In the realm of cybersecurity, an important concept for every leader to understand is that of Digital Crown Jewels ('DCJs'). These are your organization's most precious digital assets, consisting of the data you possess, process, and pass on that allows you to deliver on your strategy. This might include customer records, purchasing histories, employee records, finances and intellectual property information about proprietary products and services. DCJs also include an organization's data processing environment (DPE): how data flows through the organization and the processes by which the firm and its agents access and manipulate data. The challenge is this: the list of actors who pose a threat to the integrity of a firm's DPE is long and growing. The authors provide guidelines for protecting your DCJs in three categories: preventable risks, strategic risks and external risks. They end with a warning: act now, because the potential cost of failing to act is far too great.
Who doesn't love a magic trick? When we watch magicians perform, we enjoy being fooled by their manipulations and sleights of hand. But when leaders in our workplaces use the same techniques as magicians to further personal agendas, they engage in a special and unique form of falsity. This can be useful in furthering organizational goals and performance, but it can also lead to frustration, dysfunction, and even the collapse of the organization. Drawing on research on the psychology of magic, we explain how business leaders construct "magical processes" that can be used to mislead and manipulate workers in the same ways that magicians trick their audiences. We propose a typology of magic tricks in organizations and introduce the acronym CARD to summarize the four steps in these processes: concealing, attracting attention, retaining attention, and directing behavior. We describe each step, provide illustrations, and explain how managers and employees might detect and defend against each one. Finally, we identify structural conditions that may make organizations vulnerable to magical processes. We hope to improve readers' ability to detect magic and CARD tricks, and to pierce through to the agendas hidden behind these false facades.
PharmaCo was a large, multinational, integrated pharmaceutical company. Its board of directors was meeting to discuss a possible friendly merger with a complementary competitor and to review a quarterly cybersecurity report. However, before either of these discussions could begin, PharmaCo's chief financial officer interrupted with news that the company's customer database had been encrypted by hackers in a ransomware attack and a ransom of $25,000 in Bitcoin had been demanded. Unfortunately, this was the first in a series of cyber attacks affecting the organization. The board of directors must increasingly deal with a number of issues brought by management and make some critical decisions in overseeing this crisis.
If it hasn't happened yet, it is only a matter of time before your organization has a 'cyber incident'. The FBI estimates that a cyber incident will occur every 14 seconds this year, ranging from minor, accidental disclosures of sensitive information to a major theft of data and other valuable assets by criminals, state-sponsored actors, or terrorists. The authors show that cyber threats are the result of three interrelated characteristics: those who engage in cyber attacks, or the Threat Actors; the value they expect to extract from the Targets they attack; and the 'Attack Vectors' they will use to attack your organization. Understanding how these three elements interact is critical for every modern leader.
In late September 2014, students in the Arnold School of Business (Arnold) full-time MBA program wrote an open-book managerial accounting exam. Immediately after the exam, one of the students, who was also vice-president academic of the Graduate Business Students Association (GBSA), was informed by a classmate that some students accessed the Internet for solutions during the exam. The GBSA representative knew she had to do something but was unsure how to proceed. In part A of the case, the student representative consulted with her colleague, the GBSA president. The two considered four potential courses of action: (1) do nothing; (2) bring the issue to the entire GBSA council; (3) inform the course instructor; or (4) speak directly to the academic chair of the MBA program. In part B of the case, the two student representatives spoke with the academic chair, who explained that without any hard evidence of academic dishonesty, little could be done. The academic chair and GBSA representatives must decide how to resolve the issue when any solution is likely to disappoint some students and cause division, and possibly enmity, among classmates who are just one month into their MBA.