The people, processes, and technology that protect digital resources and manage cyber risk are essential to sustaining businesses and societies. Even so, in many enterprises, boards and executives are just beginning to truly engage in cyber security strategy and leadership.
A recent NASDAQ survey highlights alarming gaps between awareness and accountability at the highest levels of global enterprises: too many board members and executives are unable to understand security briefings and unwilling to accept responsibility for data breaches.
The simultaneous explosion of connected technology and devices, Big Data, and cybercrime has led to wider adoption of new executive roles such as the Chief Security Officer (CSO), Chief Information Security Officer (CISO) and Chief Digital Officer (CDO). As information governance, risk management, and compliance activities grow in scope and complexity, there is more than enough high-level strategy and oversight to keep an expanded C-suite challenged and busy. However, additional silos of responsibility can create confusion and inefficiencies when roles are not clearly defined, or collaboration is subdued.
When it comes to cyber security, it’s more important than ever for board members and core executives—especially those not directly involved with deploying security programs—to fully participate and contribute on a continuous basis.
The roles of the CEO, CFO, CIO, and CMO have undergone significant transformation over the past decade. Public scrutiny of business leaders is at an all-time high, in part due to enormous hacks and global data breaches. It’s become increasingly clear in the last few years that in the event of a breach, the hacked organization will be blamed and held fully accountable. Therefore, everyone in the C-suite is potentially going to have their feet held to the fire.
The good news, however, is that executives are beginning to pay more attention to the security measures protecting their organization’s assets, data, employees and customers. The cautionary tales, Armageddon scenarios, and the threat of public humiliation have made a significant impact. Executive awareness and engagement are finally increasing to meet the threats, but building a solid line of defense requires ongoing, strategic collaboration. Leaders must commit to adopting a culture of responsibility from the top, making sure their message reaches out to the edges of the enterprise and everywhere in between.
Covering all the bases—defense, risk management, prevention, detection, remediation, and incident response—is more feasible when leaders contribute from their expertise and use their unique vantage point to help set priorities and keep security efforts aligned with business objectives. Let’s take a look at each role within the C-Suite:
CEOs are on the hot seat and being pulled in a million directions at once. They face an influx of new regulations and risk factors related to the IT infrastructure and services that keep their enterprise up and running. These challenges can only be addressed through collaborative teamwork. Building a robust, encompassing cyber security program requires strong leadership from the CEO and a willingness to coordinate with the board and other executives to bridge traditional silos and redefine roles. By keeping security programs aligned with strategic business objectives, CEOs can help their organizations develop competitive advantage and dive into emerging opportunities with confidence.
In order to maintain an accurate, big picture understanding of their organization’s security preparedness, CEOs must actively solicit and distill security-related concerns, opinions, and contributions from multiple stakeholders. It’s important to make sure your team thinks of security breaches in terms of “when” not “if”—cyber-attacks are so numerous and sophisticated, it is foolish to think they can be entirely avoided.
In the event of a breach, you have to be ready with a quick and effective incident response; the faster the response, the better the outcome. In the eyes of regulators and consumers, credibility is bolstered by evidence of comprehensive, ongoing cyber security efforts. CEOs must espouse strategies that intentionally build resilience through security analysis, training, planning, and testing. The CEO leads the way by emphasizing the importance of ongoing communication and collaboration. Championing a culture of security awareness throughout the organization and supply chain strengthens your defenses; “insider threats” are still the most common attack vector.
Cyber criminals attack financial systems directly and indirectly, and data breaches of all kinds impact an organization’s bottom line. These ongoing threats require CFOs to become intimately involved in security measures and cyber risk management. CFOs are also concerned with loss of funds through theft, waste, and supply chain issues, all of which can originate or proliferate in the cyber realm.
From internal operations to investor relations, every part of a CFO’s role involves highly sensitive data that must be closely controlled and protected. To fulfill their fiduciary duties, CFOs must maintain a thorough understanding of where this vital information is, who might want to steal it, and how they might gain access to it. Their responsibilities include disclosing to the board the potential impact of a cyber-attack. This includes integrating security risks into discussions and decisions about investments, procurement, and partnerships. Analyzing the feasibility and cost effectiveness of cyber insurance and security solutions also falls in the CFO’s domain. Last but not least, CFOs should be intimately involved in crafting and rehearsing the portion of the organization’s incident response plan that involves communicating with shareholders, partners, suppliers, and customers.
CFOs have always played an important role in advocating for and pursuing critical investments that promote long-term business growth. Forward-looking CFOs recognize the importance of investing in cyber security as a primary method of protecting reputation, stock price, financial resources, and proprietary information.
The CIO role is, of course, most closely connected to cyber security responsibilities. It’s clear that CIOs have the most to gain from a broader, more collaborative approach. A united front that recruits champions from across the organizations is stronger than a thin, overwhelmed line of defense made up on only IT team members.
As new roles like CISO and CDO step in to alleviate their workload, CIOs should take the lead in engaging non-technical executives and board members. Their new directive is to excel at calm, clear communication with all stakeholders in order to obtain better funding and support for security initiatives. They have to speak the language of business and risk in order to convince boards and investors of the crucial link between IT enablement and risk management. Boards want regularly updated metrics and assessments they can compare over time as well as a way to form these into an accurate, holistic picture of information technology risk. The NASDAQ survey found that a vast majority of board members, especially those at vulnerable organizations, were unable to interpret cyber security reports. It is the CIO’s job to bridge this dangerous divide.
The CIO’s mandate is maintaining an effective, working balance between technology benefits, security controls, and risk management. By aligning their efforts with strategic business objectives, CIOs will partner more closely with their colleagues in the C-suite to shape business decisions, competitive strategy, and sustainable innovation.
The CMO oversees a digital realm that is more closely tied to the customer than ever before, so it’s not surprising that their role has seen the biggest changes in recent years. The advances made possible by mobile marketing, social media, ad tech and Big Data have prompted an astonishing rise in the amount of consumer data that is gathered and analyzed for marketing purposes. Part of managing this data, much of which falls under privacy regulations, is securing it against theft and abuse. After all, cybercriminals are just as interested in that data as you are. Data-driven marketing depends on customer trust, and repeated headlines about spectacular breaches are eroding that trust.
More and more, we see brands and customer relationships damaged in the aftermath of an attack. In the event of a breach, CMOs will find themselves front and center, so they should make sure they are part of the incident response and data security planning. One of the big lessons learned from recent incidents is that financial and reputational damage will be amplified or mitigated depending on how quick, credible, and efficient the brand response is. All of a CMO’s hard work can go up in smoke if customers sense a lack of care or transparency.
In today’s enterprise, the CMO’s organization drives digital based growth. The board and executive team rely on them to lead brand, product, and innovation efforts to competitive advantage, without coming into conflict with data privacy legislation. It’s the CMO’s job to make sure the brand stands out for all of the right reasons.
Responsibility Starts at the Top
The C-Suite has the clearest, broadest “big picture” view of how their organization’s components intersect. A serious, shared commitment to common values and strategies is key to a productive relationship between the executive team and the board. Only through sincere, ongoing collaboration, can complex threats like cyber-crime and espionage be managed. Without synchronized oversight, risk factors will multiply unimpeded.
In a global enterprise, there are so many elements beyond the C-suite’s control and traditional risk management isn’t agile enough to deal with the dangers of cyberspace activity. By building on a foundation of preparedness, executives can create cyber resilience by assessing threat vectors from a position of business acceptability and risk profiling. Leading the enterprise to a position of readiness, resilience and responsiveness is the sure-fire way to secure assets and protect customers, partners and employees.
It’s time for all executives to step up and bridge the gap between awareness and action. Organizations that create a deeply rooted culture of security and accountability from the top down will be able to withstand the persistent, dynamic nature of today’s ever-expanding, global cyber threats.
About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.