American Institute of Aeronautics and Astronautics (AIAA)

    All Together, Now: Making Cybersecurity a Whole-of-Enterprise Effort

    Everyone’s Job

    We’ve said before that cybersecurity is everyone’s job, not just IT’s job, but what exactly does that job look like for people in different roles across the organization? Let’s consider some of the primary responsibilities of different people or teams in an organization. Of course, roles and titles vary across organizations. They depend in particular on whether the organization is small or large, privately held or publicly traded, and a private company, a nonprofit, or a university. But the key functions are broadly consistent, and everyone has a role to play in enabling cybersecurity.


    Start with Human Resources. Human Resources should help train employees on cybersecurity. Ideally, it writes cybersecurity in as a requirement in employees’ job descriptions and performance assessments. Organizations that are really committed to cybersecurity hold employees accountable for following cybersecurity policies and being good stewards of the organization’s information and IT assets. Human Resources also coordinates on-boarding, role changes, and off-boarding, and each of these transitions is a point of risk: many cybersecurity incidents happen when employees are about to leave an organization and decide to take information with them (against organization policy). Incidents also happen when employees have switched roles or left the organization but their old credentials are still valid; sometimes employees intentionally misuse these network credentials, and other times attackers steal the credentials of departed or transitioned employees and use them to access information or cause disruption. The practical defense is a tight loop between HR and IT: accounts are disabled on the day someone leaves, access is re-scoped (not merely added to) when someone changes role, and the account inventory is periodically reconciled against the HR roster so that nothing is missed.
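    The reconciliation the paragraph above calls for can be automated. The following Python example is added here to illustrate it and is not code from the AIAA page or from any particular product: it compares a constructed identity-provider account export against a constructed HR roster and flags leavers whose accounts are still enabled, movers who kept groups their new role does not need, and enabled accounts with no HR owner at all. The ROLE_GROUPS baseline, the roster, the account export, and the as-of date are all made-up sample data.

```python
"""Reconcile an identity-provider account export against the HR roster.

Added example, not part of the original article. All data below is
constructed; ROLE_GROUPS is a hypothetical least-privilege baseline.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str                     # "active" or "terminated"
    role: str                       # current role per HR
    end_date: Optional[date] = None # set when status == "terminated"


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: Optional[str]           # None when no HR owner is recorded
    enabled: bool
    groups: FrozenSet[str]


# Hypothetical baseline: the groups each role is entitled to, nothing more.
ROLE_GROUPS = {
    "engineer": frozenset({"vpn", "source-control"}),
    "finance": frozenset({"vpn", "erp-payments"}),
    "hr": frozenset({"vpn", "hris"}),
}

# Constructed HR roster. Carol moved from Finance to HR; Bob and Dave left.
HR_ROSTER = [
    Employee("E100", "active", "engineer"),
    Employee("E101", "terminated", "engineer", date(2024, 3, 1)),
    Employee("E102", "active", "hr"),
    Employee("E103", "terminated", "finance", date(2024, 2, 10)),
]

# Constructed identity-provider export taken on AS_OF.
AS_OF = date(2024, 3, 15)
IAM_EXPORT = [
    Account("alice", "E100", True, frozenset({"vpn", "source-control"})),
    Account("bob", "E101", True, frozenset({"vpn", "source-control"})),
    Account("carol", "E102", True, frozenset({"vpn", "hris", "erp-payments"})),
    Account("dave", "E103", False, frozenset({"vpn", "erp-payments"})),
    Account("svc-backup", None, True, frozenset({"backup-admin"})),
]

Finding = Tuple[str, str, str]  # (kind, username, detail)


def reconcile(roster: List[Employee], accounts: List[Account],
              today: date) -> List[Finding]:
    """Return one finding per account that disagrees with the HR roster."""
    by_id = {e.emp_id: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        # Enabled accounts nobody in HR owns need a named owner or removal.
        if acct.emp_id is None or acct.emp_id not in by_id:
            if acct.enabled:
                findings.append(("no_hr_owner", acct.username,
                                 "enabled account without an HR record"))
            continue
        emp = by_id[acct.emp_id]
        # Leaver check: terminated in HR but still able to log in.
        if emp.status == "terminated":
            if acct.enabled:
                days = (today - emp.end_date).days if emp.end_date else -1
                findings.append(("leaver_still_enabled", acct.username,
                                 f"left {days} days ago; disable the account"))
            continue
        # Mover check: groups beyond what the current role is entitled to.
        extra = acct.groups - ROLE_GROUPS.get(emp.role, frozenset())
        if extra:
            findings.append(("excess_groups", acct.username,
                             ", ".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    for kind, user, detail in reconcile(HR_ROSTER, IAM_EXPORT, AS_OF):
        print(f"{kind:22} {user:12} {detail}")
```

    Run as-is, it reports bob (a leaver still enabled two weeks after departure), carol (a mover who kept the erp-payments group from her old Finance role) and svc-backup (an enabled account with no HR owner); alice and the already-disabled dave produce no findings. In a real deployment the two inputs would come from the HRIS and the directory or identity provider, and the role-to-group baseline would be the organization’s own entitlement model.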

    Finance can help cybersecurity become integrated across the enterprise by virtue of its “gating” function. Most projects or expenditures need financial approval on an annual or periodic basis, so this “gate” in the process, when projects must check in with Finance, is a great opportunity to make sure cybersecurity is involved in project planning, vendor selection, and so on. 

    Communications and Investor Relations play critical roles in preparing for crises and responding to them. Communications can help design training for employees and advise management on how to talk about cybersecurity with customers and users — for example, whether the company should be reserved about cybersecurity and only disclose what is necessary in part to avoid becoming a target, or whether it wants to talk about its cybersecurity as a strength and even a differentiator in the market. 


    Many cybersecurity risks come to an organization via third parties like suppliers, vendors, and business partners, so Procurement and Contracting are important, too. These teams track third parties and coordinate with IT Security to assess their cybersecurity and the risk posed to the organization. Most organizations assess third parties only when they first enter into a business relationship with them. Sophisticated organizations do “continuous monitoring” to track the security of third parties over time, through technologies, questionnaires, and onsite assessments, and they limit what each third party can reach so that a vendor compromise does not become their own. Target, which suffered a damaging data breach in 2013 after attackers used credentials stolen from one of its HVAC contractors to reach its network, no doubt wishes it had better controls in place around its third parties.

    The Legal team also manages third-party risk, particularly through contracts. Good contracts require third parties to meet specified cybersecurity measures, to report promptly if they are breached, and to indemnify the organization for harms that result from their own security failures. Legal also manages cyber insurance, which is an important tool for reducing exposure to cybersecurity risk, and helps ensure compliance with regulatory or contractual requirements imposed on the organization from the outside. Often, organizations retain cybersecurity vendors through Legal so that sensitive security work, such as a breach investigation, can be claimed as privileged and protected from discovery in the event of a lawsuit; courts do not always uphold that claim, so the engagement should be structured with counsel from the start rather than relabeled afterward. Finally, if a cybersecurity incident happens, Legal is an important part of any response. In an ideal world, Legal has also been involved in documenting how the company made decisions about its risk tolerance and designed its cybersecurity program, and this documentation can help protect the company if it is later sued.


    The teams we have looked at so far are responsible for corporate or enterprise cybersecurity, but most organizations are in the business of making a product, and making sure that product is secure is critical too. It matters for the customer who buys the product, for the reputation of the organization that makes it, and, most importantly, for the safety and well-being of the people who ultimately use it. Whether the product is a physical object enabled by software (like a jet engine) or an application made entirely of code that rests on other systems, the people who design, build, and support these products are critical to cybersecurity. Engineers and others who support products should incorporate cybersecurity throughout the product lifecycle: during concept and product design, by threat modeling what an attacker could do with the product; while building the product, by using secure development life-cycle practices such as code review, static and dynamic analysis, and tracking of third-party components; when delivering and servicing the product, especially where remote access or software updates are involved, which must be authenticated and integrity-protected; and even when decommissioning products that may store sensitive information, which should be wiped before disposal. So far, the cybersecurity industry has focused its attention on organizational and corporate networks, and not enough attention has been paid to products. As more and more products become digitally enabled, attackers will target them. The job of product teams in achieving cybersecurity has never been more important.


    Looking to the “top” of the organization, the CEO is ultimately accountable for managing cybersecurity risk. The CEO should set the “tone at the top” to emphasize cybersecurity and must ensure the right governance processes and people are in place to make decisions about risk and to hold executives accountable for whole-of-enterprise cybersecurity. And the CEO must make or oversee key decisions about risks (which are acceptable and which aren’t), resources, and IT Security requests. During a major cybersecurity crisis, the CEO will often make the most critical business decisions and will personally sign off on communications to customers, users, business partners, regulators, and others. Of course, the CEO keeps the Board informed, and the Board has an important oversight role to review and probe the cybersecurity program, to approve the risk tolerance of the organization, and to monitor governance and progress.


    Data, Data, Everywhere

    Of course, in addition to helping achieve cybersecurity for the whole organization, these teams also have their own unique information assets to protect. Product and R&D teams develop the invaluable intellectual property that attackers love to steal (as in the reported thefts of design data for the F-22, F-35, and C-17). Finance needs rigorous controls to protect the organization’s money, since many cyber criminals run business email compromise schemes that corrupt accounts payable and vendor payment processes to redirect funds; in at least one case, criminals stole nearly $50 million this way, which is why a change to a vendor’s bank details should always be confirmed through a channel other than the email that requested it. Human Resources holds employees’ personally identifiable information, sensitive information like performance reviews, and potentially even medical information. One of the most significant breaches ever was the breach of the U.S. Government’s human resources agency, the Office of Personnel Management, which lost sensitive information on more than 20 million people. Management is constantly exchanging sensitive emails, documents, and other communications that must be protected. Communications and Investor Relations often hold the power to issue press releases, earnings reports, and other time-sensitive information, especially at publicly traded companies that must follow strict rules on when and how they disclose material information to investors. Legal uses law firms, and law firms get hacked, too. The list goes on. Everyone, therefore, must also contribute to the organization’s risk assessment to determine what information and systems need to be protected.


    The Weakest Link, and the Champion



    Finally, there is the role that every individual must play no matter where in the organization they work. Cybersecurity experts often say that attackers will exploit “the weakest link,” the one person in the organization who gets a phishing email and clicks on a bad link, or who reuses their work password for a personal social media account, circumventing security controls and putting the organization at risk. Each of us needs to be a good steward of cybersecurity and help protect our organizations. At a minimum, this means following policies: whether and how to work remotely from home; keeping information on approved systems; using IT systems only for allowed functions; using a unique password for each system (a password manager makes this practical) and multifactor authentication wherever it is offered; and being alert for phishing emails, and reporting the ones you receive rather than simply deleting them, so that others who received the same message can be warned. Even better than not being “the weakest link,” though, is to be the champion of cybersecurity in your organization. Help raise the bar among your peers.


    Ask management good questions. How can we better integrate cybersecurity into product design and development? Do we use secure development practices to write secure code? Does our product software allow unintended functionality that could be disruptive, and if so, why? When we use vendors and third parties, are we assessing their cybersecurity and imposing controls on how they handle our information and access to our enterprise? How is the organization protecting the intellectual property I work hard to develop? If we are not using multifactor authentication, why not? If a cybersecurity incident affects our organization’s network or one of our products, are we prepared to respond? The list goes on. You are important to cybersecurity, so go forth, incorporate cybersecurity into your own role, and ask good questions!

