The burden of a chief executive officer is that she is ultimately responsible for anything that might go horribly wrong at the company.
You might get one pass if the badness is not-so-horrible, for example the VP of sales is going to take a lot of the heat if the company misses a quarterly bookings target, or the VP of technology if your website goes down for a not-acceptable amount of time. But when the badness greatly affects customers, employees or shareholders the CEO will be held responsible, fairly or unfairly. Look no further than Gregg Steinhafel or Walter Stephan as examples.
If you run a company I assure you your company is under some kind of cyberattack as you read this. I would advise you to change your thinking from ‘we get attacked on a regular basis’ to ‘I get attacked on a regular basis’. Because any attack on the company is also indirectly an attack on the CEO. I might even surmise that the fastest way to get a CEO fired is to launch an effective and withering attack on her company.
So, resolve to get closer to your cybersecurity posture. How well do you individually know the executive in charge of security at your organization? How much time do you spend with them? Chances are the answer is ‘not enough’. Additionally, invest in training for those team members that are the most at risk for being compromised through spear phishing, business email compromise, or other means.
Do what it takes to understand the most likely breach vectors and how your company is actively defending against them. Review your IT and security budgets in context to total IT spend and compare them to industry standard (over 15% for companies improving their security posture). Ask for written incident response plans and whether the organization is running pen testing or red teaming exercises. Become conversant in the language of security because the chances are you will be put in a position to talk about it more than you prefer.
Understand the indirect security vulnerabilities you assume when you put sensitive information in the hands of external firms. Do you use Salesforce? Do you use a bank or payments processor for customer transactions? Do you use an email marketing vendor or HRIS? Every organization that puts customer data, employee data or corporate IP in the trust of an external vendor by definition puts that data at additional risk.
Review your communication plans. Who is responsible for communicating to customers and stakeholder, and when should you do that (as early as possible)? What does the internal communication tree look like and when do incidents get elevated? Don’t figure this out on the fly.
And finally, push this information out to the executive team and Board of Directors. Doing so will allow you to review what you have learned and bring security to a board-level topic where it duly belongs. It also demonstrates, in advance, that you are endeavoring to be proactive about security in advance of the next inevitable cyberattack.
Doing these things isn’t so much an effort to cover your own exposures so much as it is an effort to audit, improve and communicate your company’s current security posture. If the CEO takes a leadership position on security, so will the organization. And that’s a resolution worth making.
(About the author: Timothy Chen is the CEO of threat intelligence company DomainTools).
Register or login for access to this item and much more
All Information Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access