Cybersecurity Lessons from the Field

Jun 28, 2021 | DTJ Online

What does it take to be a champion of cybersecurity for the Defense Industrial Base? Especially in this time of recovery from a global pandemic, cybersecurity hinges on alignment. Success depends on three factors: a shared vision of the end game, cross-functional credibility, and a disciplined innovation process. Starting with this edition and continuing for two years, the Defense Transportation Journal will address each of the three factors by sharing cybersecurity lessons from the field based on experiences of industry leaders large and small.

Every organization understands that we connect in an ecosystem of employees, customers, and suppliers that extends from our supplier’s suppliers to our customer’s customers. We also recognize that cybersecurity relies on precautions that extend across these connections. In short, cybersecurity is a team sport. Having said that, too many organizations in the US and worldwide lack a shared vision of the end game, cross-functional credibility, and a disciplined innovation process.

When Atlanta was hit with a cyberattack, that was “Atlanta’s problem” and barely stayed a national topic of attention for more than a day…even though whole segments of Atlanta’s critical infrastructure were shut down, including parts of the systems for the city’s courts, police, and human resources. The same thing happened as those cyberattacks spread to municipalities and companies across the US that lacked the resources to cope with the bitcoin ransoms, let alone the systemic attacks.

Against that backdrop, a global pandemic reminds us how much we depend on coordinated mobilization. To address this need, we will detail how the smallest, most resource-constrained companies can be best practice leaders without a big budget. We will focus on the experiences of companies with less than 50 employees that make up the vast majority of the 300,000+ businesses in the narrow definition of the Defense Industrial Base and the 30 million+ businesses in the US overall.

To match those concepts of operation, we need:

  • Local businesses and global businesses to become glocal businesses jointly leading the next generation of collaboration best practices
  • A strong, shared vision of the end game that has now been established as the Cybersecurity Maturity Model Certification (CMMC)
  • Cross-functional credibility to say this is not an IT problem but is the responsibility of the entire CEO team across all market categories
  • A disciplined innovation process like the one the National Institute of Standards and Technology (NIST) has provided

Companies like Maersk created a role model for this kind of alignment with their business preparedness and response to the global NotPetya attack. Maersk made its resiliency a core competitive differentiator of its business model and spent hundreds of millions of dollars to do that.

Smaller organizations also felt the pain of that attack as collateral damage. For example, consider the small hospital serving as the primary care facility for the entire area around Princeton, West Virginia. The Princeton Community Hospital lost all network access to patient records and overall operations. That left clinicians taking notes and ordering medications by hand while shutting down normal human resources and finance functions completely. The Princeton Community Hospital continues to exist today, but they lacked a nationwide playbook for how “the rest of us” establish business continuity protocols like Maersk.

The problem with the Defense Industrial Base is not the autonomy of small businesses, but rather their lack of participation in a coordinated response. In the US system, small businesses are not the problem. Small businesses are America’s strength as long as they mobilize effectively.

Government-led economies receive directive policies on how they address cybersecurity from the top down, driven by state-controlled enterprises. That will not be the US approach, and we would not be good at it even if we tried. America’s success by design will depend on distributed leadership. Any failures in that distributed leadership will be targeted by adversaries.

This series will detail the cybersecurity know-how of small organizations, the kind of organizations that are just familiarizing themselves with NIST. (Until recently, the vast majority of firms in the Defense Industrial Base had never heard of NIST.) We will focus on how these smaller organizations can be role models within the realities of their budgets. In the same way Ben Franklin brought local tradespeople together every Friday night to figure out what was going well for community businesses and what could be going better, this series will share specific experiences of everyday progress.

We will draw on real cases of companies as an amalgam under the name DIB-Co. Each issue will include micro-case installments of how this company transformed itself. Like many businesses, DIB-Co only learned of NIST in the last few months. But now DIB-Co, in this actual example, has already become a pacesetter for cybersecurity improvements despite the company’s long road ahead to comprehensive cyber-readiness. On this journey, DIB-Co will go from being unaware that they are part of the Defense Industrial Base to recognizing that dozens of their customers are suppliers to the iconic giants of US defense logistics.

Over the next two years, DIB-Co’s goal is to make cybersecurity an integral part of the company’s competitiveness. In the 1970s, American car companies argued that they had to make the hard tradeoff between profitability and quality. In contrast, Japanese automakers during that period argued that profitability was impossible without quality. American automakers transformed themselves to that quality-from-the-start perspective.

Today, many American members of the Defense Industrial Base see a tension between their choice of focusing on efficiency or cybersecurity. This series will reposition cybersecurity as a discipline that makes efficiency possible across the Defense Industrial Base and the US economy as a whole. DIB-Co’s future depends on that transformation.

By Ted Rybeck, Chair, Benchmarking Partners, & Chair, NDTA Cybersecurity Best Practices Committee