Many years ago at the beginning of my law enforcement career, a wise police chief that I worked for told me that before my intelligence unit acted on any intelligence we gathered we had to vet it with a second source. “Trust but verify.” I took the advice to heart, and that sage advice paid big dividends for me through the years.
The idiom “Trust but verify” is most often associated with Ronald Reagan, the 40th President of the United States, and his approach to nuclear disarmament during the latter years of the Cold War. However, the phrase itself has earlier roots and has been used in various forms over the years.
The Russian phrase “Доверяй, но проверяй” (Doverai, no proverai), which translates to “Trust, but verify” in English, is often cited as an inspiration for Reagan’s use of the phrase. Reagan famously used the idiom during negotiations with the Soviet Union in the 1980s, particularly in the context of the Intermediate-Range Nuclear Forces Treaty (INF Treaty), signed in 1987. He often repeated the phrase when discussing the importance of trust between the superpowers, while simultaneously emphasizing the need for rigorous inspections and monitoring to ensure both sides were complying with the terms of the treaty.
The phrase has since become a widely recognized concept in diplomacy and negotiation, emphasizing the importance of trust but also the need for independent verification and transparency. It’s often used in contexts beyond diplomacy to emphasize the importance of verifying information or promises in various situations to ensure that they are accurate and reliable.
C-Suite leaders should be applying “Trust But Verify” to their organization’s cybersecurity efforts.
In today’s digital landscape, the responsibility for cybersecurity doesn’t solely rest upon the shoulders of IT departments and technical teams. Instead, it has rapidly ascended the corporate ladder, becoming an essential concern for the C-suite. As leaders and decision-makers, C-suite executives play a pivotal role in establishing, maintaining, and bolstering an organization’s cybersecurity posture. Why is this responsibility so crucial for top-tier executives?
Holistic Organizational Vision: C-suite executives have a unique, bird’s-eye view of the organization, understanding its various components, goals, and vulnerabilities. They can ensure that cybersecurity initiatives are in alignment with the broader organizational strategy, making sure that resources are appropriately allocated, and that there’s a synergy between the business objectives and cybersecurity measures.
Stakeholder Trust: Shareholders, partners, customers, and employees place their trust in organizations to protect sensitive data, whether it’s financial records, personal details, or intellectual property. Any breach can significantly erode that trust, causing both reputational damage and financial consequences. C-suite executives, as the face of the company, are integral in upholding and reinforcing this trust.
Regulatory & Compliance Implications: With increasing scrutiny from regulators around the world, businesses face stringent cybersecurity compliance requirements. Non-compliance can lead to substantial fines, sanctions, and legal repercussions. Executives, especially the CEO and CFO, play a key role in ensuring that the organization adheres to these regulations, safeguarding not only the company’s reputation but also its bottom line.
Fostering a Culture of Security: Organizational culture is often shaped from the top down. When C-suite executives prioritize cybersecurity, it sends a powerful message throughout the organization. It underscores the importance of safe digital practices, from the boardroom to the breakroom. Employees, in turn, become more vigilant, making them less susceptible to risks like phishing scams or careless data handling.
Rapid Decision Making in Crisis: In the event of a breach or cyberattack, quick decisions are paramount. C-suite executives can mobilize resources, communicate with stakeholders, and guide the organization during such crises. Their involvement ensures a coordinated response, minimizing damage and expediting recovery.
Financial Investment and Resource Allocation: Ensuring robust cybersecurity often requires significant financial investment—from deploying advanced tools and technologies to hiring top-tier talent. C-suite executives play a crucial role in allocating budgets, ensuring that the organization invests adequately in its digital defenses.
Evolving Threat Landscape: The realm of cyber threats is dynamic, with new challenges emerging regularly. C-suite executives, with their broader market insights and strategic vision, can anticipate future challenges, guiding their teams to preemptively address these threats rather than merely reacting to them.
This Morning’s “Trust But Verify” Moment
If you are an executive responsible for the health and well-being of an organization, trust but verify should probably be a tool in your management toolbox. For example, here’s how I used “trust but verify” in the cybersecurity realm in my office this morning.
Email is one of the most popular attack vectors for cyberattacks. If your email address is in the public domain, there is a hacker somewhere trying to gain access to your inbox. This morning, I asked our security operations center (SOC) personnel a simple question: “Who is trying to break into my email account today?”
My expectation wasn’t that they would be able to answer my question off the cuff, but that they would be able to assess my query and answer my question in less than an hour. It took them 7 minutes to assess who was trying to break into my account and tell me how they were being thwarted.
This morning’s email hack attempts were coming from multiple Amsterdam-based computers connected to the global internet by way of an ISP known as Des Capital B.V. These computers were trying to brute force my account through our mail server’s web interface. My SOC staff estimates that it would take an average computer 3 tredecillion years to brute force my account password if it was given unfettered access to try. 3 tredecillion probably isn’t a number you are familiar with, so I’ll type it out for you:
3,000,000,000,000,000,000,000,000,000,000,000,000,000,000.
Unfortunately for the would-be hackers, every computer IP address they threw at the task got 5 tries and then got blocked for a period of time. That makes brute forcing my email an almost impossible task. If they do get lucky and guess my password, then they’ll have to overcome the two-factor authentication that acts as an additional layer of protection.
I spent about an hour engaged with my people to understand the answer to my query. They showed me in depth how it gets even worse for the would-be hacker. The information we gathered from hacker behavior is shared with our cybersecurity partners as cybersecurity intelligence.
We apply the same intelligence gathering and sharing process that I used in law enforcement to cybersecurity. When our SOC sees hacker behavior, it shares it with other SOCs and vice versa. Using the collective knowledge of our partners, we may block would-be hackers before they even try our infrastructure based on the knowledge they were attempting to break into someone else’s computers.
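As an added illustration of the lockout the SOC described (five tries per source address, then a block for a period of time) and of the partner-sharing step, here is example code that is not from the original post: it replays constructed webmail login events, applies that policy, and produces the list of blocked addresses that could be shared with partner SOCs. The log line format, the 10-minute block length and the addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample webmail auth lines ("<timestamp> <ip> <event>"), not real
# log data; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-02T08:00:01 203.0.113.10 login_failed
2024-05-02T08:00:02 203.0.113.10 login_failed
2024-05-02T08:00:03 203.0.113.10 login_failed
2024-05-02T08:00:04 203.0.113.10 login_failed
2024-05-02T08:00:05 203.0.113.10 login_failed
2024-05-02T08:00:06 203.0.113.10 login_failed
2024-05-02T08:00:07 203.0.113.11 login_failed
2024-05-02T08:00:08 203.0.113.11 login_failed
2024-05-02T08:15:00 203.0.113.10 login_failed
2024-05-02T09:05:00 198.51.100.7 login_ok
"""
LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) (login_failed|login_ok)$")

def analyze(log_text, max_tries=5, block_minutes=10):
    """Replay auth events with a per-IP lockout: max_tries failures block the
    IP for block_minutes, attempts during the block are rejected without being
    counted, and the counter restarts once the block lifts."""
    fails = defaultdict(int)     # consecutive failures per source IP
    rejected = defaultdict(int)  # attempts dropped while the IP was blocked
    blocked_until = {}           # ip -> datetime the block expires
    ever_blocked = set()         # IPs worth sharing with partner SOCs
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # skip lines in a format we do not parse
        ts, ip, event = datetime.fromisoformat(m[1]), m[2], m[3]
        if ip in blocked_until:
            if ts < blocked_until[ip]:
                rejected[ip] += 1
                continue
            del blocked_until[ip]  # block expired: start a fresh count
            fails[ip] = 0
        if event == "login_ok":
            fails[ip] = 0        # a real login clears the counter
            continue
        fails[ip] += 1
        if fails[ip] >= max_tries:
            blocked_until[ip] = ts + timedelta(minutes=block_minutes)
            ever_blocked.add(ip)
    return {"failures": dict(fails), "rejected": dict(rejected),
            "blocked_until": {ip: t.isoformat() for ip, t in blocked_until.items()},
            "share_with_partners": sorted(ever_blocked)}
```

Running `analyze(SAMPLE_LOG)` shows 203.0.113.10 locked out after its fifth failure, its sixth attempt rejected, and its later attempt counted afresh once the block has lifted.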
That’s the kind of competent answer I was looking for and it gives me confidence that our cybersecurity staff are hard at work thwarting hackers. You don’t need to be a cybersecurity expert to ask your cybersecurity people pointed questions, to trust but verify.
You do need some general knowledge of the behaviors and methods of hackers. And you can garner that knowledge with just a little bit of effort. Pay attention to cybersecurity matters and learn more about the field. The survival of your organization may depend on it.
While my recent “trust but verify” query revolved around my email inbox’s security, it’s crucial to understand that this is just a drop in the vast ocean of cybersecurity. In the interconnected digital world we operate in, every point of contact, every device, every application can become a potential gateway for cyber adversaries. Email security is undeniably crucial, given its ubiquity in business communication, but there are numerous other facets that require equal, if not more, attention.
For instance, network security focuses on safeguarding the integrity, confidentiality, and availability of data as it’s transferred across networks. Application security emphasizes ensuring the apps your business relies on daily are fortified against breaches. Endpoint security, on the other hand, is about securing end-user devices like computers and mobile devices. And let’s not forget about cloud security, given the accelerating shift towards cloud-based solutions in modern enterprises.
As an executive, while you don’t need to be the expert on every nuanced aspect of cybersecurity, you should have a holistic understanding to effectively lead and question your teams. So, when engaging with your cybersecurity department, diversify your inquiries beyond email safety.
Questions to Engage Your Cybersecurity Team Effectively
Here are some pointed questions an executive might consider posing to their cybersecurity team to ensure a comprehensive security posture:
Network Security: “How frequently do we monitor our network traffic, and what anomalies have we detected in the past quarter?”
Application Security: “Are all our business-critical applications updated to their latest versions, and have we conducted recent penetration tests to identify vulnerabilities?”
Endpoint Security: “Given the rise in remote working, how are we ensuring that every endpoint, especially personal devices, accessing our corporate network is secure?”
Cloud Security: “As we transition to cloud-based solutions, what measures have we implemented to ensure the integrity and safety of our data off-premises?”
Incident Response: “In the unfortunate event of a breach, what’s our protocol for containment, mitigation, and communication? Do we conduct regular drills to prepare?”
User Training: “Considering that human error is a leading cause of breaches, how regularly are we training our staff on cybersecurity best practices?”
Data Protection: “How are we ensuring compliance with data protection regulations, and how frequently do we audit our processes?”
Asking such questions not only demonstrates your commitment to maintaining a secure digital environment but also challenges your cybersecurity team to remain on their toes, fostering a culture of continuous improvement and vigilance. Remember, in the rapidly evolving landscape of cyber threats, proactive engagement and consistent learning are your best allies.
If you have no starting point for asking cybersecurity questions of your staff, download our Cybersecurity Essentials book. It’s free. If I were starting from zero, I would want my cybersecurity charges to assure me that we had at least deployed the CIS IG1 security controls. We explain all about the CIS controls beginning on page 17. Stay safe! If your organization needs help with your cybersecurity, get in touch….
Image by Mohamed Hassan from Pixabay