Cyber Security Requires Strong CEO Leadership
The procession of cyber attacks marches on, leaving a trail of shutdowns, outages and damaged reputations in its path. In order to build resilient organisations and systems that can defend against and withstand the onslaught of cyber attacks, we need our most experienced and empowered leaders to show up, dig in and persist. Cyber security is a job for everyone, and it starts with the leadership of the CEO.
The Board’s Role in Cyber Security
In the typical enterprise, the CEO sits atop a pyramid of executives, managers, teams and processes. In the digital era, every part of this hierarchy relies on, interacts with, and supports the bottom line using cyber systems. Networks, computing and data are the lifeblood of virtually every modern organisation. If you aren’t paying attention to cyber security, you aren’t engaged in the core operations you are tasked with directing. CEOs own the big picture. Without visibility into cyber risk and resilience, you are steering blind.
Everyone says the CEO should be more engaged in cyber security, but what does that mean? For starters, it means requesting and receiving regular security briefings – and finding a way to ensure that you understand them. It means taking to heart that you are responsible for overseeing data breach prevention. It means that you must passionately and continuously lead the charge to create a culture of security throughout your entire organisation. You have to lead by example, and by constantly communicating and showing that cyber security best practices are a top priority. One of the core tenets of modern corporate responsibility is protecting the privacy and integrity of customers’ data — does everyone in your organisation fundamentally “get” that? If not, figure out how to cultivate that as a company-wide value.
Finally, and most importantly, CEOs can engage by working actively and collaboratively with their senior executives – not just the CIO and CSO, but the entire C-suite and beyond – to make sure they are all working together, strategically and tactically, on cyber security and risk management programs.
Covering all the bases—defence, risk management, prevention, detection, remediation, and incident response—is more feasible when leaders contribute from their expertise and use their unique vantage point to help set priorities and keep security efforts aligned with business objectives. Board directors can provide more meaningful oversight if they understand the distinct role of each executive, how these roles are changing in the digital era, and where breaking down barriers and forging new paths could transform the enterprise response to both cyber challenge and opportunity.
The Ever-Evolving Role of the C-Suite
Over the past decade or so, the roles of the C-suite have undergone significant transformation. Executives have more responsibilities, and business moves at a faster pace. Adding to the heat, public scrutiny of business leaders is at an all-time high, in part due to massive hacks and data breaches. It has become increasingly clear that in the event of a breach, the hacked organisation will be blamed and held accountable. That means everyone in the C-suite is potentially on trial.
The good news is that executives are paying more attention to the security measures protecting their organisation’s assets, data, employees, and customers. The cautionary tales, doomsday scenarios, and the spectre of public humiliation have made an impact. Executive awareness is expanding to meet the threats, but building a solid line of defence requires fostering a culture of accountability from the top and making sure the message reaches the edges of the enterprise and everywhere in between. Strong policies should be backed up by automated controls and management enforcement.
Moreover, there is evidence that CEOs are starting to grasp the concept that cyber security investment is a driver for business and innovation; on the flip side, consumer surveys indicate that a company’s transparency about cyber security protections is increasingly a determinant in customer loyalty and purchase decisions. It follows that cyber security and risk management investments can be strategically aligned to business goals and revenue generation. The Board, with its big picture view, should help guide these investments with an eye to the future. This is what it means to channel disruption.
Close the Gap Between Awareness and Action
Business leaders easily recognise the enormous benefits of cyberspace—innovation, productivity, and engagement with customers. It is much more difficult to assess the risks versus the rewards, and then act from that understanding. Leading the enterprise to a position of readiness, resilience and responsiveness is the surest way to secure assets and protect customers, partners and employees.
In preparation for making your organisation more cyber resilient, here is a short list of next steps that I believe businesses should implement to better prepare themselves:
- Focus on the Basics
- Include Both People and Technology
- Prepare for the Future
- Be Ready to Support New Business Initiatives
- Align Security with Risk Management
- Change Your Thinking About Cyber Threats
- Think Risk and Resilience
- Re-assess the Risks to Your Organisation and its Information from the Inside Out
- Revise Information Security Arrangements
- Collaborate and Share Intelligence
Now is the time for CEOs to step up and bridge the gap between awareness and action. Organisations that sow and fertilise a deeply rooted culture of security and accountability from the top down will be able to withstand the persistent, dynamic nature of cyber threats. Engaged CEOs make better decisions about how to align business and security objectives to manage risk, protect brand reputation, and respond effectively to incidents. In the end, companies that prioritise well-equipped security programs and widespread security awareness are more prepared to grow, innovate, and compete.
About the Author
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. He has been ranked as one of the top 10 individuals shaping the way that organisations and leaders approach information security careers.