The Cyber Readiness Institute is addressing one of the most challenging risks for companies operating today – cybersecurity – and an aspect that is equally daunting: securing the value chain. Driving meaningful change requires input and expertise across geographies, sectors and companies. As such, it is fortuitous that the Institute’s two founding organizations – The Center for Global Enterprise (CGE) and the Center for Responsible Enterprise And Trade (CREATe.org) – bring a wealth of experience helping companies around world address top risks through the improvement of management practices.
The goals of the initiative are also boosted by involvement of the Institute’s co-chairs: Samuel J. Palmisano, Founder of CGE and former CEO and Chairman of IBM; Ajay Banga, President and CEO, Mastercard; Satya Nadella, CEO, Microsoft; and Penny Pritzker, Former U.S. Secretary of Commerce and Chairman of PSP Capital Partners
This Q&A with CREATe.org’s President and CEO, Pamela Passman, offers insights into the work of the non-governmental organization (NGO), CREATe.org, and how it came to work with CGE on this joint initiative and other collaborations.
Q/ Pamela, CREATe.org’s mission is to promote leading practices in cybersecurity, intellectual property (IP) and trade secret protection, and anti-corruption. How did you come to work with CGE and launch the Cyber Readiness Institute?
The idea behind CREATe.org was to help identify the best practices for addressing some of the toughest governance and risk issues facing companies today as they operate globally with disparate value chains. CGE is also focused on identifying and sharing leading management practices for global companies. CGE asked CREATe nearly two years ago to work with it on an effort to build management practices for the evolving digital supply chain, and our COO, Craig Moss, has played a key leadership role on CGE’s Digital Supply Chain Initiative, helping companies harness the benefits of the digital supply chain. As we more deeply engaged with CGE, it became apparent that there was another area of focus that made sense for joint collaboration: cybersecurity. Craig will play a key role as a director in the Cyber Readiness Initiative and will lead the effort on building tools and resources.
As many know, CGE’s founder Samuel J. Palmisano served as vice-chair of the Commission on Enhancing National Cybersecurity and he and his fellow Commissioners shared an objective of ensuring that the recommendations from the Commission Report are adopted in a practical and sustainable manner. CREATe.org is also focused on broadening adoption of best practices for cybersecurity and has been working with a group of seasoned representatives of global companies and major universities to operationalize leading cybersecurity practices. Given these synergies, we considered where we could have the greatest impact. Our collective expertise and input from our co-chairs focused our efforts on two key areas – helping small and medium-sized companies in global value chains and improving workforce understanding of cybersecurity.
Q/ In your work with organizations around the world, what do you feel are the top ways that businesses fall short when it comes to cybersecurity?
Working with business leaders, academics, think tanks and other experts confirmed our view that effective cybersecurity requires an enterprise wide approach embedded in an organization’s business operations. That is, ensuring that the ‘people, processes and technology’ elements are addressed across an organization. Companies of all sizes fall short in addressing all of these elements of effective cybersecurity.
Basics – such as controlled access to critical information, employee training and system updates – can go by the wayside due to resource constraints or competing priorities. Some companies are simply overwhelmed and unsure as to how to address effective cybersecurity. Others compartmentalize it as an ‘information technology’ or IT issue rather than considering the broader elements required for protection. For example, “insiders” are known to pose the greatest threat for companies. Do employees understand their role in protecting corporate systems and assets? Are contractors held accountable to the same controls? How about third parties? Additionally, many enterprises will have robust controls in place at headquarters, but will not extend these fully to regional offices or subsidiaries.
Q/ What does CREATe.org want to achieve in the joint initiative to launch the Cyber Readiness Institute?
We are excited about the possibility of engaging with some of the world’s leading organizations and professionals to develop practical tools and resources that small- and medium-sized companies can leverage to improve cybersecurity within their organizations and also with their third parties.
Government can and does play an important role in cybersecurity. The development of the NIST Cybersecurity Framework, for example, offers excellent guidance for taking a risk-based approach to cybersecurity. What our organizations can bring to the table is a private-sector approach that complements other efforts and is catered to the needs of companies of all sizes.
Q/CREATe.org has launched several whitepapers related to helping organizations improve cybersecurity, and also on the topic of the protection of critical corporate assets – trade secrets, intellectual property and other confidential information. How are these issues related?
In past years, hackers employed a ‘land grab’ mentality – tapping into system vulnerabilities with the hope that here would be prized data such as credit card details, social security numbers and the like. However today cyber-attacks are increasingly becoming more sophisticated and bad actors are targeting highly valuable information with persistence and precision. For example, in highly competitive industries such as ‘renewable energy,’ a company with innovative technology might be the target by competitors, governments or others wanting to steal trade secrets and take a short-cut to commercialization. There is also a trend towards targeting third parties who may be connected to the systems of another – usually larger – organization. For example, when the Home Depot point-of-sale systems were compromised, hackers used third party credentials as an entry into the network.
In our work at CREATe.org, we approach cybersecurity with the goal of protecting key assets and data while enabling innovation and collaboration. We advocate that organizations break down silos and build bridges across functions and roles to ensure that there is a systematic approach to protect what is most mission-critical and sensitive. Whether you are working in a large organization or a small organization, the people, process and technology need to work together. There is much that we can learn from each other – drawing on management practices that have decades of practice and new ones that are guided by tools and other resources.
To learn more about CREATe.org and download free whitepapers, please visit www.CREATe.org.
Get in touch: Email: [email protected]
LINKS & RESOURCES
- Commission on Enhancing National Cybersecurity
- Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
- EU General Data Protection Regulation (GDPR)
- The Cybersecurity Law of the People’s Republic of China
- CREATe.org Whitepaper: Cyber Risk: Navigating the Rising Tide of Cybersecurity Regulation
- CREATe.org Whitepaper: The Importance of Cybersecurity for Trade Secret Protection
- CGE Website
- CREATe Website