A Battle-Ready Problem in Cyber

Lt. Gen. (ret) Bill Mayville explains one critical factor organizations are missing in their defense against cyberattacks.

Bill Mayville retired as a Lieutenant General from the United States Cyber Command in the spring of 2018 after 36 years of military service. His career began with the geopolitical conflicts of the Cold War and included commanding and leading troops in combat in Iraq and Afghanistan following 9/11. He joined Korn Ferry in April 2019 as a senior advisor in its Cybersecurity practice.

In the time it takes to read this post, about three cyberattacks will have taken place. It takes the average reader two minutes to read 500 words. Hack attempts happen every 39 seconds on average. When looked at that way, it’s amazing to think how frequently we are at risk of an attack. Mere seconds are enough to wreak havoc on the global financial markets, bring an airport to a grinding halt, steal an identity, or start a war.

Last week, we learned the United States may have even used it as partial retaliation against Iran’s downing of an American drone by reportedly launching a cyberattack against Iranian intelligence systems. 

As the vice commander of US Cyber Command, I helped oversee the growth of a cybersecurity workforce that now numbers more than 6,200 people and a $230 million research and acquisition operation to improve US national security capabilities, as well as cybersecurity operations to safeguard Department of Defense activities worldwide. Based on my experience, here’s what I can tell you: technology is enabling new forms of economic and political power that are both costly and destructive, and it’s only going to get worse.

By some estimates, more than 20 billion connected devices will be on the market by next year. That’s 20 billion ways for hackers to get passwords, credit card numbers, consumer data, proprietary data, financial data, and more to leak, hold for ransom, or sell on dark markets. To be sure, 82% of leaders surveyed for the World Economic Forum’s latest Global Risks Report believe cyberattacks leading to financial theft or data fraud will increase this year, citing the “deepening integration of digital technologies into every aspect of life.”

Time and again we’ve seen the devastating effects a cyberattack can have on an organization’s value, market share, reputation, and even long-term survival. Yet less than 40% of global business organizations claim they are ready for a cyber-attack — mostly because they are looking in the wrong place.

The cybersecurity challenge isn’t just one of technology; it’s also one of leadership. Conflict, after all, no matter how sophisticated it is waged, remains a human enterprise—95% of cybersecurity breaches are due to human error. Cybersecurity isn’t just about understanding the threats and vulnerabilities facing organizations and governments. It’s about understanding what makes a successful security and information leader. Quite bluntly, most organizations have been unable to exercise effective leadership in what is at bottom a man-made domain.

Organizations need help figuring out a new way to fight that involves more than technology. Of course, technological innovation offers competitive advantages, and certainly solutions like artificial intelligence will drive more effective risk management in the cyber realm and beyond. But bolt-on technology solutions are not a winning strategy without a systemic approach that includes training of the workforce, the technical development of leaders, soft-skills training for technologists, and an organizational ethos that values individual responsibility and accountability.

Leadership, along with an organization’s culture and structure, must fuel both risk management and innovation in cybersecurity. Technological innovation, of course, moves faster than most organizations can absorb them, changing the expectations of the workforce and making the simplest decision-making quite complicated. As a result, jobs are transforming and emerging, and new types of leaders and subcultures are springing up.

That doesn’t mean organizations have to change their ethos, but they do have to change their cultures. They need to train talent to think for themselves and develop leaders who are adaptive, innovative, collaborative, and attuned to their environment. They need to become learning organizations with smaller, more effective cross-functional teams that are empowered to operate autonomously.

Cyber is, in essence, the new workspace where people and strategies intersect with global networks and technology. The organizations who think, and do differently, will win far beyond their competitors.