As much as we wish it weren’t true, when a security breach occurs, everyone tends to look at an organization’s leadership and either place blame or seek guidance. In the past, cybersecurity was seen as an IT department’s concern, rarely making an appearance in board meetings or receiving a large share of the yearly budget. In the last decade, all that has changed, and it’s for the better. Executive teams are realizing that the ramifications of a security breach affect them directly, and we probably don’t need to mention that there are more than a few examples of CEOs whose positions have been affected by a large data breach.
These facts could be discouraging, but in the case of cybersecurity, awareness and proactivity are allies. Almost every executive will experience a security breach while they are in leadership; however, preparing for, responding to, and rebuilding after a breach might become more a part of their legacy than new products or rising stock prices.
Starting at the top
The simplest way executives contribute to an organization’s cyber resilience is by demonstrating a culture of cybersecurity. Both modeling correct security practices and communicating the importance of cybersecurity set the tone in an organization that cybersecurity is a priority. This attitude is tested during moments like budget meetings, when deciding how to allocate funds, and highlighted when a breach occurs and executives must respond.
Building cybersecurity knowledge and understanding
Just as cybersecurity is no longer only an IT department’s concern, knowledge about security is not only an IT department’s responsibility. The better executives are able to understand threats and repercussions, the better they are able to ensure that the risks being taken are appropriate and that they align with an organization’s values and needs.
Executives should be in the know. A CEO might not need to know about every little cyberattack, but if they know, as a rule, which kinds of attacks are normal, they will be able to respond when they are notified of abnormal activity. When a breach occurs, no one should need to explain to an executive what’s at stake and how they need to respond. Cyber resilience includes an executive team that is well-informed and takes responsibility.
If vendors fail, you’re still on the hook
Organizations rarely function without external vendors. Although choosing these vendors wisely and making sure that their security practices align with your own is of the utmost importance, your customers won’t care who was technically to blame should an attack get through. There should never be a moment when your only line of defence is in someone else’s hands.
How to move forward
Cyber resilience is, in its simplest form, being proactive over and over again. Performing risk assessments, testing procedures, and continually communicating about security goes hand in hand with planning for when an attack happens and building a strong incident response plan. Continuing to gain knowledge about vulnerabilities and the growing number of threats is an ongoing part of a CISO’s job, but it doesn’t stop there. All executives need to possess a keen understanding of their organization’s security because they will be just as involved as their risk management team in the fallout, should a breach occur. Cybersecurity is a team sport.
CISOs aren’t cyber resilience strategists
Even though an organization’s CISO heads up cybersecurity and should be heavily involved in creating a cyber resilience strategy as well as an incident response plan, they shouldn’t hesitate to bring in other key resources in the company and their security partners to assist. Cyber resilience depends on the knowledge and experience of many minds. As we continue our focus on cyber resilience this month, please contact us if you would like assistance with creating a cyber resilience plan for your organization.