Adversaries have villain names, like Chollima, Kitten, Bear and Spider. Why do we create names for villains, but not the defenders? There is a healthy superhero-villain parallel in the world’s battles fought in different cyber theaters of operation. To boil it down, battles driven by nation-state and eCrime groups hinge on business models that monetize you. They depend on the fact that you will keep doing you. Cyber adversaries aren’t Marvel scale, where a villain like Thanos, in the name of doing right in his own eyes, kills billions of people to make things better. The heroes won in the end because they understood the risk, which drove purpose, resulting in strategy (and, in this case, a lot of luck?). But the concept of doing evil for perceived good is real. For this reason, business leaders need to better understand cyber risk and build strategies to address the many risks we face in life.
This article looks at cyber risk from the perspective of misaligned strategies and business models that, over time, cause undesirable tradeoffs. It explores how we deal with the gray area between the top and bottom lines (of the income statement), impacting how we enable or constrain sustainable growth. Our actions depend on our mental models, which determine where we fall in the hero – villain spectrum. If you suspect you might be on the wrong side of the spectrum, remember that wisdom comes from the prudent application of knowledge over time. Starting out as a villain, the Marvel character Hawkeye teaches how we can go down false paths before we find our true north. Simply put, we often discover wisdom through mistakes.
Here’s a truth: hindsight is easy. Making day-to-day decisions based on competing priorities, risks and incomplete data isn’t. More often than not, you will not have full visibility into all aspects of a decision. You need a set of principles, intentionally designed to align with business models and strategies, to guide decision making when you don’t have the full picture. This can close the gap on hindsight and help avoid unwanted results.
Let’s look at the ransomware attack that caused the death of a German woman in the Duesseldorf University Hospital as an example. The attack shut down hospital medical systems, so the hospital couldn’t accept patients, forcing them to send a woman to a facility 20 miles away. This delayed her lifesaving care, resulting in her death. According to interviews with ransomware operators, hospitals are easy money. “Hospitals pay 80% to 90% of the time because they simply have no choice.” The path of least resistance. So, in this instance, the ransomware operator’s perceived good was to focus on a target that had clear motivations to pay, without regard for the consequences.
Looking at the mental models beneath the Dusseldorf example, we can infer that hospital leaders didn’t contemplate the unprincipled blackmail of human life. Nor did they see the relationship between their business model and the risk of cyber-kinetic attacks, where digital attacks (ransomware) cause real damage in the physical world (systems that sustain life). This blind spot impacted risk prioritization relative to their core business. To be fair, this example is indirect, where dependent system failures resulted in real-world impact on life. However, cyber-kinetic attacks pose a real risk to some business models. Think Dusseldorf is an outlier? Look back at the stories of Stuxnet in 2010, the BlackEnergy attack in Ukraine in 2015, and the Florida water plant attack in December 2020. Also look at the recent Annual Threat Assessment of the US Intelligence Community, which states, “Nation States’ increasing use of cyber operations as a tool of national power, including increasing use by militaries around the world, raises the prospect of more destructive and disruptive cyber activity. As states attempt more aggressive cyber operations, they are more likely to affect civilian populations and to embolden other states that seek similar outcomes.” Not wanting to see more articles like Dusseldorf, I began considering how mental models and principles can reduce the impact of undesirable tradeoffs caused by strategies that do not align with business models. The first step is understanding the elephant.
The Elephant
There is a common parable of blind men and an elephant. In this parable, the blind men have never come across an elephant before, so they conceptualize what the elephant is by touching it. Each touches a different part of the elephant’s body and describes his experience. Not surprisingly, they all have different experiences. The tail does not feel like the trunk, or the ear like the tusk.
Sounds like the beginning of a joke, “an engineer, architect and Sales VP walk into a bar…”
The elephant parable is applicable to the technology industry and thus all industries because technology touches all aspects of business and private life. Technology is a general term that describes the numerous technical disciplines and domains, each equating to parts of the elephant that people experience throughout their careers. I have been fortunate to touch many parts of the elephant, in many different roles. I have tried to be a superhero and, like them, discovered I was flawed. I made mistakes. Also like them, I let those mistakes teach wisdom, encourage purpose and develop a growing desire to leave organizations better than I found them.
Mental Models
The more parts of the elephant that you touch, the greater the opportunity to identify patterns and connect seemingly unrelated things together. I started developing my mental models as a network engineer. I was successful because I learned how to “be the packet,” to understand, from the application down to the voltages, how data flowed through networked systems and how the packet was influenced by other systems at every point in its path. I carried this with me as I moved into leadership roles where I straddled the line between business and technology, working through tradeoffs to develop strategy and execution plans that were most likely to achieve desired outcomes based on the data at the time.
Common to both networking and business is the need to understand how strategies, policies, procedures and incentives flow through people, processes and technology to achieve outcomes. Where do policies or incentives fail to change behavior? Where does congestion creep in and counter agility? Businesses need people who can “be the packet” as they manage the exchange of ideas across departments in or across organizations, allowing the ship to point toward the right horizon and move forward.
For hospitals specifically, mental models must relate the strategic prioritization of lifesaving services, and the services upon which they depend, to the business model describing the lifesaving services that contribute to revenue. For a business to survive, it has to protect the core.
Principles
Principles are fundamental truths that underpin our beliefs and impact our behavior. We don’t often realize that under the hood of our brains, mental models establish principles (which can become unconscious biases…) that form the foundation of strategy. They also play a critical role in day-to-day decision making. In a nutshell, principles are a proactive mechanism to guide decision making in the absence of a full picture.
You want to avoid decision paralysis? Start building principles.
How?
Start by understanding the business and technical knobs and buttons at your disposal to achieve strategic goals. Intentionally commit time quarterly or semiannually (depending on the pace of change in your market) to review your principles and make sure they are applicable based on the data you have at the time.
Here’s one favorite principle (I have a couple favorites…): business outcomes are improved when you can monetize business assets. This means you have to look at all your assets not as cost centers or liabilities, but as opportunities to impact top line growth. When you build or review your business model, are you looking at the monetization aspect of your assets when you figure out how you will make money from the value you create? Leveraging existing assets is the greatest opportunity to shift an asset from a cost center to a revenue generator. I am convinced AWS is the golden child of this truth.
Business Models
I don’t have insight on 100 years ago when the Dusseldorf hospital was born, but I do know the founding of the Dusseldorf University Hospital included a plan to exchange the value they provided for a form of payment. That’s the business model, which assumes the payment received is greater than the cost to deliver the value. If correct, the result is profit. Deciding what to do with the profit creates opportunities for unhealthy tension on one end of the spectrum and exponential growth on the other.
I have worked in organizations at both ends of the spectrum and many places in between. I learned that revenue growth is sustainable when you operationalize a good business model, leveraging the symbiotic relationship between business and technical strategies. At the same time, strategy is enabled or constrained by the model, influencing how security and risk conversations are demoted to bottom line costs or strategized with top line revenue.
An example of strategizing security with the business model that – over time – impacts top line revenue is in a WSJ article written by the AWS CISO, Stephen Schmidt, who writes, “At AWS, we made an intentional choice for the security team to report directly to the CEO. The goal was to build security into the structural fabric of how AWS makes decisions, and every week our security team spends time with AWS leadership to ensure we’re making the right choices on tactical and strategic security issues.”
To fix the misaligned strategies and business models that, over time, caused the undesirable tradeoffs I suspect happened with Dusseldorf, you have to stop being you. Security has traditionally been considered a cost center and the department of “No.” This is legacy thinking. You have to stop being you. For every decision you make, you have to intentionally decide that security can be shifted from a cost center to a revenue driver. Developing and acting on this principle doesn’t happen in a moment; it’s a transformation over time as we refocus on creating value, institutional wisdom and purpose.
The spider bite that gave Peter Parker superhuman powers didn’t make him a superhero. He transformed his heart and mind over time, harnessing his gifts to become a superhero. Similarly, leaders need to be aware of how they can transform and exercise their mental models to lead in this fight. When asked why fight something perceived as unstoppable, Thor responds to Surtur, “because that’s what heroes do.” This was a hilarious moment, so I understand that – in the moment – Thor forgot the part where leaders also need to understand how business models guide strategy and the evolution of risks that must be prioritized. Cyber-kinetic risk needs to be prioritized in many industries beyond hospitals. The Department of Homeland Security (DHS) has a name for this: critical infrastructure. Misalignment leads to undesirable tradeoffs when business priorities conflict with business models and strategy.
Until a couple years ago, security was a reason why companies avoided the cloud. Today it is a reason they flock to AWS. I believe the reason is years of relentless focus on aligning business models, strategies, execution, application of principles and understanding the impact of mental models.
Today, business models in the healthcare sector have to prioritize one of many options, including the delivery of best-in-class care through innovative clinical models, offering a premier customer experience, reducing costs through scale and scope of services or improving outcomes for specific populations. In this process, tradeoffs are a consequence of prioritization, but the life sustaining value they create has to remain at the core. To move forward, you need awareness of what’s behind you. You need to understand whether existing strategies, policies, procedures and incentives align to manage risk that can impact desired outcomes. Typically, these are built over time, by successive generations of leaders. Like layers of sediment that accumulate over time, you don’t fully know the story they’re telling unless you dig them up and look. If you’re steering the ship, with your eyes on the horizon, but aren’t moving in the right direction, take a look back. You may be dragging a strategic anchor or two.
The starting point is awareness of mental models driving principles that don’t align with strategy and business models, causing undesirable tradeoffs over time. Reviewing mental models provides opportunities to positively impact top line revenue through monetization of existing assets, giving color to the gray area between the top and bottom lines and enabling sustainable growth.