The Cyber CEO: Security and Resilience in the Digital Age


CEOs are in the spotlight and constantly under fire. From the outcry over wage inequities to massive breaches of customer data and trust, public scrutiny of the C-suite is at an all-time high. On top of every other demand on their time and attention, CEOs now have to make sure they are not hung out to dry by attackers.

Senior executives at businesses of all sizes understand that the global economy is still not adequately protected against cyber-attacks, despite years of effort and annual spending in the multi-billion dollar range. A recent survey of 200 large US companies found a remarkable lack of confidence about cyber security and risk management at the highest levels of the enterprise: a full third of C-level executives are not confident their board can make the right IT security decisions.

CEOs are constantly barraged with information and reports urging them to consider various elements of cyber security risk, and it is hard to sort through it all and distill the implications for their own organizations. In today's global, digitized business climate, every CEO needs a thorough understanding of threats and risks, and of the urgency of properly assessing and responding to incidents, both past and potential. Without that understanding, and the ability to communicate it at every level of the organization, strategic risk analyses and the decisions that flow from them may be flawed, gambling far more than intended.

Reputation and Public Perception

With the threat landscape changing in speed and complexity on a daily basis, we see all too many businesses sustain serious reputational and financial damage, some of them left in ruins. CEOs need to be fully prepared for these ever-emerging challenges; as the current security mantra goes, it is not a question of IF but WHEN a breach will happen. It may seem obvious, but the faster you can respond to an attack on your reputation, the better the outcome will be. When it comes to quick and effective incident response, however, hustle is not enough. Organizations must deliberately build resilience into their cyber security efforts through analysis, training, planning, and testing across the enterprise, with the CEO leading the way, banner held high.

Attackers are more organized, attacks more sophisticated, and threats more dangerous than ever before. The fallout from recent data breaches highlights global interconnectedness: critical infrastructure, supply chains, and the Internet of Things all make us simultaneously more powerful and more vulnerable. Cybercriminals and hacktivists see opportunity in the trust relationships that suppliers, partners, and customers depend on. A big, shiny brand reputation makes a rich target indeed.

CEOs should lead collaboration and security awareness across their enterprises and throughout the supply chain; partners and vendors have to work together to keep both their shared ecosystem and their individual reputations secure. After all, cybercrime organizations are highly collaborative themselves: their chiefs run criminal enterprises that mirror legitimate businesses, right down to the org charts and HR functions.

Security as a Social Norm

So-called insider threats remain the most prevalent cyber attack vector; by one widely cited figure, 55% of all attacks are carried out by malicious insiders or inadvertent actors. Accordingly, the 'people' component of the 'people, process, and technology' approach to cyber security is frequently singled out as the most challenging. Organizations continue to invest heavily in a front line of defense built on security awareness training and policies for secure use and access. Yet under closer scrutiny, many training programs have been found to be ineffective, and therefore a waste of time and money.

Today's CEOs often demand return-on-investment forecasts for the projects they have to choose between, and awareness and training are no exception. Evaluating and demonstrating their value is becoming a business imperative. Unfortunately, there is no single process or method for bringing about information security behavior change, because organizations vary so widely in their demographics, their previous experiences and achievements, and their goals.

I would argue that it is time to place greater emphasis on embedded behavior programs than on traditional security awareness training. Thanks to headline-making breaches, most employees are already aware of cyber security threats, but awareness alone does not produce behavior change. To meet the demand for more effective people-focused security programs, not to mention regulator and stakeholder demands for stronger governance, your enterprise should look to successful behavior modification campaigns such as those for worker safety on job sites and for seat belt and helmet use, where safety habits have become culturally ingrained as a social norm.

To achieve optimal levels of security and resilience, cyber hygiene practices have to become daily, habitual behavior, and being a champion and defender of cyber security has to rise to the level of a social norm across the enterprise. The CEO should lead the charge, building momentum for enterprise-wide behavioral change by backing effective programs and inspiring employees to do their part, day in and day out. Look for innovative approaches that encourage and reward changes in employee behavior and attitude.

For example, tie security training to an exciting fundraising campaign or a competition that inspires teamwork. Build in gentle but consistent nudges and countdowns that remind your network users to think again or make the right choice. Gamification makes training more engaging and competitive: teach a concept, then put employees into game scenarios where they apply it and 'play' against each other in friendly competition. Companies such as Security Mentor recently expanded their gamification features so that employees can earn rewards and compete as groups. Updates like this improve the overall user experience and drive greater participation and engagement.

It is worth noting that damage to brand reputation in the aftermath of a breach deepens when the public perceives (or evidence exists) that leadership was dismissive or negligent regarding security concerns, as was purported to be the case at both Target and Home Depot. A CEO known for clear and consistent security evangelism, and for material support of proactive measures, lends credibility to the organization when the time comes to say, "Despite our best efforts, we have experienced a data breach. We place the highest priority on protecting our customers, and we are working hard to resolve the issue quickly and effectively." Remember: that is when, not if.

Stay Focused and Stay Ahead

Unfortunately, CEOs have to worry about more than the theft of personal information. Today's adversaries are not teenagers in a basement; often they are state-sponsored operatives conducting high-level espionage and stealing valuable intellectual property and trade secrets. As the players, targets, and stakes shift with geopolitical and financial forces, leadership must stay vigilant: keeping up with trends and emerging threats, drawing lessons from incidents at other companies, reassessing plans and priorities, and collaborating closely with security experts.

Given the breakneck pace of business and technology, and the myriad factors beyond the CEO's control, traditional risk management simply is not agile enough to deal with the perils of operating in cyberspace. Enterprise risk management must build on a foundation of preparedness to create risk resilience, assessing each threat vector against what the business can accept and against the organization's own risk profile. Leading an enterprise to a position of readiness, resilience, and responsiveness is the surest way to secure its assets and protect its people, come what may.
