Raytheon CEO Thomas Kennedy is in charge of a $27 billion company with 67,000 employees.
Needless to say, cybersecurity is something he pays attention to—both internally and in the work the defense contractor does for its clients.
Corporate Board Member asked Kennedy to discuss what the board of directors’ role is in creating a cyber-safe workspace. The Raytheon CEO also touched upon the role company culture plays in creating a more secure organization, how his leadership style has evolved and more. Below are excerpts from this email conversation.
What is the CEO’s role in creating a cyber-safe workplace?
The simple truth is that when everything is connected, everything is vulnerable. So CEOs must be the ones setting the tone at the top that securing the enterprise against cyber threats is a top priority. In words and actions, they need to become champions for cybersecurity. And they need to support it with investments, getting the right IT and operations talent in place and empowering managers to implement effective systems, processes and plans.
Companies can gain significant competitive advantage by leveraging new technologies for automation, cloud computing, global supply chains, and networked products and services. But all of these must be secured and monitored—across the entire system of systems, whether an internal tool or a product you sell—from its IT components, to operational technology (OT) hardware and software, to internet of things devices and connected third-party services. The business must manage the associated cybersecurity risks of all of these elements, since the impacts can be severe. There are the very real dangers of business disruption; health and safety impairment; damage to a company’s brand and its public trust; lawsuits and fines; and the loss of critical intellectual property and privacy data.
I like to say that there are two types of companies out there relative to cyber: those that know they’ve been breached, and those that don’t know they’ve been breached. As a result, CEOs need to be proactive. They can’t assume they’re not a target – they are.
How can CEOs best communicate the importance of cybersecurity to their employees?
The challenge for companies is that employees are both the strongest defense and the weakest link relative to cybersecurity.
This risk is called “the insider threat” – and there are two kinds of threats from employees here. There’s the employee deliberately downloading sensitive files or intellectual property to sell or bring with them to a competitor when they leave; and/or sabotaging the OT system. Then, more commonly, there’s the employee who unintentionally falls victim to an external bad actor, such as through a phishing scheme, or who circumvents security controls in a misguided effort to do some work. No matter the intent, there has been a stream of headlines of such actions leading to the critical loss of IP on IT systems, and sabotage against the OT systems of factories, industrial control systems and even hospital equipment.
Getting employees to become part of the solution needs to be communicated through employee education. It's a high-payoff activity, since increased training not only lowers the risk that employees will unknowingly facilitate breaches, but also ensures that when bad things do happen, they know how to respond and minimize the impact. Good training brings to life the dangers of bending rules and how to be alert for malicious insiders.
At my company, IT partners with Communications to get the word out through an employee education initiative we’ve branded RTN Secure. And it’s regularly updated to highlight new vulnerabilities and best practices as the threats evolve.
Cyber-aware employees then become your best line of defense and a critical component of your organization’s cyber resiliency. You have to assume compromise; it’s not if, but when.
What is the board of directors’ role in creating a cyber-safe organization? How can directors help get the message out?
With boards being responsible for ensuring that management is addressing risk at their companies, no risk is rising in importance as quickly as cyber. It must be at the top of their agendas.
It’s an issue they can no longer ignore. I can’t say it enough. The cyber threat is real, maturing and escalating every day. So boards need to educate themselves quickly on the risks and the countermeasures associated with their systems, their products and their industries.
As the risk evolves, so too must board oversight. Shareholders expect boards to fully understand the company's cybersecurity risks and its strategy to mitigate them. As I noted earlier, all systems must be maintained continuously for security – IT systems, OT systems and any connected solutions the company sells.
Directors can get the word out that cyber is critically important by holding senior management accountable. It’s the responsibility of directors to ask senior management hard questions relative to the organization’s cyber posture. For instance, what are the cyber operational risks, and how are they being managed? What are the cybersecurity goals and metrics, and are investments in people and technology being appropriately funded or incentivized? And directors need to insist on regular briefings from the chief information security officer.