Cyber security has never been simple. The threats evolve every day and the attackers have become more inventive and better financed. Over the past years, we’ve witnessed all the hype and confusion surrounding cyber security as it transforms into a frightening new reality—one where corporate and government organizations seem helpless to stop cyber incidents. It’s critical that senior executives properly define the issue and identify what constitutes an effective cyber security program. In an interview with Insights Success Magazine, Ken Barnhart, founder and CEO of Highground Cyber, shared his keen observations into the cyber security industry and his journey in developing and leading his company for this new era.
What inspired you to start Highground Cyber?
As a combat veteran, I firmly believe cyber security represents a clear and present danger to our nation and its economy. In my role as a Vistage speaker and cyber security champion, I travel around the country educating Boards of Directors, CEOs, and small business owners about how to improve their cyber posture. I’ve listened to their gut-wrenching stories of bank accounts drained in spear-phishing attacks, intellectual property stolen, systems and data locked up with cyber extortion tactics, and their identities stolen. Highground Cyber was launched with a mission to help the small and mid-market CEOs to protect their companies, themselves, and their families.
What market segments are you focusing on?
We’re heading straight for the areas where we observe the greatest need. The data clearly suggests the small and medium businesses under $250 million and 200 employees are losing the cyber security battle. According to a recent report by ADP, 50 percent of our nation’s payroll dollars flow through companies with less than 250 employees and that market is bearing 72 percent of the cyber security attacks. While retailers like Target, Home Depot, and Walmart get all of the big media headlines, these are also companies that have the resources to weather a cyber security storm and recover rather quickly. In Target’s case, they have even rebuilt a world-class cyber security system into a model that other companies are now copying. That’s not the case for small and mid-market companies. Just recently a $200 million professional services company in the Midwest lost a multi-million-dollar payroll run to a spear-phishing attack, and now their very survival is in doubt. These are not isolated incidents—the statistics show that 60 percent of companies that suffer a major cyber attack will fail within six months and 90 percent fail in a year. Reversing that trend in the small and mid-markets is our core focus.
What are some of your growth plans?
While the Highground Cyber brand is new, our experience is not. We are a spin-off of a practice group that has been defending enterprise clients for almost a decade. I spent 17 years as the founder and CEO of the Occam Group, Ltd, and a few months ago I sold the company to the minority shareholder. I brought with me our award-winning Smart & Safe Assessment. In 2015, CIO Review recognized our CEO-centered Smart & Safe framework as one of the TOP 20 MOST PROMISING Cyber Security Solutions. Our five-year plan is to double every year as a national brand. The ability to laser focus my attention on the growth of Highground has resulted in a 200 percent growth so far in 2017. That puts us a little ahead of our plans, but we have a big mountain to climb and many CEOs to help along the way.
With so many new cyber security companies, how do you differentiate Highground in the market?
Our differentiation strategy is born from the realization that most of the mid-market is improperly conceptualizing the cyber security issue as a technical problem. The hard reality is that cyber attacks are only part of the larger organizational issue of risk management and business continuity. Since most CEOs don’t have a technical background and because cyber is incorrectly classified as a technical issue, they delegate the organizational response to the IT function or outsourcing partner. In most cases, the mid-market CEOs aren’t actually delegating the responsibility for the cyber issue; they are abdicating their authority. This is particularly dangerous for the CEO as they are the corporate officer who is ultimately professionally and personally liable when a major cyber incident happens. We address this dilemma with three unique claims called Lift-Shift-Persist. Our first claim is as simple as it is bold. The small or medium business must LIFT the focus of their cyber security efforts from the IT leader to the CEO. If they don’t, their program will never achieve the necessary results. This is not because the IT leaders lack professional skill or experience, but rather they are not organizationally empowered to direct the human resources, legal, risk management, policy, brand and public relations functions that play a critical role in a holistic cyber security program. The CEO is the only role with the decision rights and organizational authority to coordinate these functions. The critical success factor is empowering the CEO with an approach that helps them put together a plan to coordinate these functions and helps them manage the execution.
Our second claim is the business must SHIFT the execution to a cyber program that’s holistic, realistic and reports into the CEO. The program-planning process starts with our award-winning Smart & Safe Assessment that establishes a baseline of the cross-functional areas necessary for a comprehensive plan. Once completed, we develop a bespoke cross-functional program to address the unique threats and assets for every company. We work with the CEO to then make the plan realistic for the three checkbooks from which they manage their company. The first is obviously financial, as the program plan will need funding, but we take a multi-budget cycle approach that looks forward 36 months. The second is change management. Organizations have a varied capacity for change, and the pace and scope of change for a business to address cyber security is often much more limited than their financial resources. As the final check, we work with CEOs to address their corporate culture. The defense of a company’s digital assets and sensitive information has to be woven into the fabric of the corporate culture and the CEO is the leader of that effort.
Our final differentiator is PERSIST because cyber security is not a “set-it-and-forget-it” issue for companies. Many of our competitors sell a system or software, install it, and either walk away or do some type of annual checkup. Our approach focuses on creating a culture of security and information systems that keep the CEO and the Board of Directors informed on the overall security posture in three critical areas: Security, Governance and Resilience.
What does winning the cyber security challenge look like for a mid-market CEO?
We believe there is a difference between explaining cyber issues honestly, which can be admittedly scary when the company is your 401k plan, and just scaring people for the pure shock value. I talk with hundreds of CEOs every year and I have yet to meet a single one who earned their chair by being easily frightened. The way we explain this is with what we call the IRON TRIANGLE of cyber security: Security, Governance, and Resilience. In the final analysis, security has always been about one thing for thousands of years—asset protection. The first win a CEO must achieve is to establish a comprehensive list of the physical and digital assets that they cannot afford to lose. If the loss of a particular asset is a business-crippling event, then they have to get those locked down first. We call this phase “locking up the crown jewels.” Security tools play a powerful role in this area and the options available to mid-market companies have improved dramatically, while simultaneously dropping in cost. It’s important for CEOs to recognize they need to enlist their employees and partners in the defense of critical company assets. All it takes is one person to handle a critical asset recklessly or maliciously and serious damage can be done.
Getting on top of governance is the next big “win” for the leadership. The CEO, not the IT leader, is the source of authority here and bears the responsibility to demonstrate good governance of the organization. The federal courts have recently provided rulings and rationale to help clarify what exactly “good business judgment” means. The Department of Homeland Security has also made some major contributions to further clarify what companies should be doing to establish proper governance. The good news is that the path to establish an effective cyber security program is much clearer than it has ever been. The bad news is the IT function has zero chance of successfully implementing the required elements.
The ultimate win for any mid-market CEO in their cyber posture is resilience. The ability to recover quickly from a cyber incident and keep rolling needs to be every CEO’s goal. The cliché we hear all the time is that it isn’t a question of if a company will experience a cyber attack but when. While there is a measure of truth in this phrase, it also misses the larger point: impact mitigation. Many organizations have built systems and processes that are “robust but fragile.” A speed boat is fast and agile, but can’t take a breach in the hull and continue to float, much less function. The resilience goal is to make organizations more like a battleship that can take several serious hits and stay in the fight.
Your passion is so compelling. What drives you?
In a word: Enough! I am sick and tired of seeing good CEOs and their families getting hurt, harried and harassed. I have always been fond of the Edmund Burke quote, “All that is required for Evil to triumph is for good men to stand by and do nothing.” With passion and purpose, I’m hoping that Highground Cyber proves its mettle in this marketplace and grows very quickly.