How to Keep Your CEO Out of Prison
This is the first article in a series entitled Changing the Cybersecurity Culture from Within: Leading from the Bottom-up
Understanding the Role of Leadership in Cybersecurity
What is the most valuable asset for your company? We still want to be humanistic and say it's people: employees, customers, etc. That is fair. But there is another asset that runs a very close second: the company’s data.
We live in a world of hyper-connectivity that is only going to increase, both in the volume of data and in the speed at which it is generated. Data has become a commodity, resulting in billions of dollars in revenue for some of the top companies that profit from the use of the Internet. In the Information Age, businesses leverage online marketing, digital advertising, and Internet-enabled sales, such as providing services for the distribution and protection of data. With innovations like the Internet of Things, blockchain, applications of Artificial Intelligence, and so on, data is making every company a data firm.
CEOs need to view their handling of data as a key strategy. How a company builds, maintains, and protects its data will change the competitive landscape. It allows smaller upstarts with a new algorithm to be worth billions in months, and security breaches at blue-chip firms to cost billions in a matter of hours. It creates new concerns in the areas of regulation, anti-trust, and legal liability, and it changes how the stock market values a company. Once upon a time, security officers were charged with protecting the precious resources inside a perimeter. In the Information Age this has not changed, but it is cybersecurity that plays a massive part in protecting the company’s primary assets. Without a proper strategy that is well executed, shareholders can, will, and should hold the person in charge responsible for the lapse in control over these resources.
Several organizations in the last five years have experienced an increase in threats from the cyber landscape, with many experiencing great loss in assets, competitive advantage, and credibility all due to the lack of security around their intellectual property, digital footprint, and/or customer information. In 2016 “cybercrime cost the global economy over $450 billion, over 2 billion personal records were stolen and in the U.S. alone over 100 million Americans had their medical records stolen,” which demonstrates the overall lack of readiness.
Cybersecurity needs to be seen by CEOs as a key strategic effort of the company. Instead, it is often viewed tactically. HIPAA, SOX, NIST, PCI DSS, FedRAMP, and other compliance regimes and standards provide cybersecurity professionals with a framework for establishing security. A security officer’s role is to prevent bad guys from entering the facility and causing harm to personnel and resources, thereby reducing liability on the organization and placing it on the bad guy. This still holds true for cybersecurity professionals. With the right tools, frameworks, and training in place, cybersecurity professionals can deter, prevent, and/or detect the bad guys, whether inside or outside the perimeter. However, being in compliance, understanding the applicable data protection and disclosure laws, implementing a robust cybersecurity program, and providing training to employees is still only the beginning of establishing a strategy that will aid in combating cybercrime and sustaining the organization’s competitive edge.
Many rely too much on these tactical approaches rather than using them as tools to establish an effective cybersecurity strategy aligned with the business needs, potential threats, and risk appetite. Failing to implement an effective strategy will result in compromise and exploitation. The severity of the loss of control can lead to grave consequences for the company from both a financial and a brand perspective, and in some cases the loss of the job of the person in charge.
Leadership can be held responsible for data breaches that occur on their watch because of the consequences these attacks have for the organization. Consider the number of resignations submitted in the last five years as a result of a data breach: Target’s CIO and CEO in 2014, the head of the U.S. government’s personnel office in 2015, and OPM’s CIO in 2016. Some of these are due to inadequate cybersecurity solutions, a lack of awareness and training of employees, or simply not taking cybersecurity seriously throughout the organization and communicating the strategy effectively.
Across the globe, changes and updates are being made to cybersecurity rules, including the EU General Data Protection Regulation established in 2016, which sets penalties for delaying notification of a data breach and requires companies to provide notification of certain data breaches within 72 hours. In the U.S., the Federal Trade Commission’s Privacy and Data Security Update of 2016 alleges that “Oracle was aware of significant security issues affecting older versions of Java SE that allowed hackers to craft malware that could give access to consumers’ usernames and passwords for financial accounts, and let hackers acquire other sensitive information through phishing attacks.” CEOs and cybersecurity professionals have to continuously monitor such updates to ensure the organization remains compliant as these changes occur.
Perhaps the most important part of a comprehensive strategy is Organizational Change Management. Change Management, including building awareness and knowledge among shareholders and employees of the importance of proper procedures, protocols, and plans, is essential to securing the resources within. Communication with customers, government, and regulatory entities is critical to establishing trust and a positive image, and to reducing the impact when a breach occurs. Leadership needs to build awareness that cybersecurity is an enabler of success and provides control over company direction. Cybersecurity is not a hindrance, but a strategy for success.
Cybersecurity is like the brakes on a car. The brakes are not there to stop us; they enable us to go faster. If we did not have brakes we would only drive one mile an hour, or not at all, because we would have no control. Brakes provide safe and controlled travel at high speeds. With brakes we have the security (pun intended) to go 65 mph, because we know the brakes will be there to slow and control the vehicle when needed. Cybersecurity enables us to do our jobs without worrying about who may attack us, provides protection against sending sensitive data to the wrong place, and gives control over what employees can or cannot do. Stakeholders need to gain the knowledge necessary to enable success both at work and at home, and to understand that cybersecurity is not different between these two environments; only the perception of difference exists.
A matured cybersecurity strategy that is effectively communicated can protect assets, personnel, shareholders, and help keep the CEO out of prison.