities that the organization intends to operate. Generally an organization’s key business activities involve the processes by which the organization intends to convert its inputs to outputs. These outputs generally take the form of either products or services that can provide value to the organization’s key stakeholders. When considering its business model, the organization should clarify how it intends to differentiate itself in the marketplace in terms of such issues as its unique selling point (USP) (e.g., product differentiation, market segmentation, supply chain, and distribution channels) to be used to deliver its products or services to its stakeholders. It should focus on how the organization intends to convey its message to its key stakeholders and how it intends to communicate with them on an ongoing basis.
The inputs: The essence of the business model is the conversion of inputs into outputs in order to create value. The business model should clearly identify and outline the key inputs required by the organization, which when applied through the business process will convert into value-added outputs. These key inputs represent those ingredients that the organization depends on in order to deliver value. The performance of its business activities provides the organization with its source of differentiation by converting its key inputs from raw materials into its finished end product. Key inputs are derived from various types of capital whereby business activities draw on many types of capital in one form or another as inputs into the value creation process. The key inputs and how they relate to the various capitals from which they are derived represent a critical aspect of the organization’s business model. How the corporate strategy links key inputs to capitals, opportunities, risk, and financial performance is critical to the success of the strategy.
The capitals: The business model should clearly identify and outline the types of capitals the organization depends on for its success. Organizations typically depend on different types of capital whether they are considered tangible or intangible capitals. There is no currently universal agreement on the different types of capitals, and they may be classified in different ways by different organizations. One example is the six types of capitals identified by the IIRC as follows: financial capital, manufactured capital, intellectual capital, human capital, social and relationship capital, and natural capital (IIRC 2013b). These capitals represent stores of values in various forms that become inputs into the organization’s business model. Such capitals can be used to release value in the form of producing outputs and outcomes when they interact and are combined, transformed, and leveraged through an organization’s business process. Value is therefore created by the resulting increase, decrease, or transformation of the capitals.
The overall stock of the value stores, which is provided by the capitals, is not fixed over time, but rather they are in a continuous state of flux as they are increased, decreased, or transformed through the activities and outputs of the organization. Consequently such interactions can in fact enhance, modify, or otherwise affect the overall capital stock. Although in theory the organization’s aim is to create value in its capitals, in practice this may also involve the depletion or destruction of the value stored in some capitals while at the same time increasing it in others. In general, this can result in an overall net increase or decrease in the overall stock of the capitals.
Ultimately whether the net effect is perceived as either an increase or decrease may well depend on the perspective of the stakeholder concerned. In many instances, returns in financial capital may be dependent on interrelationships among other forms of capital in which stakeholders have different interests, for example, society and the environment. Also, not all of the capitals required by the organization are necessarily owned by that organization. Certain capitals may be the property of the organization, whereas certain others may be owned, belong to, or be an entitlement of various other stakeholder groups who in turn share in both the value created and their associated costs.
As noted earlier, there are different types of capital that organizations typically depend on for their success; however, not all organizations are equally dependent on the same capitals; therefore, different capitals will have different relevance to different organizations. Although it is likely that most organizations will interact with all of the capitals mentioned earlier, to a certain degree, some of these interactions may be considered immaterial in terms of the organization’s business model.
Whether certain capitals are increasing or decreasing can affect the availability, quality, and affordability of those capitals. This is a particular issue of concern for capitals of which there is a limited supply, and capitals that are not possible to be renewed. It is important to bear in mind that the availability and supply of certain capitals can be seriously impacted by the extent to which organizations, both collectively and individually, interact with these capitals. Ultimately, such issues can in turn have a serious impact on the long-term viability of an organization’s business model.
Innovation: The business model should clearly identify and outline the organization’s USP over that of its competition. An organization’s long-term success or failure may well be determined by how the organization addresses the age-old requirement to be innovative. The business model should clearly address the organization’s attitude to innovation and its approach to responding to change. The flexibility of its strategy, the agility of the business model, and the organization’s capacity and capability in adapting to change can have a profound impact on the organization’s long-term viability. This may be of particular relevance when faced with sourcing inputs and capitals, and adapting business activities. Logically, the key to a long-term success lies in the extent to which the organization can foster an innovative mindset throughout the enterprise so that it becomes embedded in the corporate culture and is continually present in day-to-day activities.
and some negative. Such a trade-off should consider the effects both individually and collectively. Assessing the nature of the value created involves considering the nature of the interdependences that exist between the capitals and their relationships with the various stakeholder groups. It is doubtful that long-term sustainable value can be created by solely focusing on increasing one individual capital at the expense of all of the other capitals. The value creation process is typically concerned with a number of issues.
Value drivers: The value creation process is concerned with determining the organization’s value drivers. Typically it is the organization’s value drivers that distinguish it from its competitors as they have a critical role to play in the organization’s ability to create value over the short, medium, and long terms. Value drivers can vary by types of business; they can be generic, industry specific, or organizational specific and their range can vary from one organization to another. They reflect certain key elements, characteristics, or attributes that make an organization attractive to its stakeholders. Such elements consist of those unique activities, capabilities, and core competencies that enable an organization to provide a perceived competitive advantage in the perception of its stakeholders.
Value drivers may be tangible or intangible as both can contribute to the creation of value by an organization. They may reflect tangible assets owned by the organization or intangible assets that help to increase the overall desirability of the organization in the eyes of its stakeholders. In the twenty-first century, intangible assets are now increasingly being perceived as primary value drivers. Value drivers reflect those factors that are identified as having the most significant impact on the future value of the organization and those factors that can be most effectively managed and controlled. Therefore identifying and managing value drivers can help an organization to focus its attention on the key activities that are most likely to help in achieving its short-, medium-, and long-term goals and objectives.
Outputs and outcomes: The value creation process is concerned with determining the organization’s required outputs and preferred outcomes. From a value creation perspective, there is a subtle but important distinction between an output and an outcome. The organization’s business model represents a series of processes and activities that convert inputs to outputs. As outputs tend to be process driven, they therefore refer to planned deliverables whereby the end product typically tends to be tangible in nature and therefore can be accurately anticipated in advance, and precisely and objectively measured in quantitative terms on completion.
Outcomes, on the other hand, refer to the impact that the outputs may have on the stakeholders, both internal and external. Stakeholder reaction is typically reflected by its impact on the organization’s capitals. Outcomes therefore relate to the ultimate payoff, the value added to the stakeholder as a direct or indirect result of the outputs. Therefore outputs have an impact on outcomes, but it is important to appreciate that they are not the same thing. As outcomes tend to be reaction driven, they are by their very nature less predictable than outputs and hence more difficult to anticipate as they can take place over multiple time frames. Although an outcome may be less predictable, it is still measurable in terms of its impact (financial and nonfinancial) on the organization’s capitals. This measurement may be more subjective and qualitative when dealing with nonfinancial capitals. Although an outcome can be the anticipated, planned, or intended consequence of an output, it must also be understood that it can also be an unanticipated, unplanned, or unintended consequence.
As an outcome represents the occurrence of a change in circumstance for a stakeholder, which is a result of targeted outputs, it is important to understand that such a change can have either positive or negative consequences, which means that an outcome can present either a potential upside or a potential downside for the stakeholder and in turn the organization itself.
Although the traditional corporate strategy and the setting of strategic objectives have been primarily concerned with focusing on the potential upside and intended positive outcomes, an emerging contemporary view focuses on an appreciation that corporate strategy must also include a sufficient focus on the potential downside and unintended negative outcomes. A balanced corporate strategy should therefore incorporate a degree of both value creation and value preservation.
In business as in many other aspects of life, the reality is that the nature of uncertainty means that an organization’s activities can either have a positive or a negative impact on the value it delivers to its stakeholders. Over a prolonged period of time, this value experience may include numerous fluctuations as a result of both positive impacts and negative impacts. Successful organizations however depend on their ability to both create and sustain value over the short, medium, and long terms. Over the long term, value is compounded by both creating and preserving value.
Once an organization has succeeded in creating value, it then faces the dual challenge of continuing to create value on an ongoing basis while simultaneously ensuring that it can also preserve the value that is created. Therefore, a focus on value creation alone is not considered to be sufficient; it must be accompanied by a focus on value preservation. In any event, successful organizations learn to continuously monitor the dynamics between value creation and value preservation. Unfortunately in many unsuccessful organizations, although value creation quite rightly received due consideration in corporate strategy, there is far less evidence to suggest that value preservation received a similar consideration. In general, it would appear that the requirement to preserve value is much less appreciated and therefore is often neglected.
hazards (i.e., risks, threats, and vulnerabilities), the occurrence of which could be detrimental to the achievement of the organization’s objectives. To successfully deliver on this obligation, an organization requires an appropriate program for self-defense.
* Failure by an organization to recognize this necessity will be seen by many stakeholders as representing a strategic “Red Flag”.
safeguarded. In other words, there is an expectation that organizations are not only working toward adding to, or increasing stakeholder value, but also taking measures to protect the existing stakeholder value from decline. For example, shareholders expect the organization to take measures to help protect the organization’s share price and its market capitalization.
In the twenty-first century, stakeholders are now demanding at least reasonable levels of due diligence in this regard and are increasingly prepared to hold the organization to account should they be considered negligent in their efforts. At a minimum, there is now an expectation that the organization will take all appropriate measures to ensure that it has adequate corporate defense initiatives in place. Organizations are expected to at least be able to provide reasonable comfort that stakeholder value will not be diminished.
things have to change, and going forward the corporate defense strategy needs to be considered as an essential element of the overall corporate strategy.
An old sporting aphorism states that offense wins games, defense wins championships. In business speak, offense refers to the focus on bringing the dollar in through the front door, whereas defense refers to the focus on preventing the dollar from leaving through the back door (Lyons 2014). In other words, in the corporate world, offensive activities are associated with the organization’s focus on upside rewards, whereas defensive activities are associated with the organization’s focus on the prevention of downside loss. What is essential is finding the correct balance between taking larger risks and reaping larger rewards. If organizations in the twenty-first century are to deliver long-term sustainable value, they must learn to achieve a healthy balance between their focus on offense and their focus on defense. Getting this balance right can help provide better opportunities for delivering long-term sustainable value.
A commonly held view of economic theory is that the Western capitalist model is primarily driven by the motivating factors of greed and fear. The former is the motivation to extend ourselves in search of even greater rewards, whereas the latter is the motivation to protect what has already been achieved lest it should be taken from us. Progress no doubt requires both, whereas prudence and common sense would suggest that long-term sustainability requires a healthy blending of the two.
The search for balance, or the middle path, is not a new concept; it goes back thousands of years. In Western philosophy, especially that of the Greek philosopher Aristotle, the golden mean represented the desirable middle between two extremes, one of excess, the other of deficiency. Another famous Greek philosopher, Socrates, taught that man “must know how to choose the mean and avoid the extremes on either side, as far as possible.” The search for balance continues to this day.
Unfortunately, in the business world, this is rarely immediately apparent because offense elements
are clear and obvious, whereas defense elements are more hidden and subtle. Therefore extremes
in offense are far more regular than extremes in defense, although this can also occur. Ultimately,
however, extremes in either offense or defense can result in the development of an organization that
is putting its long-term sustainability in jeopardy.
• An overly narrow focus on pure financial metrics while ignoring important nonfinancial
issues
• A focus on short-term interests at the expense of broader, long-term stakeholder interests
• The lack of board-level appreciation of the necessity of having a formal, systematic
corporate defense program in place within their organization to help ensure that their
stakeholder interests are adequately safeguarded
• The lack of a seat at the C-suite table for a defense champion to challenge, scrutinize, and
add a degree of balance to the formulation of corporate strategy and policies
• The resulting lack of transparency and responsibility for corporate defense where accountability is fragmented and diluted at the executive management level
• The lack of coherent coordination of defense-related activities at a functional level, leading
to the development of silo-type structures that are not in alignment with one another but
rather operate in isolation, resulting in both ineffectiveness and inefficiency
Although a great deal of work has been undertaken since the financial crisis to improve corporate
behavior, there is sufficient evidence available to suggest that many of these issues still need to
be addressed as weaknesses and deficiencies in corporate defense activities remain commonplace.
Examples include the rogue trader Jerome Kerviel at Societe Generale, the cyber theft at SONY, the
health and safety issues in the clothing industry in Bangladesh, and more recently the Volkswagen
emissions scandal, to name but a few. This will require a notable correction to the current imbalance
in order to create a natural harmony between offense and defense.
light and as being necessary for the achievement of long-term sustainability, rather than being seen
as a necessary evil. Corporate defense is not about business prevention; it is about doing the right
business in the right way.
In far too many organizations there is a defense deficit. Corporate defense is more likely to be
implied in corporate strategy rather than being considered a core element of business strategy, and
more often than not there is an absence of any formal corporate defense strategy. Corporate strategy
must therefore incorporate a balance between offense and defense in order to arrive at a natural
equilibrium. This will require a subtle blending of these antagonistic yet complementary principles
that are inherently intertwined and mutually interdependent within a dynamic system. In essence,
the principles of offense and defense represent two sides of the same coin, and therefore cannot and
should not be addressed in isolation from one another.