Cybersecurity Is No Longer Just the CISO’s Job
April 27, 2017
Featured article by Chris Riley, President of U.S. Operations, SSH Communications Security
Cybersecurity is often seen as a necessary evil in terms of business flow and budget. In 2020, organizations are projected to spend $101.6 billion on cybersecurity software, services and hardware, according to IDC. In addition to depriving businesses of money that could be spent elsewhere, cybersecurity is seen as an impediment to productivity and customer satisfaction.
However, the best cybersecurity infrastructure is unobtrusive, working quietly in the background. Instead of a cost center, as many view it today, cybersecurity should be seen as a growth enabler or differentiator, by permitting the type of innovative investments that allow the company to scale into new markets.
C-level executives need to be aware of how their organizations’ security measures affect the flow of business. It is a potentially disastrous mistake for executives with non-technical backgrounds to simply assign responsibility for cybersecurity to the chief security officer, chief information security officer or IT team. C-suite executives might see the iceberg ahead, but do they really understand the size of the problem below the surface?
Top-down Cybersecurity
Cybersecurity is truly a scenario in which leadership must be actively involved. If the top executives are not involved, it can give the impression that cybersecurity is not a number one priority, something employees can do tomorrow or whenever they have time. When the board or CEO starts asking the management team about what measures the company has in place to avoid becoming a headline, then there’s a much bigger chance of real change taking place.
The boardroom is placing the responsibility for cybersecurity squarely on the C-suite’s shoulders. Executives who fail to understand this sea change are setting themselves up for dire consequences. As we have seen in recent headlines, a particularly bad public data breach can ruin a CEO’s career. As enterprises and government agencies are required to follow NIST and other cybersecurity guidelines, more than just the CEO will be targeted for replacement.
Taking Responsibility
It is clear that security has become part of every C-level executive’s job. Leaders must take an interest in and become intimately familiar with the company’s cybersecurity efforts. The following best practices are a good place to start:
1. Learn from the experts in your midst: Talk with your cybersecurity team. What are they working on? What is their security posture, and what solutions are currently in place? What is the critical business decision-making process used to determine what infrastructure MUST be secured? Where are the weak spots? How can the team see, control and maintain a more secure environment? Attend conferences and seminars to learn about what steps your peers are taking to protect their own companies. Make sure that you gain knowledge of your current systems and the opportunities to improve them, and do so as quickly as possible. Don’t wait for the next quarter or next year’s budget, because it might be too late.
2. Find the cybersecurity issues: Are employees circumventing security measures in order to access business applications more easily? Have they created a shadow IT environment of unauthorized systems and solutions for their convenience? When used properly, cybersecurity can be an enabler of new business, protecting data in the cloud and allowing the company to take advantage of the cloud’s cost-saving agility and flexibility, for example. Finding ways to minimize the risk of human error, such as automating as many security processes as possible, can also help increase business efficiency.
3. Build cybersecurity into the culture: Compensation and reward packages should factor in security hygiene and compliance. Make everyone in your organization aware of the risks and how they can keep the company safe. The goal is for everyone to understand the importance of cybersecurity to the company and your customers, and to underscore the importance of cybersecurity as a personal responsibility.
4. Think fast and flexible: Companies need to adopt practices that don’t affect their workflow and don’t disrupt the actual business in any way. Look to what universities, incubators and startups are producing, as they are the best sources for cybersecurity solutions and talent, and hire the expertise you need from that pool. Make sure your team is evolving with the threats.
Building Trust
The above activities take executives outside their traditional roles, but the rewards are real. There are measurable business benefits from greater involvement in cybersecurity. If your network gets infected and your servers go down, that downtime will have a disastrous effect on your company’s bottom line, not to mention the sustained operational costs and damage to reputation.
If customers and partners can’t trust your company’s solutions, products and services, that’s the end of your business. By leading from the top down, the C-suite can help ensure that the organization is protected appropriately while maintaining performance and ensuring that security measures do not disrupt operations in any way. Once the C-suite has established a security game plan for the organization and is confident that the team is performing on the right level, you can trust in your critical information flow and sleep better at night.
Security: Good Business and Everyone’s Business
Consumers and shareholders have not forgotten the megabreaches of the last several years, nor their impact on personal data and stock value. When a breach occurs, heads will roll – unless executives can demonstrate that they did their cybersecurity due diligence. Everyone is responsible for data safety now; no one is exempt. Business leaders who make cybersecurity their business, regardless of their title, are doing themselves and their organizations a big favor.
About the Author:
Chris Riley has worked in IT and information security for more than 20 years. His experience in markets for identity assurance, data security, governance and risk management is extensive. At SSH, Chris is responsible for all U.S. business operations, including customer success and marketing. Chris is passionate about the work being done by SSH customers and associates regarding governance for trusted access and how that makes the world a safer place given the evolving threat landscape. Prior to joining SSH, Chris spent more than 10 years at RSA Security in various leadership roles around enterprise sales and customer success. Chris is a graduate of Merrimack College in North Andover, MA, where he majored in finance and minored in economics. He also holds a Master of Business Administration degree from Northeastern University in Boston.