Book Review – Mobilizing the C-Suite: Waging War Against Cyberattacks
Reading Frank Riccardi’s new book, Mobilizing the C-Suite: Waging War Against Cyberattacks, reminded me of an amusing conversation I had recently with a major player in the edge computing space. He said, “Let me share half a million dollars’ worth of McKinsey consulting in two sentences…” Riccardi, a lawyer and Certified Healthcare Compliance (CHC) professional with C-level cybersecurity experience, offers a similar “cut to the chase” take on dealing with cyber risk.
This compact, readable book gets right into the heart of the matter. American corporations are facing mortal (or at least job-threatening) attacks from organized criminal gangs. In particular, he highlights the devastating potential of ransomware, which can destabilize a business to the point of liquidation. From there, Riccardi springs right into specific recommendations, including multi-factor authentication (MFA), password management, and patching.
As someone who has written about cybersecurity as a corporate management issue for many years, my instinctive reaction to Riccardi’s approach was to think, “No! You can’t be so prescriptive.” Instead, the C-level executive must first establish a cross-organizational team of stakeholders who have to be educated on the theory and practice of frameworks like NIST CSF. This team must then bring in consultants who will construct a threat impact “heat map” that identifies trouble spots and the “crown jewels” digital assets that require the most robust defense, and so forth.
In other words, you need half a million dollars’ worth of McKinsey to get you to where Riccardi takes you in two sentences. This is the implicit message of the book. Yes, you can absolutely do the framework/stakeholder/risk impact death march. Or, you can save yourself a year and a lot of money and cut right to what they’re going to recommend, anyway, which are better basic cyber hygiene and a few critical countermeasures, e.g., MFA, better passwords, patch management, and employee security training.
The refreshing frankness and detailed prescriptions in this book may not endear it to cybersecurity professionals. But perhaps that’s Riccardi’s intent. He’s aiming for the C-suite, bypassing the framework-obsessed. It may not be an easy battle for him to fight, however.
He’s also going against the grain in today’s paradigm-oriented security world. While he urges C-suite executives to order the implementation of stronger basic measures, those same executives are likely being peppered with presentations urging major investments in secure access service edge (SASE) programs or zero trust initiatives. Who will get the dollars?
Riccardi’s overall point is very well taken, though. Experienced cybersecurity managers understand that some of the worst vulnerabilities arise out of the simplest neglect. Ransomware attacks are effective because so many companies lack MFA, strong passwords, and data backup. Attackers exploit these weaknesses, breeze right in and encrypt the target’s data. Disaster and CEO firings ensue.
As he explains, using humorous and readable stories—like referring to a ransomware attack on a cream cheese maker as a “schmear campaign”—MFA and other simple countermeasures can mitigate so much of the risk. Riccardi also discusses problems like shadow IT, which is the tendency of businesses to bypass the IT department and implement their own, private information systems in the cloud using credit cards. This presents a security nightmare, and it needs to be addressed. Riccardi similarly points to the unwise practice of offshoring data management without adequate controls.
Some of his recommendations, smart as they are, are bound to run into problems of “easier said than done” and “the devil is in the details.” Training employees to be more vigilant about cyber threats, for example, is not so simple, and experts disagree on whether it’s even worthwhile. Patch management can be difficult for older systems, and even basic patch management requires the commitment of people and resources, so it’s vulnerable to budget cuts. Data backup can be effective against ransomware, but most sophisticated ransomware attackers can still destroy data that’s backed up insecurely, and so forth.
Nevertheless, the book offers a great starting point for meaningful, pragmatic dialogues about security. It offers sensible, direct steps C-suite executives can take to improve their companies’ security postures, and protect their own jobs in the process.