The past decade taught us that companies can no longer ask if their data is in danger of being hacked. Instead, the question became when their data would fall prey to a cyber criminal.
The recent spate of cyber-attacks on large and mid-sized enterprises accentuates the fact that security is no longer just about protecting a business’s information and is therefore no longer confined to the IT department. For companies to maintain customer trust and brand reputation, as well as to safeguard data, IP and critical infrastructure, cyber security needs to become an issue from the top down. This means that boardrooms and corner offices must get into discussions involving security, that is, if they want the enterprise to maintain its market share and its reputation.
A recent KPMG report noted that cyber security has made its way onto the radar of many CEOs and that they feel a sense of urgency to make it a mandatory topic at the board level. However, the fact that less than half of the CEOs say they aren’t well-prepared for a cyber attack even today remains a cause of concern. As 2019 comes to a close and we move into a new year, or rather a brand new decade, let us examine how top decision makers can exhibit cyber readiness in 2020.
The Risk of Cybersecurity
First of all, the CEO and board must realize that in addition to spearheading innovation and growth, cybersecurity readiness is part of their core responsibility. A shift toward a more proactive and forward-thinking stance is the need of the hour. For example, Robert McCullen, CEO and President of Trustwave, mentions in a Forbes article that during acquisition planning, CEOs should acknowledge that they are assimilating unpatched databases, hidden malware and lax security policies in addition to the intellectual property and new market opportunities they have purchased. This is crucial to consider and must be present from the start.
They should also ask about how cybersecurity fits into the overall corporate planning process and whether executives take ownership of this. Additionally, the board should know the company’s process for disclosing security breaches and if there is a set plan in place.
Combine Business and IT Architectures
The CEO must make it clear that cyber security can’t just be a technology problem; rather, it must be a holistic one, in which cyber security considerations are embedded at the earliest levels of product and service design, says Hemant Arora, Partner, Cyber Security at PwC.
“Security and risk assessments should be baked into company strategies from the start, rather than letting them stunt digital innovation of the organization,” says Arora.
Several studies by security experts, including ISACA, recommend that business and technology leadership work together to discuss potential risks and find solutions that protect intellectual property and financials alike. While leading the security strategy, the CEO must establish a security governance model and program to encourage enterprise-wide collaboration. Include the C-suite in developing an incident response plan and share it with the board for input.
Time for Action
Cybersecurity is not about implementing a checklist of requirements, experts believe. Instead, CEOs must translate their words into actions by playing an active part in cyber security discussions. That means interacting directly with the executives responsible for security, including the CIO and CISO, which will help them understand the key issues impacting the business. It also helps deliver their mandates across the business environment, not only within the technology space.
When a security breach happens, it’s the CEO’s job to be the voice of calm. He or she should take charge to explain the action plan that is in place and what steps are being taken to investigate and fix the situation. As Diwakar Dayal, Managing Director at Tenable says, “The CEO’s ability to understand the technology they are using and the security industry as a whole is critical.”
A comprehensive cybersecurity program leverages industry standards and best practices to protect systems and detect potential problems, along with processes to stay informed of current threats and enable timely response and recovery. The C-suite should play a key role in the strategic framework for managing cybersecurity risk throughout the enterprise.
In the light of new regulations such as the European Union’s General Data Protection Regulation (GDPR) and the recently approved Personal Data Protection (PDP) Bill in India, among others, managing cybersecurity risk as part of an organization’s governance, risk management, and business continuity frameworks is becoming even more crucial.
Incident Response Plans
Even a well-defended organization will experience a cyber incident at some point. When network defenses are penetrated, a CEO should be prepared to answer, “What is our Plan B?”
“Early response actions can limit or even prevent possible damage. A key component of cyber incident response preparation is planning in conjunction with the CIO/CISO, business leaders, continuity planners, system operators and other key security stakeholders,” Mary O’Brien, General Manager, IBM Security says, adding that this includes integrating cyber incident response policies and procedures with existing disaster recovery and business continuity plans.
The C-suite together with security and risk leaders should also oversee enterprise risk management, including the regular evaluation of cybersecurity budgets, IT acquisition plans, IT outsourcing, cloud services, incident reports, risk assessment results, and other top-level policies.
Cyber Security Culture
It is crucial to establish and nurture a security-minded culture across the board, including employees, partners and even third-party vendors. Besides rigorous training and awareness exercises on cyber security, the CEO must first understand potential threats unique to the organization (and industry), so that he or she can gain a much more realistic understanding of risks and potential breach impact.
Jaspreet Singh, Partner, Cyber Security, Advisory Services, Ernst & Young, believes that a cyber security culture must include everyone who has access to data. A key activity of a CEO is to prepare a general threat assessment that involves in-depth interviews with senior management, IT administrators and partners. Once this assessment has been made, tailored contingency plans and ongoing security education can be put into place so that everyone tied to the organization ends up becoming its best security advocate.
“Businesses that make security an integral part of their company culture will be among those best positioned to fend off the next big cyber attack,” Singh says.
Every successful change strategy is driven from the top and it applies to cyber security as well. Security is not just the prerogative of the CIO/CISO or the IT department; it requires complete management intervention and commitment. Management teams must understand that it is much cheaper to invest in Cyber Security than it is to take reactive measures in the event of a cyber-attack.
A Frost & Sullivan study reveals that a large-sized organization in India incurs an average of $10.3 million of economic loss from cyberattacks, whereas a mid-sized organization incurs an average of $11K. Not all losses are calculable, though. Cyber crime adversely impacts the brand equity and credibility of firms. In terms of prospects, this means declining investor trust and a possible dip in share prices.
Once top management understands this, they can be better equipped to make security decisions. We can only hope that cyber security starts at the top in 2020.