CyberSecurity and the CEO: Driving Accountability and Mitigating Risk
Cybersecurity has come a long way from the days it remained exclusively in the hands of the IT department.
As cyber criminals and their methods have become more sophisticated, and as advances in technology have reshaped the threat landscape, responsibility for cybersecurity has shifted. But in an era of massive, high-profile hacks and data breaches, cybersecurity is about more than getting different stakeholders in the business involved. Below, Robin Ferris, solutions architect at Pulsant, explains.
Increasingly, it is about the C-level taking a wider interest and being held accountable when something goes wrong.
In today’s modern enterprise, cybersecurity is an organisation-wide commitment – ultimately cybersecurity is everyone’s business, but accountability has to start at the top.
It starts at the top
Getting all staff to buy in to good cybersecurity practices is critical. Education plays a role in giving every employee an understanding of the threats, of why a strategy matters and of what best practice looks like; for the C-level, it is also about leading by example.
It’s important for staff to know why cybersecurity best practices are critical and what the potential consequences are, but if there is no visible management support, are employees really motivated to comply?
If security initiatives are driven and supported from the top down, employees will take them more seriously. As more and more CEOs and C-level executives are being held accountable for cybersecurity failures, ensuring employee engagement is a critical building block for enabling success.
So how do you create a cyber-committed and engaged CEO and C-suite? And what does ‘accountability’ really mean?
Making cybersecurity work
It comes down to three elements: the role of the CISO, creating a cybersecurity culture and making cybersecurity integral to the organisation’s future direction.
Each member of the board is already tasked with many things that influence the health of the business, including addressing risk and being accountable to shareholders. The CISO therefore needs to help the board keep its focus on the cyber threat by translating it into business terms. This ensures the board becomes more involved, understands the threats, and is proactive in assigning budget and resources and in developing IT security plans. It is an important area for the C-level to master: a greater understanding leads to closer involvement in developing more effective cybersecurity strategies, which in turn improves the organisation's ability to mitigate cyber risk, a key area of accountability.
The CISO should also work with the board to ensure the organisation's risk management framework is aligned to a recognised industry framework such as Cyber Essentials or the NIST Cybersecurity Framework. In the same way, mapping cyber threats and their impact onto the organisation's overall strategy (looking at the threats, how they are evolving and what impact they will have on each line of business) makes the issue easier to understand and to convey to all staff.
There is also a significant amount of collaboration necessary, which has to be driven from the top. Collaboration between security partners, IT managers and CISOs; collaboration between CISOs and the rest of the C-suite; and collaboration between all staff to ensure best practices are being followed.
This collaboration between all parties is also key to embedding a security culture that becomes second nature to every employee, and it helps ensure a high level of preparedness and responsiveness. Again, this ties back to accountability. The C-level needs to take responsibility for understanding what is required and for ensuring the right checks and controls are in place to mitigate the risk posed by the cyber threat.
Cybersecurity is an ongoing process. It’s a cyclical process that sees organisations constantly updating, evaluating and optimising their strategies in line with the changing threat landscape. Importantly, it’s about making sure you have the right processes and practices in place to mitigate the risk and minimise the impact of an attack.
And the best way of getting staff to engage with a security policy is to ensure the C-level is driving home the importance of security and best practice. Once this level of accountability is achieved, a business's security strategy becomes more robust and the culture of safety and protection becomes innate to the entire company, not just the IT manager.