Every cyber investigator, digital forensics examiner, and cybersecurity professional I have ever met throughout the years had the same complaints. Their boss didn't understand what they did or why it was important, and they were never provided the resources needed for proper execution of their job. Why don't they understand? What are we doing wrong? I offer here a few suggestions of why we are often unsuccessful in getting our boss, their boss, and the Board to ‘get it.’ Does it take a catastrophe to get their attention?
I have observed several seniors in both the private sector and the government who understood that there was a cyber threat problem but were gambling that a catastrophe simply wouldn't happen on their watch. They changed jobs every two to three years, trying to save or make more money for their organization in the short term with the intention of inflating their own bonuses (or perhaps they didn't have the nerve to push their bosses where they needed to be). In other words, these job hoppers knew that their companies would eventually become victims of a significant breach but had the luxury of betting that it wouldn't happen before they move on to the next lucrative position – a tactical decision rather than a strategic decision for the organization.
There are still many senior leaders in the government and private sector as well who simply don’t get it. I think it is generational. After growing up and becoming obviously successful without even knowing how to spell the word ‘computer,’ these concerns did not reach the top of their priority list.
Last fall I ran into an old friend, Mike Higgins, CISM for NBC Universal. We were both judges at the NYU Polytechnic CSAW High School Forensics Finals. I met Mike in the late ‘80s when he was a DIA Senior Intelligence Analyst. He was later instrumental in creating the DoD CERT. Mike had a theory. Everyone has a "too-hard-to-think-about box”. Many smart managers and leaders who didn't understand the technology realized that this new cyber threat was important. However, they needed more time to research it in order to fully understand and address it, so they put it in their "too-hard-to-think-about box." During any spare time, they would reach into this “box" and spend time digging in and studying these vexing problems. Unfortunately, however, these folks almost never had enough time in their day to reach into their "too-hard-to-think-about box".
How do we help the leaders in the private sector, Federal, state and local governments, and academia “get it”?
Jim Christy is VP of Investigations and Digital Forensics at Cymmetria. Jim retired from the U.S. government in 2013, ending a career investigating computer crimes and running digital forensics labs that began in 1986 at the Air Force Office of Special Investigations.
Jim can be reached by email at firstname.lastname@example.org.
Connect with Jim on Twitter: @jimchristyusdfc