The Cyber Buck Stops with the CEO
President Truman had a sign on his desk that read “The Buck Stops Here.” The slogan represents the idea that a leader must assume ultimate responsibility for the organization they lead. When it comes to cybersecurity, the buck stops not with the CISO or the CTO, but with the CEO. What does a CEO need to ensure his/her company has a cyber resilient posture?
The path to cyber resiliency requires a dynamic approach – one that promotes positive cultural changes across an organization and empowers innovative defense strategies including both literacy and technology. The successful CEO can arm his/her organization with the knowledge and capability to defend against tomorrow’s complex and ever-evolving cyber threats.
Ask and You Will Receive
There are lots of questions the CEO should be asking himself/herself, the executive team, and the board. Here are a few questions that CEOs should be considering.
- What makes our company an appealing target?
It’s important to think objectively about your business. Do you know why someone would target your organization? Would someone target you personally to get to your organization? As the CEO your cyber hygiene should be paramount. You have the ultimate access to anything a cyber criminal might want – from financial information to intellectual property to the next acquisition your company is considering.
- What are our crown jewels?
Crown jewels represent the data that most needs protecting. As the CEO, it’s your responsibility to help ensure that your executive team and board are all in agreement on what most needs protecting. It’s impossible to lock down everything, so concentrate your strongest controls on your most valuable assets and keep those as close to fully secured as possible. For some organizations, customer data is the Holy Grail. For others, it’s a recipe. Think about Coca Cola. One of its most-coveted crown jewels is the Coke formula. What about your organization?
- What are the potential impacts if our crown jewels were targeted by a cyber attack?
Now that you’ve defined what is most important to protect, and your executive team, board and security team are all on the same page, what happens if you are targeted by a cyber attack? Do you have an incident response plan? You need to plan for the worst and understand all of the impacts. This is a key role for the CEO. Ask the right questions and make sure that you are clear on the decisions you will need to make should your most important data be breached.
- What are the cyber risks to which our network infrastructure, business partners, acquisitions, vendors, and other third party service providers expose us?
Understanding cyber risk is a big undertaking. There are risks everywhere that need assessing. Do you think about cyber risk as an enterprise risk? Using an Enterprise Risk Management framework will allow you to examine cyber risk across your enterprise and include cyber risk in every decision. Think about your next acquisition. Do you realize that the company you’re considering acquiring has its own cyber attack surface that will become your problem when you acquire it? How about a new third party provider? What types of cyber risk do they present to your business? Can someone get to your data through that third party? While your executive team should understand these risks and ensure the integrity of your security and data, if you’re not asking the right questions, then you are not leading your organization the way you should.
- How is our organization prepared from the top down?
Few companies are truly prepared. Do you have a cyber incident response plan? Do you practice it? Think about elite athletes. They practice and practice so that when they execute they can be flawless. And, if they can’t be flawless or the landscape changes, then they are prepared to make decisions and adapt to the situation.
Cybersecurity Starts at the Top
Unless you are a Chief Executive who really enjoys feeling the heat from your Board of Directors, you need to personally own all risk issues (including cyber). You are the captain of your ship. A good CEO will not wait to be informed of an issue. Be proactive and drive action using the crew you command.
It’s important to continually ask questions of your crew, but remember, you are their captain – they are also awaiting your orders. To avoid letting your hull get breached, let your organization know you take cybersecurity seriously by doing the following:
- Communicate frequently and consistently about the importance of cybersecurity.
- Ensure you and your leadership team stay informed on current trends, and regularly assess the roles, skills, and competencies your security function needs to meet your long-term business needs.
- Ensure that policies accurately represent the expectations related to the risk tolerance level you have set for your organization.
- Require and promote employee participation in cyber awareness training. Do not exempt yourself or your executive team.
- Budget appropriately for professional development opportunities for your cyber workforce, or if outsourced, for the right level of protection.
Get Ahead of Hackers
Don’t wait for a breach to establish your cyber posture and plan. As the CEO, this is one of your most important responsibilities. Ensure your organization is prepared so that you can recover quickly if a breach becomes your reality. Each member of your C-Suite has a unique role to play but you need to lead by example. Take an active role. Position your company for success by ensuring that your C-Suite and board aren’t only cyber aware but cyber literate.
If you aren’t ready with these five starter questions and answers, then you’ll want to join us at our Cyber Resolve seminar in NYC on May 1. Prefer private training for your executive team or board? Contact us. We’ll bring the education to you.
CEO, remember that not only does the cyber buck stop with you, but all the rest of the proverbial bucks stop with you as well. Ensure you and your leadership team are cyber literate and the rest will follow.