In the era of digital manufacturing, a cyberattack can cripple any part of a business, or all of it. The information technology department understands the stakes. Operations people get it. But does the boss?
CEOs, especially at small and mid-size manufacturers (SMMs), are focused on so many tasks directly affecting the bottom line, they may be tempted to hand off cybersecurity responsibility to others and move on. The thinking goes: We’re small. What are the chances a hacker will ever notice us?
Big mistake.
“‘We’re too small to hack’ is a common refrain, but that’s not how adversaries think,” said Michael Tanji, Director of Cybersecurity for MxD, which the U.S. Department of Defense has designated the National Center for Cybersecurity in Manufacturing. “SMMs are the perfect target because they don’t have the same cybersecurity resources as major firms. Because our supply chains are so complex, disrupting a few easy targets has a cascading effect that is more damaging and less risky than trying to attack a prime contractor.”
Tanji said CEOs, as well as other top executives and boards, need to prioritize the role of cybersecurity for the good of the company and its supply chain. Protecting a company’s digital systems and operations is as important as other aspects of manufacturing, including finance and research and development. As a result, CEOs need to invest in cybersecurity, support those doing the work, and model good behavior by taking protocols seriously.
“If you don’t have CEO support — openly declared and regularly addressed — you don’t have a cybersecurity capability. Full stop,” Tanji said. “The basic dynamic of any organization is that people take their cues from the top. If leadership is just paying lip service, so will everyone else.”
Because CEOs have so much on their plates, tech managers and others may need to do some work to persuade the boss to become a more active leader in this area.
We asked Tanji about engaging the CEO on cybersecurity:
How do you convince a CEO that cybersecurity is crucial?
MT: Cybersecurity is nothing anyone wants to do. Executives are obliged to do it for various reasons: compliance with an industry standard, for insurance purposes, etc. Some of the best arguments for more or better cybersecurity aren’t about security, they’re about protecting investments, they’re about reducing risk. You need to understand what issues drive management attention and reframe what you’re trying to do in those terms.
Once you have a CEO’s buy-in, how do you keep it?
MT: You have to show value — that their investment wasn’t wasted. This can be difficult because it’s hard to come up with security stats that make sense to a business mind. Businesspeople like charts to go from lower-left to upper-right. I’ve known organizations that did things like report on how many attempted malware infections were caught. The chart looked like a rollercoaster, which gave the impression that security wasn’t working very well. You need to identify metrics that are meaningful and can also illustrate efficacy.
Any other strategies for keeping focused?
MT: Cybersecurity has to stop being something special. By that I mean it must be something you address as frequently as you do operations or financials or any other critical aspect of your business. Treating it as “special” — the same training video you watch once a year — means the message goes in one ear and out the other. If you show up to work and are told what goals you need to hit, what requirements you need to meet, you pay attention to that because it’s something that is clearly important. It’s something that is being measured, something that your compensation is based on. That’s what people pay attention to. So, if you want them to pay that kind of attention to cybersecurity, you need to make it just as important as the other business metrics or goals.
How do good leaders model smart cybersecurity practices?
MT: If cybersecurity is important to you, then as a leader you need to model the right behaviors and repeat the mantras. Use the same security tools and follow the same practices that everyone else in the company uses; don’t use your power to sidestep or exempt yourself from cybersecurity requirements. Make sure you incorporate cybersecurity issues into your discussions with subordinates, supervisors, and people on the line. People hear you say it, they’ll repeat it. If you walk the walk, people will notice and seek to imitate.
Visit the MxD Virtual Training Center for information on cybersecurity workforce training resources.