CEO Today Magazine May 2019 Edition

Governance, Accountability and Ownership of Cybersecurity

By Peter Matthews, CEO of Metro Communications

In businesses, large and small, cyber anxiety is reaching epidemic levels. With crippling breaches, damaging fines, internal and external threats and careers on the line, CEOs need to champion effective cyber leadership. But what exactly does that look like?

The short answer is that cyber leadership looks like teamwork and feels like a culture of awareness and shared responsibility that travels right to the end of the organisational chart and back again. But short answers tend to disguise layers of knotty complexity.

Questions about who ‘owns’ cybersecurity are alive and kicking. We know the issue needs to be owned by the CEO and board of directors because they’re most likely to be sacked or fined if their company’s acts or omissions lead to a costly cyber incident. IT directors need to own it because they are responsible for procuring clever bits of tech. And given the role of employees in accidental or deliberate data leakage, HR must own their bit of the cybersecurity jigsaw too.

If that’s not complicated enough, we blur terms such as leadership, ownership, responsibility and accountability. And power-play between IT directors, data security managers, heads of HR and others leads to a fight for budget and a flight from responsibility that potentially constitutes a cyber risk in itself. So how can CEOs determine the best way forward?

Governance, accountability and ownership

Effective cyber governance is about:

• strategy and vision
• policies, procedures, structures and systems
• culture
• allocation of resources, and
• monitoring and managing risk

This process often starts with an audit of sensitive information: where it’s stored and how it can be protected, who has access and how that access is controlled, what third parties share the data and how it travels from A to B.

What’s often overlooked is the CEO’s role in supporting the board to take ownership of cyber resilience. This is absolutely essential in order to create an innate, positive and consistent data security culture. A board toolkit, published by the UK’s National Cyber Security Centre (NCSC), helps company directors to prioritise, resource, manage and review risks. Another excellent resource
