[BreachExchange] For True Cybersecurity, Executives Must Become Hands-On

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 24 18:48:59 EDT 2017


http://www.techzone360.com/topics/techzone/articles/2017/04/21/431439-true-cybersecurity-executives-must-become-hands-on.htm

Of course cybersecurity is critical today – yet many organizations view it
as a huge expenditure that slows the flow of business and frustrates
employees, users and customers alike. C-level executives need to be aware
of how their organizations’ security measures affect the flow of business.
At its best, cybersecurity infrastructure runs quietly in the background,
unnoticed. Rather than being considered a cost center,
cybersecurity can be re-envisioned as a growth enabler or differentiator,
enabling enterprises to make innovative investments that spur growth.

Data security is so important that mishandling it can spell disaster for an
enterprise. It is a potentially ruinous mistake for executives with
non-technical backgrounds to simply assign responsibility for cybersecurity
to the chief security officer, chief information security officer or IT
team. C-suite executives might see the iceberg ahead, but do they really
understand the size of the problem below the surface?

Taking Responsibility

Cybersecurity leadership must come from the top down if it is to
successfully involve everyone. If the top executives are not involved
directly, it can give the impression that cybersecurity is not a No. 1
priority; employees can do it tomorrow or whenever they have time. When the
board or CEO starts asking the management team about what measures the
company has in place to avoid becoming a headline, then there’s a much
bigger chance of real change taking place.

Members of the C-suite who are not tracking with current events may be in
for a rude awakening. The boardroom is placing the responsibility for
cybersecurity squarely on the C-suite’s shoulders. As we have seen in
recent headlines, a particularly bad public data breach can ruin a CEO’s
career. As enterprises and government agencies are required to follow NIST
and other cybersecurity guidelines, more than just the CEO will be targeted
for replacement.

Cybersecurity Awareness Best Practices

For the sake of the enterprise—and their careers—those in the C-suite must
become intimately familiar with the company’s cybersecurity efforts. The
following best practices are a good place to start:

Start with the experts: Ask the cybersecurity team questions and assess:
What are they working on? What is their security posture, and what
solutions are currently in place? What is the critical business
decision-making process used to determine what infrastructure MUST be
secured? Where are the weak spots? How can the team see, control and
maintain a more secure environment? Attend conferences and seminars to
learn about what steps your peers are taking to protect their own
companies. Make sure that you have knowledge of your current systems and
the opportunities to improve – and as quickly as possible. Don’t wait for
the next quarter or next year’s budget, because it might be too late.

Become a culture change agent: Create a cybersecurity culture by building
security hygiene and compliance into compensation and reward packages (if
they aren’t already). Make everyone in your organization aware of the risks
and how they can keep the company safe. The goal is for everyone to
understand the importance of cybersecurity to the company and your
customers, and to underscore the importance of cybersecurity as a personal
responsibility.

Look ahead and evolve: Leaders must adopt a totally new way of thinking to
address today’s evolving cyber threats. Companies need to adopt practices
that don’t affect their workflow and don’t disrupt the actual business in
any way. Look to what universities, incubators and startups are producing,
as they are the best sources for cybersecurity solutions and talent, and
hire the expertise you need from that pool. Make sure your team is evolving
with the threats.

Know when enough is enough: Are employees bypassing security measures in
order to access business applications more easily? Have they created a
shadow IT environment of unauthorized systems and solutions for their
convenience? When used properly, cybersecurity can be an enabler of new
business, protecting data in the cloud and allowing the company to take
advantage of the cloud’s cost-saving agility and flexibility, for example.
Finding ways to minimize the risk of human error, such as automating as
many security processes as possible, can also help increase business
efficiency.

Maintaining Business Trust

Clearly, these best practices require significant time and attention, but
the rewards are real. There are measurable business benefits for greater
involvement in cybersecurity – and measurable downsides if you don’t. For
instance, if your network gets infected and your servers go down, that
downtime will have a disastrous effect on your company’s bottom line, not
to mention the sustained operational costs and damage to reputation.

Without trust, business doesn’t happen. Your company’s solutions, products
and services must be trustworthy. By leading from the top down, the C-suite
can help ensure that the organization is protected appropriately while
maintaining performance and ensuring that security measures do not disrupt
operations in any way. Once the C-suite has established a security game
plan for the organization and is confident that the team is performing on
the right level, you can trust in your critical information flow and sleep
better at night.

Cybersecurity from the C-suite

Trust has become a precious commodity in this era of mega breaches. Once
lost, trust is difficult if not impossible to regain. C-level executives
have a responsibility and opportunity to maintain and even expand the
trustworthiness of their enterprises. This means that they cannot delegate
cybersecurity responsibility to someone else; they must take the issue up
themselves and get hands-on experience and information on safeguarding
critical data. If not, loss of trust, share prices and even careers are
possible.