James Goepel is the General Counsel (GC) and Chief Technology Officer for ClearArmor Corporation, and a member of the company’s Board of Directors. As GC, he advises the company on a wide range of legal issues, and leads negotiations with ClearArmor’s customers and strategic partners. As the CTO, he is heavily involved in the design of the company’s main product, leads the international development team’s efforts to bring products to market, identifies and recruits partners, and creates the licensing and financial terms under which the company conducts business.
Goepel is also the company’s representative to the NIST National CyberSecurity Center of Excellence, and a participant in the Center for Internet Security’s efforts to update their top 20 security controls. He regularly speaks at domestic and international conferences on a variety of topics, including cybersecurity, intellectual property law and commercial and government contracts. In addition to his legal background, Goepel gained practical security and technology experience working in a variety of roles for large corporations, start-ups and Congress before attending law school.
Christopher P. Skroupa: Where does the cyber governance landscape need to shift to, and how can that point be reached?
James Goepel: In my experience, most organizations relegate cyber governance to the I.T. staff because their leadership sees cyber security as a technology issue. These leaders fail to appreciate that a cyber security incident can have a profound impact on the organization’s bottom line. From substantial fines and penalties imposed by regulations like Europe’s GDPR, which amount to 4 percent of an organization’s global revenue, to the cost of remediation, data breach notifications, lost business, loss of brand reputation and lost intellectual property, a single cyber security incident can quickly force an organization out of business.
We need a cultural shift to a point where organizations finally treat cyber security risks as a business issue and govern cyber security with the same level of leadership engagement as financial risks. The leaders’ participation is critical, because only the leadership has the knowledge and visibility to define the organization’s budgets, priorities and, ultimately, its risk tolerance. This leadership-driven, business-focused approach to cyber governance is essential to creating robust, sustainable cyber security.
I have met some CEOs and Directors who are resistant to making these cultural changes, because they find the thought of tackling cyber governance to be overwhelming. As we speak more, it is clear they know their organization needs a structured cyber security plan, but they don’t know where to start. Thankfully, the United States National Institute of Standards and Technology (NIST) created a standard framework that provides a structured approach to creating a cyber security plan. With true NIST Cyber Security Framework (NIST CSF) alignment, these leaders can effectively govern cyber security, and their I.T. departments have a better understanding of the organization’s business priorities, including its risk tolerance.
Skroupa: To what extent can the disconnect between leadership and I.T. impact cyber governance and security?
Goepel: The organization’s business priorities shift all the time, and these shifting priorities need to be reflected in the organization’s approach to cyber governance. If there is a disconnect between leadership and the I.T. department, the best the I.T. department can do is to guess at how it should address problems. Let’s take an example right out of the headlines: A technology organization that is crippled by ransomware which simultaneously takes down all of its servers.