Updated: Mar 1, 2019
When I am at a conference and asked what I do, and I start talking about what my company does, I often get the “deer in the headlights” gaze.
One of my biggest business challenges is explaining what cybersecurity and data privacy compliance is to executives and why it is important to their businesses.
Often the C-level has a rudimentary understanding of cybersecurity. They hear about data breaches in the news and hear the word cybersecurity a lot. Often the executives tell me their IT departments have “this handled.” Then I ask more probing questions about their cybersecurity policies or their incident response process or when they last did a security audit check and that is when the executive visibly gets uncomfortable. And I know why. It’s because their organization does not have cybersecurity handled.
In his CIO Review article “Why the C-Suite Must Embrace Cybersecurity,” Chris Riley, President of U.S. Operations, SSH Communications Security, writes:
“It is a potentially disastrous mistake for executives with non-technical backgrounds to simply assign responsibility for cybersecurity to the chief security officer, chief information security officer or IT team. C-suite executives might see the iceberg ahead, but do they really understand the size of the problem below the surface?”
Because executives lack an understanding of cybersecurity, they defer to their IT staff. Often executives and operations management have the misconception that their IT staff are also cybersecurity experts, which leaves many companies and their customers exposed to everyday security threats. This vulnerability can be costly.
Riley further states, “As we have seen in recent headlines, a particularly bad public data breach can ruin a CEO’s career. As enterprises and government agencies are required to follow NIST and other cybersecurity guidelines, more than just the CEO will be targeted for replacement.”
Executives need to know that whether their companies have no cybersecurity measures in place or some, it is not a matter of if their company gets hacked – but when and to what extent. This is the new norm in cybersecurity, and it should change how the organization approaches cybersecurity risk management.
In addition, C-level executives need to be aware of how their organizations’ security measures affect the flow of business. One challenge for every organization is linking business operations to IT functions.
Writing in BizTech Magazine about a recent conference, CDW Protect SummIT, held February 25-26 in Phoenix, editor Phil Goldstein says the key takeaway from the conference is that if organizations want to stay ahead of, or at least not fall too far behind, cybersecurity threats, they must think differently about cybersecurity.
Goldstein notes that Keren Elazari, a renowned cybersecurity analyst, author and researcher, says: “Things will happen… How you react to those things determines not just your job at the company but your company’s future as well.”
In addition, Goldstein writes about some important points made by Alyssa Miller, CDW Information Security Solutions Practice:
Organizations must instead take a data-centric approach to security that protects their critical assets. These assets are not necessarily technology… but things like customer data, financial assets, trade secrets, key personnel and critical services.
We need to start thinking about these assets in terms of the business… We also need to come up with a better understanding of what business threats we face. Those include attacks like fraud, theft, exposed data and attacks that interrupt the business.
Organizations should invest in threat hunting and security assessment capabilities… Application security assessments should be ongoing… She compared it to maintenance someone might do on a car on a regular basis. If we do our preventative maintenance, it helps defend against that more expensive repair down the road.
Additionally, organizations need to prioritize their defenses and build from their critical assets outward with alternating layers of prevention and mitigation solutions. Start at the thing your business holds most dear.
Doing so allows IT leaders to build a very, very compelling business case for cybersecurity investments. If they go into a CEO’s office or a board room and make the argument that security investments protect a critical part of the business, they are likely going to be taken seriously.
An organization’s cybersecurity program should never be considered a one-time solution.
Organizations need to conduct audits annually, or more often, and continuously revisit their cybersecurity program and policies. It is important to make modifications that take into account the latest threats and attack strategies and the continuous updates in data privacy regulation requirements. The cybersecurity program plan will be a “living document” that changes and adjusts as needed.
When the C-suite understands that a data breach or other cyber incident will occur in their company, this will be the catalyst for them to approach cybersecurity from the top level down and to develop, with the right experts and staff, a comprehensive cybersecurity program.
This is why I will continue to discuss with and educate the C-suite on the criticality of cybersecurity and help them be proactive in their organization’s cybersecurity and data compliance initiatives.
Christine Baird is the CEO of Clarus Tech Partners, a New York and California based technology company. She and her team of IT, legal, cybersecurity, and compliance experts advise on and implement cybersecurity and data privacy compliance solutions. Read Christine Baird’s article about how to develop a cybersecurity program for your organization.