The 2019 cyber incident which witnessed Chris Hylen stepping down as CEO of the California-based cybersecurity software services company Imperva, following a massive hack of their customer email, password, and sensitive key data due to a misconfiguration of their cloud service, brought into sharp focus the responsibility of the top brass when it comes to cybersecurity. Coming in the wake of similar cyber incidents that resulted in heads rolling at Equifax, Home Depot, and FACC, amongst others, the fallout underscored the need for a focused and collaborative approach of the C-Suite to establishing an effective cybersecurity plan.
Who wears the hat
Let’s face it. The IT Department has long shed the mantle of custodian of organizational data. Gone too are the days of it being pigeonholed as a ‘non-profit’ center. Instead, we now have the Security Operations Center (SOC) and the cybersecurity team, headed by the CISO/CIO. Yet, such is the nature of cybersecurity – encompassing as it does strategic, operational, and financial elements that necessitate top-level decision-making – that it is short-sighted to continue saying that the responsibility for cybersecurity rests entirely with the CISO. Lisa Levy, a leading light on data security, is unequivocal (1): ‘The (entire) C-Suite has a crucial part in shaping the overarching cybersecurity strategy, determining the risk tolerance, and ensuring the appropriate resources are allocated to effectively safeguard the organisation’s assets.’
But while the entire C-Suite takes collective responsibility, the buck stops with the CEO, who as Levy says should be the ‘ultimate champion for a culture of security, making it an inherent part of the organization’s DNA.’
Why the C-Suite needs to be involved
It’s easy to see why the C-Suite needs to be involved. As custodians of the organization’s fortunes, the C-Suite assumes responsibility not only for its productivity, revenue, legal obligations, compliance, and reputation but also for its safety. Cybersecurity has the potential to impact all of these and can result in severe productivity losses, lowered revenue/profits, irreversible loss of reputation, erosion of customer bases, crippling data losses, and severe regulatory and administrative fines. Data breaches in particular are the bane of organizations, accompanied as they often are by ransomware demands. Take a look at the IBM Cost of a Data Breach Report (2), which puts the average cost of a data breach at USD 4.88 million, up 10% from the previous year. Other studies show the level of devastation – on average, it takes organizations 204 days to identify a data breach and 73 days to contain it.
Regulatory bodies have increasingly stepped up their scrutiny of company boards, introducing a slew of regulations and measures intended to make organizations more vigilant, accountable, and integrated in the cybersecurity process. The Securities and Exchange Commission (SEC) (3) has mandated boards to have a cybersecurity director with ‘experience and qualification’, and the Cybersecurity and Infrastructure Security Agency (CISA) has called for a collaborative approach to achieve cyber performance goals. New SEC rules (5) make it mandatory for organizations to report ransomware demands within 24 hours, and cyber incidents within four days.
On a personal level too, C-Suite executives are squarely in the hot seat. Thought leader Gartner opines that future cyberattacks could result in “personal liability” for 75% of CEOs by 2024 (6). Their unique position as custodians of the crown jewels makes them soft targets for extortion and arm-twisting.
The touchpoints for the C-Suite
While the development of the cybersecurity plan may rest with the CISO/CIO, key considerations/contributions from the C-Suite today could be:
- Strategizing the use of Generative AI tools that are increasingly providing attack surfaces for cybercriminals
- Monitoring events and activities on a global and national scale, considering the fallout from disinformation
- Strengthening resolve to meet ransomware threats using a proactive approach and remediation plan
- Overseeing vulnerability and risk assessment
- Instituting a robust, sustainable, and scalable cybersecurity ecosystem, geared to proactive and predictive threat-hunting, alerting, and response plans
- Ensuring the cybersecurity plan aligns with actual operations
The C-Suite cybersecurity playbook
How successful a cybersecurity plan is depends on how invested the C-Suite members are. At an organizational level they will need to align their core responsibilities with the cybersecurity plan. On a personal level, they will need to ‘walk the talk’, since they are generally looked up to within the organization. Often they set the tone for third-party interactions. It therefore makes good sense for them to:
- Clearly understand the cybersecurity landscape associated with their organization – the risks and impact involved, and the compliance and reporting requirements
- Consistently engage with the organization’s security machinery – its experts, processes, threat surfaces, security architectures, training, data assets, and response measures
- Stay abreast of industry standards, regulatory policies, best practices, and new cyberattack trends
- Clearly and consistently communicate the importance of cybersecurity as a business risk and the role played therein by all stakeholders
- Stringently follow security awareness/training initiatives and employee exposure reporting measures (4) that embed a strong cybersecurity culture, ensure a resilient cybersecurity posture, and infuse good cyber hygiene practices
- Strive to invest in and integrate new and advanced systems in a manner that is commensurate with the business risk
- Adopt a zero-tolerance approach to non-compliance, whether it arises from internal negligence or from lapses in external statutory reporting
- Maintain ongoing risk assessment, vulnerability testing, and scrutiny of the efficacy of the cybersecurity plan (and not just at the time of a data breach incident)
- Demonstrate by personal example their engagement in cybersecurity measures
The C-Suite wars
Despite all that is said and done, the fact remains that C-Suites are not always fully invested. Many still believe the responsibility for cybersecurity lies with the CISO, or with the team comprising the CISO, CTO, and CIO. One study indicates that as many as three-fourths of CHROs, CMOs, and CFOs do not believe the cybersecurity plans include them. Another study (7) reported CFOs as having the lowest level of engagement with cybersecurity at 38 percent, followed by CHROs at 41 percent and CMOs at 43 percent.
A notable disconnect seems to exist between the CMOs, CFOs, CHROs and the organizational cybersecurity canvas – which is alarming because these executives between them are responsible for the customer, financial, and employee data of the organization, all of which are coveted by bad actors.
Final words
As cybersecurity matters escalate and organizations regularly encounter malicious actors, C-Suites find themselves at the epicenter of the seismic activity. They will need to stand together. They will need to collaborate. And they will need to believe in their plan.
But if recent studies are anything to go by, there is still some way to go. Only 65% (8) of C-Suite members are confident that their plans are well-established. New studies show only 12% (9) of boards have a dedicated board-level cybersecurity committee. Further, there is a notable trend for organizations to invest in the latest cyber tools but ignore the need to monitor their effectiveness and keep them upgraded.
Happily, however, C-Suites and boards are increasingly classifying cybersecurity as a business risk, as opposed to a technology risk.
That is perhaps a harbinger of the shape of things to come. In an area where a top-down approach is the rule rather than the exception, it is perhaps some indication that the C-Suite will make a world of difference to cybersecurity approaches in the days ahead.
References:
1. Cybersecurity starts in the C-suite: why every role matters | Business Chief North America
2. Cost of Data Breach in 2024: $4.88 Million, Says Latest IBM Study | SecurityWeek
3. New Cybersecurity Legislations: Guiding Organizational Action and Beyond | Aurora Systems Consulting Inc. (aurorait.com)
4. The Importance of Employee Reporting in Cybersecurity | Aurora Systems Consulting Inc. (aurorait.com)
5. New SEC rules give companies four days to report cyber incidents | CSO Online
6. The C-suite Guide to Cyber Safety | 7 Steps to Securing Your Organization (sentinelone.com)
7. Securing the C-Suite, Part 2: The Role of CFOs, CMOs and CHROs (securityintelligence.com)
8. Securing the C-Suite, Part 1: Lessons for Your CIO and CISO (securityintelligence.com)
9. A Cybersecurity Primer for The C-Suite, SMBs, and Organizations | LinkedIn