As a CEO, it is your duty to grow your business and protect it from anything that could hinder its achievements and progress. Cybersecurity is no exception. It is time for CEOs to take the reins on cybersecurity, not only for the well-being of their organizations, but also for themselves. A Gartner analysis of security breaches reported over a five-year period shows that CEOs are increasingly blamed and punished as a result of cybersecurity-related events — even more so than IT executives. The consequences include dismissal, resignation or loss of significant compensation.
The risk component of cybersecurity makes it a top priority among business objectives, and it should no longer be left solely in the hands of IT. It should be a combined effort with IT, led by the CEO. If the effort is handled solely by IT, a cultural disconnect can develop within the organization, which leads to poor investment decisions. The problem most IT personnel face is best described by Gartner VP Paul Proctor, who stated, “They treat you like wizards. They give you some money, you cast some spells, the organization is protected, and if something goes wrong, you must be to blame.” CEOs cannot continue to remove themselves from cybersecurity decisions.
The other problem caused by CEOs disconnecting themselves from cybersecurity decisions is that “check-box” cybersecurity becomes the default norm. Companies need to realize that doing the bare minimum to address cybersecurity concerns is essentially a guarantee of future failure. With minimal budgets and this mindset, there is a greater focus on meeting a regulator’s approval than on doing what’s best for the company’s well-being. While a check-box mentality helps you address the well-known threats that regulators know about, it leaves you vulnerable to zero-day threats and new attack methods. Such a strategy also lacks a clear focus on the resilience organizations need to keep operating effectively while under attack. Hence, when a data breach does occur, CEOs will face the consequences of their negligence.
Leadership is critical for effective cybersecurity because a positive cybersecurity culture must come from the top down. A CEO must make it clear that every employee shares responsibility for handling email carefully, responding appropriately when encountering suspicious links, and creating strong passwords. Most importantly, CEOs need to take seriously the real risk a major breach would pose to their organizations. This means doing more than giving IT a budget constraint and expecting them to work magic. CEOs should work with IT to institute a detailed plan that outlines processes and responsibilities for major incidents.
These goals can be achieved by establishing a proactive cybersecurity strategy with goals, objectives, and defined responsibilities. Need some help getting on track? Join us July 25 at 2pm for a 30-minute webinar. In this webinar, we will introduce a simple four-step process to analyze and implement the NIST Cyber Security Framework into your current program. We want to help establish a shared cybersecurity effort for you and your management team. Click the button below to sign up for the live or on-demand version.