[BreachExchange] How can the C-suite support CISOs in improving cybersecurity?

[Destry Winant]

https://www.helpnetsecurity.com/2020/09/10/how-can-the-c-suite-support-cisos-in-improving-cybersecurity/

Among the individuals charged with protecting and improving a
company’s cybersecurity, the CISO is typically seen as the executive
for the job. That said, the shift to widespread remote work has made a
compelling case for the need to bring security within the remit of
other departments.

The pandemic has torn down physical office barriers, opening
businesses up to countless vulnerabilities as the number of attack
vectors increased. The reality is that every employee is a potential
vulnerability and, with the security habits of workers remaining
questionable even amid a rising number of data breaches, it’s never
been more important to foster a culture of security throughout an
organization.

Improving security with culture

We continue to see different data breaches in the news, with hundreds
of millions of users on Instagram, TikTok and YouTube having their
accounts compromised in the latest breach. These instances, and
countless others, are a testament to the critical importance of strong
security behaviors – both at work and home – and the training and
attentiveness they require.

The shared responsibility in security is closely tied to how employees
at all levels perceive the importance of security. If this is
ingrained within the culture, they will have the abilities and tools
to protect themselves. This is, of course, easier said than done.

Creating and maintaining a security culture is a never ending and
constantly evolving mission and influencing people’s behavior is often
the most challenging part of the effort. People have become numb to
the security threats they face, and although they understand the
potential risks, they don’t do anything about it. For example, recent
research revealed that 92 percent of UK workers know that using the
same password over and over is risky, but 64 percent of the
respondents do it anyway. So, how do we get through that dissonance
and get people engaged in security?

Encouraging cyber-secure practices from the top

As security continues to grow in importance, organizations absolutely
need an executive at the top to vocally and adamantly advocate for
security.

CISOs typically lead this charge. They are often tasked with leading a
security team and a program responsible for protecting all information
assets, as well as ensuring disaster recovery, business continuity and
incident response plans are in place and regularly tested. In
addition, CISOs and their teams are usually responsible for evaluating
new technologies, staying updated on compliance regulations,
overseeing identity and access management, communicating risks and
security strategies to the C-suite and providing trainings.

Today, CISOs are also focused on protecting a highly distributed
workforce and customers – in offices, at home or a mix of both – and
meeting the new security challenges and threats that come along with
this hybrid environment. That’s why it’s more important than ever for
other C-suite executives to help promote and drive the organization’s
security culture – especially through communications, training and
enforcement of best practices.

While CISOs continue to spearhead the development of the
organization’s security program and define the security mission and
culture, other C-suite executives can vocally support these programs
to ensure their integrity throughout the whole process, from vision
and development to implementation and ongoing enforcement. The
participation of the C-suite can also help CISOs focus on the most
important security issues and adjust the program to ensure it is
aligned with broader business plans and strategies, thereby helping to
get broader support without compromising security.

One likely companion for this type of cross-department alignment is
the Chief Operating Officer (COO). As this role typically reports
directly to the CEO and is considered to be second in the chain of
command, the COO will be able to provide the authority needed to
advocate for security and how it can impact employees, customers,
products and ultimately the business. This means a good COO today
needs to encourage a business culture that supports security efforts
thoroughly, while also ensuring security is prioritized at a tactical
level.

However, the COO is not the only one that needs to serve as a security
advocate. All C-level executives have a critical role to play in
establishing a strong security culture. Because of their connections
to different stakeholders, they will be able to share diverse
insights.

For example, the COO can better incorporate input from the board,
which is vital to ensuring the CISO understands the company’s risk
tolerance which will directly impact innovation and revenue. The Chief
Financial Officer (CFO) could share insights into the spending
priorities and various obligations needed to protect financial systems
and the Chief Human Resources Manager (CHRM) could get valuable data
from employees. The CHRM is instrumental when driving the development
of the security culture; their level of engagement often determines
the overall success of developing a successful security-conscious
culture.

Security-conscious C-suite executives will be able to step in to
support the CISO’s mission that security needs to be a top priority.

Think security-first

Having model behavior fed from the very top will help to underline an
organization’s collective commitment to cybersecurity. In doing so,
employees are empowered by a sense of shared responsibility around
their role in keeping a company’s corporate data secure. To this end,
it’s crucial that the C-suite of modern companies are trailblazers of
security, particularly in the current landscape.

The techniques employed by cybercriminals are becoming more and more
sophisticated, and the risk of data breaches and stolen information
being offered for sale on the dark web has never been higher. As the
pandemic continues to influence developments in information security,
senior leadership, middle management and junior staff members must all
work together towards a collective aim of securing their workplace.

Fostering a culture of security awareness is by no means an easy feat,
but the long-term gains outweigh any teething issues and will serve to
make businesses watertight in the midst of a growing threat landscape.