Why Your Cyber Risk Plan Is Dangerously Out Of Date (And What To Do About It)

“If you see hackers, you see Usi.” Someone once told me that I should tell people this, so they’d remember how to pronounce my name, and who I am.

So now that my name’s embedded in your memory, let me introduce myself. I’m one of the founders of Omnistruct, and we are in the business of making sure your business is prepared for hackers. And we do that by making sure that you’re proactively addressing a strict, organization-wide policy of informed cyber hygiene focusing on three crucial areas: security, privacy and risk.

‘To err is human …’

Wait, aren’t these just technical matters? Yes, there is a technical component, but it’s fractional — contrary to what you’ll hear from the thousands of companies who want to sell you those very tools and services. Their goal is to stop the hackers from getting in at all. This is important, don’t get me wrong. You always need that line of defense. But it’s just one piece of a larger puzzle. Successfully putting that puzzle together means understanding that, despite your best efforts, being compromised isn’t a matter of if, but a matter of when. As poets have been pointing out for hundreds of years, we’re only human. Wisdom lies in preparing for the worst. And that means treating a breach as an inevitability — and then being qualified enough to meet your data protection obligations to the letter of the increasingly severe laws and regulations where you operate.

I know what you’re thinking. “But the cybersecurity industry will save me and my business from this chaos! It’s what I’m paying them to do!” Sadly, this isn’t just untrue; it’s dangerous thinking. Even the most sophisticated security tools are, at best, an ongoing struggle to stop hackers. In an era when breaches continue unabated despite billions spent on cybersecurity, lawmakers in the U.S. are following Europe’s lead in implementing strict laws to protect consumer data. The idea is that, statistically, widespread breaches are inevitable. So the failure to plan and prepare for this contingency is punishable — and not just for businesses, but for executives and board members, too. And yes, that includes all of us! A befuddled “but I’m not technical, I’m a CEO” will offer no protection under new regulations like California’s CCPA.
The mindset that wants to toss this problem over the fence to IT without co-owning it is dangerous because it runs afoul of such new laws, and because it ignores the fact that cyber security is now a business-wide problem that can’t be siloed (or scapegoated) away.

If you want to be even more shocked, let’s talk about the consequences. Regulators and lawmakers are showing a marked interest in holding the C-suite and board members personally accountable for neglecting cyber risk. At one point, legislation called the Mind Your Own Business Act called for jail time for leaders who fail to take cybersecurity seriously. (Luckily, this one didn’t become law … or not yet, anyway.) On top of fines and legal fees for the leadership suite, your business will also be subject to fines and other sanctions like license suspension. The new regulations also empower consumers to more readily file civil suits against businesses that fail to protect their data under the strict new letter of the law. And if you’re found to be in violation, your business gets posted on the state attorney general’s new “sin bin” website, telling the world you were compromised. That’s not great news for your ability to entice new customers in the years to come.

A job that’s too big (and important) for your IT department

And if you’re building or managing a business, you are also trying to win business, right? As such, you’re probably doing so via a website, in some capacity. And unfortunately, that makes this problem your problem, too. So, how do you get ahead of this? It all begins with adjusting the way you approach cyber security. In my world, there are only two kinds of companies: those that have been hacked, and those that will be hacked. Successfully navigating cyber risk means operating on the assumption that you will be breached at some point. It isn’t just a matter of tasking IT with implementing security protocols, but also of creating a strategy that fully and methodically complies with all of these new regulations. The idea is not just to ensure that you’re not one of the “examples” regulators are looking for, but also that you’ll be able to show that you’re actively addressing cyber risk, to help continue winning the confidence of clients and customers.

So, what do you do? Who can you trust to manage this burden of expertise, spanning tech, operations, and legal? Will your insurance cover it? Who can you call for answers to these types of questions? As you can see, this is far more than you can simply delegate to IT. In addition to technical expertise, you’ll also need the input of experts like policy writers and specialized consumer protection lawyers. You’ll also need to perform tasks that are far beyond the scope of most IT departments, like background and internal integrity checks for all parties involved, including (especially!) non-technical staff. Much as we’d love to kick the can down the road to IT leadership, doing so presents a few more concerns: asking someone in IT to write a policy or a procedure, or to take on another task that’s outside their area of expertise, will create dissatisfaction among your staff. More important, it’ll also yield a less-than-optimum result.

Cyber governance, made easy

If you can’t tell yet, this is where Usi enters the chat. With decades of collective experience in the hard-won wisdom of cybersecurity, my partners and I have constructed a cyber security model that approaches the issue with the comprehensive thinking, full attention to detail and marshalling of expert resources that it requires. Our cyber Governance as a Service (or GaaS) model isn’t just a protection against hackers, but a blueprint for managing the three components of full data protection (security, privacy and risk — it’s kind of my mantra). Guided by essential data like the latest state, federal and international regulations and an advanced knowledge of cybersecurity frameworks, we help you figure out your proactive cyber hygiene position. We help make sure your entire company is legally doing the right thing regarding cyber risk governance in the eyes of regulators — even when nobody’s watching.

For you, it’s hitting the easy button to address the cyber risk problem as a complete entity, for as long as it exists. Our service offers economies of scale in staff, governance, and innovation to help you address this issue affordably. You’ll get the assurance of covering all of your cybersecurity legal bases, and your overworked IT, development, sales, operations, leadership, and other managers will get more time to focus on moving your business forward. As your cyber risk illustrators, demonstrators, and oversight team, we can help you prove that you’re doing the right thing, so when that hacker finally breaches the defenses, your risk of sanctions, fines, and other repercussions is minimal. As we move further into a strange new decade, it isn’t just about giving yourself and your team some serious peace of mind, but about giving your business the foundation it needs to grow.

George Usi, CEO, Omnistruct Inc
