NSA Director to CEOs: Security Is Your Job, Too


One outcome of this post-Target, post-Yahoo, post-SWIFT hack era has been a surge in security positions requiring new expertise, because finding shrewd security architects or building an eagle-eyed SecOps team can help maximize your investments.

But Michael S. Rogers, director of the NSA, says it’s time to confront a more impactful truth. An enterprise’s CEO, he says, needs to be just as hands-on, just as accountable, when it comes to protecting a company. Specifically, they need to aggressively reconcile tactical security plans with business goals. This was the focus of a recent chat the Wall Street Journal had with Rogers, who also leads the U.S. Cyber Command.

“You don’t want your network-security team deciding unilaterally what’s important to you as an organization. You, as the leader, need to set that tone,” he explains, saying that he practices what he preaches. This includes the C-suite setting clear expectations of their security teams, which may approach data protection merely from a technological, rather than a business, perspective. Adds Rogers: “When I ask CIOs what they think is important, versus when myself or fellow operational commanders answer that question, I get totally different answers.”

He emphasizes that a CEO should also be responsible for determining when to take risks. For instance, Sony decided that—despite negative publicity after its infamous breach—it would reach out to the government for help in containing losses and preventing further attacks. Rogers estimates that if an organization is unable to quickly spot attacks, three to six months will pass before it recognizes a breach. This puts the company at a grave disadvantage, requiring more radical C-suite problem-solving.

Rogers says he told the entertainment giant, ‘The only way this is going to work is if we get full access to your network and your data. It’s the only way we can really generate the level of insight that I think you expect from us.’

As scary as this is, they did, giving his team insight into Sony’s structure, networks, and data. “They could have sat there and said to themselves, ‘We really need to minimize this. Let’s not really confront this publicly,’” he says. Instead, “They were very upfront.” They didn’t really have a choice:  radical their reaction needs to be.

The moral of this corporate parable is that CEOs need to adapt to evolving threats alongside their security analysts. Sometimes that means drastic times calling for drastic measures. But it also means taking interest in formidable, adaptive security solutions that will have better payoffs—both in the trenches and in boardrooms—over time.