Does the C-suite give enough attention to cybersecurity? Multiple studies suggest many executives aren’t as engaged as they should be in ensuring their organizations are prepared to mitigate and manage cybersecurity risks, or to respond when an incident does occur.
Nearly a quarter of risk managers polled by Advisen for its 2017 Cyber Risk Preparedness and Response Survey, sponsored by Experian Data Breach Resolution, said their senior management’s cyber risk concerns did not closely align with those of their corporate risk management and IT departments. Nearly a quarter of insurance brokers and 16 percent of legal experts also said their clients’ senior management was not in step with their security consultants on cyber incident response.
Those insights echo ones from our Fourth Annual Data Breach Preparedness Survey, conducted by the Ponemon Institute. Fifty-seven percent of the IT professionals polled said their companies’ boards, chairmen and CEOs were not informed about or involved in data breach response planning. Sixty percent had leadership that didn’t want to know immediately when a material breach occurs, and 66 percent have boards that don’t understand the specific cybersecurity threats their organizations face. What’s more, 74 percent said their boards weren’t willing to take ownership for successful incident response plan implementation.
Creating greater engagement
The consensus seems to be that too many C-suite executives approach cybersecurity with an attitude of “I don’t know and I don’t want to know.” Yet that kind of disengagement can seriously hamper an organization’s ability to respond quickly, efficiently and effectively when a cyber incident occurs: decisions about disclosure, customer notification, legal counsel and budget all require leaders who already understand the plan.
To be most effective at helping their organizations protect themselves, cybersecurity professionals need to take steps to create greater engagement among the organization’s leadership:
- Pinpoint the greatest cybersecurity risks your organization faces and describe them in plain language that makes each risk, and its likely business impact, as easy to understand as possible. While many executives and even some board members may have a high-level understanding of cybersecurity, others will not. Tailor your messaging to the level of knowledge of the audience you’ll be addressing.
- Hold one-on-one meetings with key leaders to help them understand how cybersecurity risks affect not only the overall organization but their own area of responsibility as well. Be sure to listen, too, so you understand what each leader’s security concerns are and how your team can best help address them.
- Stage a cybersecurity “war game” (a tabletop exercise) for your C-suite, in which members role-play through a data breach scenario. This helps leadership understand how the company’s data breach response will actually be carried out, why cybersecurity is a whole-organization concern rather than just the purview of the IT department, and why their own role is critical. It also surfaces gaps in the plan, such as unclear decision authority or missing contact details, before a real incident does.
Organizations can also take steps to ensure a more engaged relationship between cybersecurity teams, C-suites and other departments:
- Make the company’s chief information security officer (CISO) answerable directly to the CEO and/or the board. A study by Accenture found that 55 percent of CISOs report to IT heads rather than to top management. “Consequently, most CISOs focus on technology instead of concentrating on security from a business-centered holistic perspective,” Accenture reports.
- Train employees at every level of the organization to spot security risks and to understand their role in protecting the entire organization from cyberattacks. Consider rewarding behaviors that support cybersecurity, such as reporting suspicious email.
- Put cybersecurity on the agenda for every board and executive-level meeting, and incorporate it into quarterly state-of-the-company and all-hands meetings.
With cybersecurity threats evolving and escalating daily, companies need to make engagement in cybersecurity a priority that starts at the top and continues through every level of the organization.