In the past 20 years as a CSO/CISO and global consultant to hundreds of businesses, I've seen firsthand the transformation of cyber risk and its impact on businesses in many industries. Regardless of industry differences, cyber risk is the game-changing business challenge of the 21st century.
CEOs, boards of directors, and organizations that are willing to address cyber risk as a business issue today should take these three strategic actions immediately.
1. Question your cyber preparedness – CEOs must ask their CSO/CISO what the cyber preparedness plans for the organization are. Don't be afraid of asking difficult questions. Question everything about your cyber preparedness plans. Understand the risks and the actions you will take when you execute those plans. Foster a corporate culture of awareness, responsibility and accountability with regard to your overall cybersecurity efforts and, most importantly, your cyber preparedness plans.
Some organizations have cyber preparedness plans that are written mostly to meet industry or government mandated compliance or contractual requirements with customers. The shortsightedness of this approach is that organizations create cyber preparedness plans that are not comprehensive enough (they are designed to minimum standards just to meet the compliance requirement checklist), are infrequently tested, and are usually updated only once every year or two. As a CEO, you should not accept that status quo in your organization, ever. Hold your C-level executives accountable and responsible for your organization's cybersecurity program.
In today's ever-changing enterprise risk landscape, organizations must be more proactive in ensuring that preparedness planning keeps up with business priorities and the constantly evolving risk and threat landscape.
2. CEO and board of directors must become educated – CEO, ask your board what their level of experience and expertise in cybersecurity is. You may be very surprised by the answer you receive. Let's assume for a moment that your board has virtually no knowledge or experience in cybersecurity. What should your responsibility be as a CEO? You should immediately work with your CSO/CISO to improve the communication with and education of your board on matters of enterprise risk management and cybersecurity.
As CEO, you have a responsibility to keep your board informed of the risks to your organization and its preparedness plans. Ensure your board works directly with you and the CSO/CISO on all matters related to cyber risk. Remember that cybersecurity is a shared responsibility that starts with transparency and accountability from the top and is driven throughout the culture of your entire organization.
3. CSO/CISOs must report to the CEO and board – In many organizations, cybersecurity is perceived to be a technical issue. The reality is that cyber risk is more than a technology problem; it has become a business issue. In some organizations, the CSO/CISO reports to the chief information officer (CIO). The result is a conflict of interest between the goals, budgets and strategic planning of the CIO and those of the CSO/CISO. For example, the CIO's priority is to keep systems operational, while the CSO/CISO must have the authority and support of senior executive management to make immediate decisions to protect the organization. Another conflict of interest is in budget funding: where the CSO/CISO reports to the CIO, the CSO/CISO's budget will largely depend on whatever money the CIO has left over from their own budget.
CEO, allow me to ask you a question. Would you take a flight on a commercial airline that left the funding of aircraft maintenance up to whatever was left over after paying payroll and suppliers? No, of course you would not risk your life boarding an aircraft that may not have had required maintenance performed due to poor financial planning. Why, then, would you risk the brand and reputation of your business by funding your cybersecurity program with whatever is left over from the CIO's budget?
CEOs and board members must work in close collaboration with their CSO/CISOs to understand cyber risks and the organization's overall cybersecurity program. Investors, as well as government regulators, are asking and requiring CEOs and boards to have more knowledge and understanding of cybersecurity risks. CEOs and boards are being held more accountable for their organization's cyber risk plans and actions. For example, in recent major breaches, CEOs have been fired after their organization's brand and reputation were severely damaged. Cybersecurity is no longer a technical issue; it is a business imperative.
CEOs who have the CSO/CISO report directly to the CEO and board are sending a clear, unequivocal message to their organizations, investors, partners and customers that they are committed to addressing cyber risk with transparency, shared responsibility and accountability. The stakes are too great for organizations to do otherwise.