If you are a C-suite member of your organization, perhaps the new year is an opportunity to make your company's cybersecurity program a priority at the highest level of the business. After all, January 2020 does provide an extra incentive to make positive changes that could have a lasting impact throughout the year and the new decade.
Cybersecurity has been a part of doing business since the creation of computers. But why is it often overlooked by those in the business suite? Since the information technology (IT) department is expected to understand all things technical, the responsibility for implementing a mature cybersecurity program has been laid on this sector of the company, far away from the CEO’s office or the boardroom.
To be sure, the number of recent data breaches and cyberattacks clearly demonstrates the need for organizations to put a strong cybersecurity program in place. A data breach can cripple a company and be damaging to its customers. And if the company collects, processes, and/or stores data protected under GDPR, HIPAA, PCI DSS, and other data security standards, a successful attack may also open the company to regulatory penalties.
The problem of securing a company against cyber threats is not a simple one. But applying common sense and proactive thought and action into your cybersecurity program can mean the difference between doomsday and just another day at the office.
However, placing the burden of making security decisions entirely on the area responsible for selecting and implementing technology can cause paralysis. To fix this, every organization should put one critical component in place: executive support.
Most of the skill sets necessary for effectively running a business have a long history and are readily understood. Executives understand the importance of traditional business functions such as the need for responsible accounting and the value of selling their product or service.
Cybersecurity doesn’t fit this mold, as it is a relatively new and highly technical field. Many organizations simply haven’t adapted to the fact that cybersecurity expertise is a necessary asset in the modern business’s C-suite.
As we head into the new year, it’s important for business stakeholders to consider why cybersecurity ultimately begins in the C-suite.
Most organizations acknowledge that they will probably be a victim of a cyberattack. However, there is a big difference between acknowledging this fact and being prepared to deal with an attack.
One commonality among most cyberattacks is that they happen quickly. Each moment between the initial infection and the organization’s response dramatically increases the impact and cost of the breach on the business.
As a result, it’s important that the security team responds and takes the proper action as quickly as possible.
However, in many cases, this action may be controversial, like taking certain machines or services offline to contain the breach.
In order to be effective, security teams need to know ahead of time they have the support of the C-suite to act immediately, rather than allow the infection to spread while waiting for approval.
The global cost of cybersecurity is in the trillions of dollars annually. The vast majority is spent on the core products and services necessary to keep the organization and its network secure.
In cybersecurity, cutting corners due to budget constraints leaves the organization insecure. An organization wouldn’t delay buying a lock for the front door due to “budget constraints”; the same mindset is necessary for cybersecurity acquisitions.
An organization’s cybersecurity team needs a C-suite that is supportive and understands the difference between essential and non-essential protections to properly fund the efforts needed.
The primary difference between a mature cybersecurity program and an immature one is whether the security team proactively searches for and addresses potential threats on the network. Waiting for an incident or data breach to reveal the presence of an attacker on the network is easier, but it also means that the team is responding too late to be effective.
The effectiveness of threat hunting can’t be evaluated with traditional measures of return on investment (ROI). A good threat hunting team spends long hours and (hopefully) has little or nothing to show for it.
An understanding of the value of the mundane when it comes to cybersecurity can be invaluable in the C-suite’s support for activities that move the organization to a more secure posture.
Hackers are increasingly targeting the end-user with phishing and similar attacks since they’re often a softer target than software. If an employee uses the same password for their business accounts as a service involved in a data breach or plugs an untrusted USB drive into their company computer, the security team’s job becomes exponentially harder.
While the IS (information security) department is typically held responsible after a cyber incident or data breach, there is only so much that the team can do. Correcting this issue requires enterprise-wide policies, procedures, and training to help reduce the organization’s human threat surface.
The leadership of your enterprise is responsible for creating a corporate culture that takes cybersecurity seriously, involves human resources, emphasizes training, and does not discourage employees from reporting falling victim to phishing or social engineering out of fear of punishment.
It is the responsibility of the C-suite to put these programs in place and visibly champion them to increase employee engagement.
The importance of support in the C-suite cannot be overstated. In many aspects of an organization’s cybersecurity strategy, the support of executives for the actions of the security team can mean the difference between a costly data breach and a non-event.
As the number and impact of data breaches increase, the importance of cybersecurity in the C-suite will only grow.
If you're ready to discuss making cybersecurity a priority for your organization, reach out to begin the conversation.