3 Cyber Risks in the Era of Musk and Twitter
CISO Marco Túlio Moraes on Cybersecurity and the Rise of the Stakeholder Theory
Since executive Elon Musk became CEO of Twitter, the big issue affecting the future of that social media platform is also one of the most significant assets in the digital business world: trust.
Between Oct. 27 and Nov. 1, 2022, nearly 900,000 Twitter users deactivated their accounts. That's more than double the usual average of deactivations per week. This indicator converges with the chaos Twitter users have faced, including the exodus of cyber execs, data breaches, launches of insecure products and the title of "scammer's paradise."
Even though the social media business could do a better job of dealing with all these situations, these are not risks intrinsic solely to that business. Every company needs to understand its risk appetite and tolerance levels based on both shareholders' and stakeholders' expectations. It must think of solutions considering its risk profile and its potential constraining factors, which may be financial, cultural and technological.
In what is happening at Twitter, three cyber risks - which are also strategic - raise an alert.
Risk 1: 'Move Fast and Break Cyber'
Jonathan Taplin wrote the book "Move Fast and Break Things." "Move fast and break cyber" is what happens when you launch digital products without cybersecurity.
In "Capitalism and Freedom," Milton Friedman wrote: "There is one and only one social responsibility of business - to use its resources and engage in activities designed to increase its profits so long as it . . . engages in open and free competition without deception or fraud." This profit model hurts many areas, including cybersecurity, and undermines the trust of customers and society.
In "Net Positive," Paul Polman and Andrew Winston advocate for the stakeholder theory, developed by R. Edward Freeman, which allows for concern about the ecosystem, society, individuals affected, third parties and minorities, as well as profit. A powerful movement is underway, seeking to change the status quo in terms of a more inclusive view - the so-called stakeholder economy. This movement seeks to positively affect the world and is much nobler than the isolated model focused on profit only.
Launching digital products without analyzing the inherent risks, or ignoring them, can be a short-term financial gamble. It succeeds if the company is lucky enough not to suffer a cyber incident and if its users have confidence in the product.
Twitter decided to launch its paid verification system while ignoring the risks flagged by its internal team, who "predicted" the results: Scammers and spoofers would impersonate users and companies. That's what happened with the Twitter blue checkmark.
Can you imagine the strength of a scam attempt that comes from a scammer posing as a person or organization validated by Twitter? It's an excellent product for cybercrime. Of course, Twitter had to roll back and pause the new product. Now the company has launched it again, with a verification process to validate the user. But the damage to trust in the platform remains.
Risk 2: Lack of Cybersecurity Talent
One of the roles in cybersecurity is to monitor and triage security events to detect incidents and respond appropriately to them. This aims to avoid or reduce the incident's impact on businesses.
Companies deal with thousands of security events and potential incidents daily. To sustain such operations, in addition to technology and processes, there is another essential component - people.
The biggest challenge today is finding cybersecurity talent. There are more than 3.4 million unfilled jobs worldwide in a workforce of 4.7 million globally, according to the latest (ISC)² report.
Imagine having to maintain Twitter's critical cybersecurity operations when the company is already going through a turbulent time and the cybersecurity executive and other key people have left the company. That situation can enable operational failures and business continuity risks, intensify cyber risks, and raise concerns from regulators.
The ability to attract and retain talent is critical to cyber risk management. Creating and maintaining a culture that values cybersecurity is essential for the success of new digital businesses.
Risk 3: Insider Threats
According to Ponemon's 2022 Cost of Insider Threats Global Report, the average annual cost of incidents caused by insiders, employees and negligent or malicious third parties was $15.4 million. The study analyzed 278 organizations and over 6,800 security incidents.
The tech crisis has intensified this insider risk. Massive layoffs - such as those at Twitter - and poor security controls put personal data and business operations at risk when combined with evil intent from disgruntled people. Performing this process while disrespecting people, as Twitter has done, amplifies the risk.
What are the top cyber risks in your organization? Understanding and reviewing how our organizations face external events and trends is important, but the essential step is to understand the main risks and how to manage them.
Once you identify the primary cyber risks, start by reviewing the criteria and processes to decide on them. How are low-level and high-level risks accepted, avoided, transferred or mitigated? Understand how the main business processes, such as the launching of digital products, are connected to cybersecurity initiatives and vice versa.
Once you have minimum cyber risk management capabilities, determine whether your structure and organizational culture are enabling those capabilities.
- How diverse is the cybersecurity team?
- What are the leadership profiles?
- Is the agenda included in the day-to-day activities of the business units, or is it just a concern for the security area?
- What controls are in place to deal with different risk scenarios?
Unfortunately, the cybersecurity challenge will be around for a while, as cyber risks can't be restricted to 280 characters.
Marco Túlio Moraes has over 20 years of experience in technology and cybersecurity and experience in the financial market and in native digital companies, such as startups and fintechs. He has led strategic programs at Fortune 500 companies, such as Red Ventures, Experian, MUFG, and AES, where he developed one of the first cybersecurity programs in Brazil. He was recognized in 2019, 2020 and 2021 by different international organizations as one of the top security executives and was one of the top 50 chief security officers recognized by the IDG.