BY JAKE GIBSON, Chief Compliance Officer and Chief Security Officer, LightEdge Solutions
An important part of cybersecurity is organizational awareness. Cybersecurity affects everyone, from the C-suite to the bottom of the organizational ladder, and that’s why it’s important for all chief executive officers to play an integral role in their company’s cybersecurity efforts.
A 2018 report from Centrify, a cybersecurity company geared toward businesses, found CEOs were disconnected from their technical officers on information security issues. About 62 percent of CEOs inaccurately responded that malware was the primary threat to the company’s cybersecurity. In reality, it’s people within the organization who pose the greatest threat due to phishing and other schemes. The study also found 24 percent of CEOs were not aware their companies even experienced a breach.
These numbers are alarming, but they aren’t much of a surprise. I often see technical officers trying to push companies forward in cybersecurity awareness only to be met with a CEO who doesn’t take it seriously. Cybersecurity is a critical piece of doing business these days, and it’s essential that CEOs be in the mix.
The average annual cost of cybersecurity in 2017 was $11.7 million, according to the Ponemon Institute. That means quality cybersecurity efforts aren’t just a luxury, they are an integral part of doing business. The CEO should be involved in every large decision made in their company’s cybersecurity effort.
Champion the cause
The biggest role the CEO can play in an organization’s cybersecurity is as an advocate. They must make sure everyone within the company is aware of cyber threats and create a culture of open-mindedness toward cybersecurity.
While CEOs shouldn’t micromanage their information technology department, they should be involved with daily discussions and efforts.
Oftentimes, if a message comes from the very top level, it is well received throughout the organization. And if the CEO isn’t focused on spreading that message throughout the company, there may be a disconnect between the technical side and everyone else, including leadership.
To help employees recognize the risks, CEOs can incorporate cybersecurity messages into all of their communications, like companywide meetings, newsletters, etc. CEOs should also consider implementing cybersecurity educational programs. This way employees can stay current with cybersecurity trends and threats.
CEOs should also be in constant communication with their information security teams. Since CEOs set priorities for the entire organization, they should be informed. The Centrify study mentioned above found that the majority of CEOs were misplacing their cybersecurity priorities. Having open and clear communication channels with information security teams can help CEOs focus their efforts toward critical cybersecurity needs, getting more out of the company’s investments.
If a CEO is informed and making cybersecurity a priority within the organization, it can help prevent costly and damaging breaches.
CEOs should set out to improve their cybersecurity awareness beyond internal discussions. This is especially true for small-business owners who have small or nonexistent information security teams.
The best way to gain awareness beyond general research is to attend local and national conferences on information security. At a state level, the Technology Association of Iowa (TAI) holds a yearly Iowa Technology Summit. For the most part, local conventions can be especially helpful because CEOs can build up local contacts and resources.
There are national conferences that come to the Midwest frequently, too, and those can be helpful to get a flavor of the larger conversation around cybersecurity.
There’s a lot to know when it comes to cybersecurity, but it’s important to continue learning. Knowledge is power, and that’s especially true when it comes to CEOs, cybersecurity and their organization’s information security efforts.