LEGAL
Whether it is doing more with less in a struggling economy, trying to outperform aggressive competitors, or prevent the theft of critical intellectual property, business executives today face an unending series of difficult decisions. While we hear more and more about information and how it can help with these issues, the reality is many companies are struggling more with these issues, despite the talk of "Big Data."
That issue really permits us to focus on what the issue is, which is executive decision making. Executives have many roles in a company, but according to a Harvard Business School article, there is one key distinction between executives and nonexecutives in organizations:
The job of a manager is, above all, to make decisions. At any moment in any day, most executives are engaged in some aspect of decision making: exchanging information, reviewing data, coming up with ideas, evaluating alternatives, implementing directives, following up.
...
To climb the corporate ladder and be effective in new roles, managers need to learn new skills and behaviors – to change the way they use information and the way they create and evaluate options.1
Cornell's Johnson Graduate School of Management offers a variety of courses in executive decision making, and in describing its "Executive Decision Making" class, it states:
In this course, participants will learn how to apply formal decision-making processes in order to reduce risk and maximize benefit. Learn best practices and techniques for gathering data and making critical decisions with limited time and resources.
There are any number of different examples of similar descriptions of executive decision making that illustrate this issue:
In today's rapidly changing world, executives are often called upon to make bold decisions and venture into new areas as a result of technological innovations, downsizing, budget cuts, or reorganizations. The most effective leaders use all the information available to them and cultivate the views of others who are in a position to better assess consequences of a specific course of action.2
There are also examples from the public sector that emphasize the importance of executive decision making and the key role of information, including from the Naval War College in a text entitled "Executive Decision Making":
Making high-level defense decisions is a large part of being a senior military officer or career defense civilian. Earlier in your professional life, many of your decisions concerned near–term problems involving small numbers of people and a limited array of resources. You could usually make these decisions by using standard procedures or by relying on your personal experience. Now, increasingly, you will find yourself making or participating in more complex decisions that affect the long-term capabilities of your organization and therefore the welfare of the nation-issues that concern force structure, organization, modernization, operations, and policy.
In short, making the right decision is a critical aspect of being an executive, and having the right information, at the right time, is a critical component of making the right decision as an executive. This is true when executives make decisions that improve revenue, as well as when they make decisions on how to protect their companies from attack. The challenge is that the true nature of the threat is not completely understood by companies today.
The threat we face is that organized groups are working to find and exploit an information imbalance and create an asymmetric threat. An information imbalance is a situation where one side of a conflict has superior information regarding the weaknesses of the other. If that superior information relates to the weakness of another party, it can then be used to create an asymmetric threat, which is a threat that is targeted to, and exploits, another's weaknesses.
The best example of this is 9/11, contrasted with Pearl Harbor. Pearl Harbor involved an organized, but symmetric threat. It was the Japanese military attacking another nation state's military. And while Japan exploited an information imbalance, it was a fight between combatants with roughly equal resources. For 9/11, Al-Qaeda did not need their own army or air force; in fact, they didn't need organized military. They simply needed utility knives (perhaps even box cutters), training, and more importantly, information about how our system of air travel worked. By creating this information imbalance, they were able to perpetrate a devastating asymmetric attack on the United States.
The lesson of 9/11 was not lost on the public sector – it realized the nature of the threat and has taken steps to address it, and one need only examine recent Executive Orders, and the words of General Keith Alexander, the Director of the National Security Agency, and a recent speech by Defense Secretary Leon Panetta to see this. In 2005 President Bush issued Executive Order 13388 "Further Strengthening the Sharing of Terrorism Information to Protect Americans," with the goal of giving information sharing of terrorism information among key stakeholders, including the public and private sector. In 2010 President Obama reaffirmed the need for public sector and private sector cooperation, and information sharing, to address cyber security concerns when it issued Executive Order 13549, "Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities."
In a recent presentation, Secretary Panetta illustrated the true nature of the threat – state-sponsored activity that is increasing in intensity and, with the potential to disrupt our way of life. In discussing the nature of state-sponsored activity, he was clear. "A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack on 9/11," and Panetta also believed that "such a destructive cyber terrorist attack could virtually paralyze the nation." Panetta continued, "We know of specific instances where intruders have successfully gained access to these control systems," and he also stated that "we also know they are seeking to create advanced tools to attack those systems and cause panic, destruction and even loss of life."
The critical point is that the examples Secretary Panetta uses are not attacks on DoD, or other public sector resources – they are attacks on the financial institutions and energy sector – by the government resources of another nation state. This threat is not limited to the financial or energy industry. If you are a group seeking to do us harm, why attempt to detonate a WMD, when you instead can attempt to hack a Supervisory Control and Data Acquisition (SCADA) device that controls a water supply? Or why not attempt to disrupt the medical services in a large area by attacking the systems of a large hospital chain, or even a major health insurer. This can be done by a direct attack on the company, or by an attack on a company that is part of the chain of delivery of the necessary product or service. As a result, the threats are nearly endless and span a multitude of businesses that are not just in the energy or financial sectors.
In sum, as the physical war in the Middle East winds down, we now face a new, more diffused threat – organized well-funded attacks by entities that are state sponsored or part of organized crime networks. These actors seek to create information advantages that can be turned into asymmetric threats, and these threats are a clear and present danger to our society. The only chance the private sector has to combat these threats is to organize itself and utilize certain tools to help address these concerns.
One such tool is the doctrine of Information Superiority, which is a DoD doctrine that focuses on using information in a superior way. While this started as a public sector doctrine, it has application to the private sector, and it is a core component that can help executives execute on their core function – making decisions.
Andrew B. Serwin is the founding chair of the Privacy, Security & Information Management Practice and is a partner in the San Diego/Del Mar and Washington, D.C. offices of Foley & Lardner LLP. Mr. Serwin has handled a number of high-profile privacy and consumer protection matters, including multiple privacy enforcement matters before the Federal Trade Commission and is internationally recognized as one of the leading consumer protection and privacy lawyers.
Mr. Serwin was named to Security Magazine's "25 Most Influential Industry Thought Leaders" for 2009 – he is the only law firm lawyer to ever receive this award, and was ranked second in the 2010 Computerworld survey of top global privacy advisors. He is recognized by Chambers USA as one of the top privacy & data security attorneys nationwide (2009-2012), where he was described by clients as "a tireless worker, holding onto the ever-shifting puzzle pieces of the law in this area in a way that other privacy lawyers cannot," and noted as "an excellent privacy lawyer, a real expert in the field," by Chambers Global 2012. The Legal 500 recognized Mr. Serwin as a Leading Lawyer in data protection and privacy (2010-2012) where clients stated that he "understands business concerns and provides practical, to-the-point advice." He has been Peer Review Rated as AV® Preeminent, the highest performance rating in Martindale-Hubbell's peer review rating system and was selected for inclusion in the San Diego Super Lawyers® lists (2007-2012), including being ranked in the Top 50 lawyers in 2012. Mr. Serwin was also selected by his peers for inclusion in The Best Lawyers in America® in the field of information technology law (2010-2013).
-->
