應(yīng)對(duì)黑客攻擊從MBA抓起

When Nuno Sebastião enrolled on the London Business School MBA programme, he looked beyond the traditional careers of consultancy and investment banking. In fact, he decided to fight hackers instead.

當(dāng)努諾•塞巴斯蒂昂(Nuno Sebastião)就讀倫敦商學(xué)院(LBS) MBA課程時(shí)，他的目光超越了咨詢和投行等傳統(tǒng)職業(yè)。實(shí)際上，他決定對(duì)抗黑客。

This was not for purely ideological reasons. Having witnessed hacking attacks on computer networks at his former employer, the European Space Agency, his MBA training enabled him to spot a lucrative niche for somebody with business and communication skills to enter the technical field of cyber security.

這并非出于純粹的意識(shí)形態(tài)原因。他在前雇主歐洲航天局(European Space Agency)那里目睹過(guò)針對(duì)電腦網(wǎng)絡(luò)的黑客攻擊，他的MBA培訓(xùn)讓他得以發(fā)現(xiàn)一個(gè)有利可圖的利基市場(chǎng)：讓具備商業(yè)和溝通技能的人進(jìn)軍網(wǎng)絡(luò)安全這個(gè)技術(shù)領(lǐng)域。

“It was clear to me [even] in 2009 that there was an issue here that needed to be addressed,” he says.

他表示：“(甚至)在2009年，對(duì)我來(lái)說(shuō)，這里顯然有一個(gè)問(wèn)題需要解決。”

After graduation he set up Feedzai, a company that identifies fraudulent payment transactions, with two fellow engineers from his native Portugal. “I was the one who identified the business problem,” he says. His California-based company has 150 employees, with plans to grow to 300 this year.

畢業(yè)后，他創(chuàng)建了識(shí)別欺詐支付交易的公司Feedzai，合作者是和他一樣來(lái)自葡萄牙的兩位工程師。他表示：“我的任務(wù)是識(shí)別商業(yè)問(wèn)題。”他的公司總部位于美國(guó)加州，擁有150名員工，今年計(jì)劃增至300人。

Mr Sebastião is far from the only MBA candidate or graduate to have spotted an opportunity in cyber crime. Many are becoming interested in picking up skills that leaders of the future will need to fight hacking crises, while a clutch of schools have added cyber security content to their MBA courses.

塞巴斯蒂昂遠(yuǎn)非唯一在網(wǎng)絡(luò)犯罪領(lǐng)域發(fā)現(xiàn)機(jī)會(huì)的MBA學(xué)員或畢業(yè)生。很多人正變得有興趣掌握未來(lái)領(lǐng)導(dǎo)者抗擊黑客危機(jī)所需的技能，一些學(xué)院把網(wǎng)絡(luò)安全內(nèi)容納入他們的MBA課程。

The shortage of cyber security experts at a technical level is acknowledged. A less well-known problem, however, is a corresponding lack of management executives who possess the technical know-how to deal with hacks.

人們認(rèn)識(shí)到，現(xiàn)在缺乏技術(shù)層面的網(wǎng)絡(luò)安全專家。然而，一個(gè)不那么為人所知的問(wèn)題是，還缺乏擁有技術(shù)知識(shí)、能夠?qū)Ω逗诳凸舻墓芾韺痈吖堋?/p>

“When companies hire cyber security people they are very strong in the technical skills but they miss the soft skills and the business acumen,” says Gianluca D’Antonio, chief information officer of Spanish construction and services company FCC Group and chair of the Spanish Association for the Advancement of Information Security.

西班牙建筑和服務(wù)公司FCC Group首席信息官、西班牙信息安全促進(jìn)協(xié)會(huì)(Spanish Association for the Advancement of Information Security)主席詹盧卡•丹東尼奧(Gianluca D’Antonio)表示：“在公司聘用網(wǎng)絡(luò)安全員工時(shí)，他們的技術(shù)能力很強(qiáng)，但缺乏軟技能和商業(yè)智慧。”

He says that the people who are working in cyber security are not able to communicate the risk to the board. “It’s about communications, it’s about management. Everybody now is talking about the incredible digital future but nobody is talking in a proper way about the digital risk.”

他表示，那些在網(wǎng)絡(luò)安全領(lǐng)域工作的人們無(wú)法向董事會(huì)介紹相關(guān)的風(fēng)險(xiǎn)。“這關(guān)乎溝通，關(guān)乎管理。大家都在談?wù)摬豢伤甲h的數(shù)字未來(lái)，但沒(méi)有人恰當(dāng)?shù)赜懻摂?shù)字風(fēng)險(xiǎn)。”

Hack to the future

防范未來(lái)的黑客攻擊

At IE Business School in Madrid, José Esteves, a professor of information systems, teaches a digital innovation class to MBAs during which he hacks into the accounts of his own students to show them how easy it is. IE is also launching a cyber security masters degree in October for future business leaders.

位于馬德里的西班牙企業(yè)學(xué)院(IE Business School)信息系統(tǒng)教授約瑟夫•埃斯特韋斯(José Esteves)向MBA學(xué)員教授數(shù)字創(chuàng)新課程，他在課堂上侵入學(xué)生的賬號(hào)，向他們演示這有多么容易。今年10月，該商學(xué)院還將為未來(lái)的企業(yè)領(lǐng)導(dǎo)者推出網(wǎng)絡(luò)安全碩士學(xué)位課程。

Meanwhile, Iese Business School in Barcelona has brought in Deloitte to help provide sessions on cyber security in one of its MBA electives.

與此同時(shí)，位于巴塞羅那的IESE商學(xué)院(Iese Business School)邀請(qǐng)德勤(Deloitte)幫助在MBA選修科目之一提供網(wǎng)絡(luò)安全課程。

“It [cyber security] is not something you can delegate, it’s about the security and the reputation of the company,” says Javier Zamora, a senior lecturer in information systems at Iese.

IESE商學(xué)院信息系統(tǒng)高級(jí)講師哈維爾•薩莫拉(Javier Zamora)表示：“(網(wǎng)絡(luò)安全)無(wú)法委托，它關(guān)乎公司安全和聲譽(yù)。”

Even the most secure networks are vulnerable to cyber attacks, as data breaches at Yahoo and Sony showed. Attacks by hackers cost global businesses $280bn in 2016, according to consultancy Grant Thornton, which cites reputational damage as the major risk corporations face.

就連最安全的網(wǎng)絡(luò)在網(wǎng)絡(luò)攻擊面前也很脆弱，就像雅虎(Yahoo)和索尼(Sony)數(shù)據(jù)泄露事件所顯示的那樣。根據(jù)咨詢公司均富(Grant Thornton)的估算，2016年，黑客攻擊導(dǎo)致全球企業(yè)損失2800億美元，該公司把聲譽(yù)損害列為公司面臨的主要風(fēng)險(xiǎn)。

The high-level ramifications of cyber attacks mean they have to be addressed by executives who steer corporate strategy, instead of being left to the techies, says Stuart Madnick, professor of IT and engineering systems at MIT Sloan School of Management.

麻省理工斯隆管理學(xué)院(MIT Sloan School of Management) IT和工程系統(tǒng)教授斯圖爾特•馬德尼克(Stuart Madnick)表示，網(wǎng)絡(luò)攻擊的高層次后果意味著，它們必須由指導(dǎo)公司戰(zhàn)略的高管負(fù)責(zé)應(yīng)對(duì)，而不是留給技術(shù)人員。

Mr Madnick, who teaches cyber security on the school’s MBA course, says dealing with hacks takes extremely nimble management thinking because they can be less predictable than natural disasters.

馬德尼克在該學(xué)院的MBA課程中教授網(wǎng)絡(luò)安全，他表示，應(yīng)對(duì)黑客需要極為靈活的管理思維，因?yàn)楹诳凸艨赡鼙茸匀粸?zāi)難更加不可預(yù)測(cè)。

“A hurricane doesn’t change direction because you know it’s coming, but cyber attackers can.”

“颶風(fēng)不會(huì)因?yàn)槟阒浪鼈円獊?lái)而改變方向，但網(wǎng)絡(luò)攻擊者可以。”

A big part of the problem for managers is the complexity of dealing with such issues, says David Upton, professor of operations management at Oxford’s Saïd Business School.

牛津大學(xué)(Oxford)薩伊德商學(xué)院(Saïd Business School)運(yùn)營(yíng)管理教授戴維•厄普頓(David Upton)表示，對(duì)于管理者而言，很大一部分問(wèn)題在于這類問(wèn)題在應(yīng)對(duì)上的復(fù)雜性。

Cyber attacks encompass everything from state-sponsored espionage to petty criminal acts for financial gain, he adds.

他補(bǔ)充稱，網(wǎng)絡(luò)攻擊包括各種行為，從政府支持的間諜活動(dòng)，到旨在獲得金錢好處的瑣碎犯罪行為。

But defending against a catastrophic negative event is also “inherently unsexy” for many business leaders, he adds. “Managers’ eyes tend to glaze over when you mention it.”

然而，他補(bǔ)充稱，對(duì)于很多企業(yè)領(lǐng)袖而言，防范災(zāi)難性負(fù)面事件“從根本上說(shuō)是沒(méi)有吸引力的”。“在你提到這個(gè)問(wèn)題時(shí)，管理者往往神情茫然。”

Nevertheless, he says, the risk must be addressed at board level and include all corporate departments.

然而，他表示，這種風(fēng)險(xiǎn)必須在董事會(huì)層面得到應(yīng)對(duì)，并包括所有公司部門。

A job for the board

董事會(huì)的職責(zé)

Prof Upton has helped design a board-level executive course and teaches a compulsory course on Saïd’s MBA. “There is a whole global industry that is at work on this and we have managers that are asleep at the wheel,” he says.

厄普頓教授幫助設(shè)計(jì)了董事會(huì)層面的高管課程，并在薩伊德商學(xué)院MBA課程中執(zhí)教一門必修課程。他說(shuō)：“有一個(gè)全球性行業(yè)正致力于此，而我們有些管理者卻在昏睡。”

Iese’s Prof Zamora also believes cyber security issues will permeate every aspect of a business, as technology spreads, from HR to insurance risk.

IESE商學(xué)院的薩莫拉教授還認(rèn)為，隨著技術(shù)的傳播，網(wǎng)絡(luò)安全問(wèn)題將滲透到一家公司的方方面面，從人力資源到保險(xiǎn)風(fēng)險(xiǎn)。

Security is often an afterthought, with speed to push the latest gadgets to market taking precedence. “Whenever you design a product or a service you have to build in cyber security from the beginning,” says Prof Zamora. “It’s an integral part of the design issue.”

目前，安全往往淪為一個(gè)事后的想法，將最新產(chǎn)品推向市場(chǎng)的速度變成優(yōu)先任務(wù)。“每當(dāng)你設(shè)計(jì)產(chǎn)品或服務(wù)，一開始就必須構(gòu)建網(wǎng)絡(luò)安全，”教授表示，“這是設(shè)計(jì)方面不可或缺的一部分。”

At Harvard Business School, associate professor Ben Edelman defends his fellow academics’ reluctance to engage with these problems, because the technical aspects are at odds with a general management approach. But it has not stopped him. “I thought these were really important issues and jumped right in with two feet,” he says.

在哈佛商學(xué)院(Harvard Business School)，副教授本•埃德爾曼(Ben Edelman)為學(xué)者們不愿討論這些問(wèn)題做出辯護(hù)，因?yàn)榧夹g(shù)層面與總體管理策略格格不入。但這并未阻止他。他表示：“我認(rèn)為這些問(wèn)題確實(shí)很重要，于是全身心投入了。”

In Mr Edelman’s teaching he presents a hypothetical case in which a company’s systems are hacked and the students have to decide how the manager should respond. The case goes to a core ethical issue: should the manager close the company network to prevent further hacking or hope to tackle it behind the scenes without informing customers.

在埃德爾曼的授課中，他提出了一個(gè)假想案例，一家公司的系統(tǒng)遭到黑客攻擊，學(xué)生們不得不就管理者應(yīng)該如何回應(yīng)做出決定。這個(gè)案例涉及到一個(gè)核心的道德問(wèn)題：管理者是應(yīng)該關(guān)閉公司網(wǎng)絡(luò)阻止進(jìn)一步入侵，還是希望在不告知客戶的情況下在幕后解決?

“Obviously these are difficult questions but that doesn’t mean we shouldn’t tackle these issues,” says Prof Edelman.

埃德爾曼教授表示：“顯然，這些問(wèn)題回答起來(lái)很難，但這并不意味著我們不應(yīng)解決。”

Mr Sebastião likens the situation to the run-up to the 2008 financial crisis. “No one was interested and then the whole world came crashing down and then all sorts of mechanisms were put in place to prevent it happening again. It is exactly the same in cyber security.”

塞巴斯蒂昂將這種情況比作2008年金融危機(jī)之前。“沒(méi)有人感興趣，接著整個(gè)世界坍塌了，后來(lái)人們?cè)O(shè)立了各種機(jī)制以防范危機(jī)再次爆發(fā)。這與網(wǎng)絡(luò)安全一模一樣。”