EXECUTIVE SUMMARY:

Your organization’s cyber security begins and ends with those at the very top of the organization. The CEO, along with the board, must comprehensively understand cyber risks and assume accountability and responsibility for cyber security management.

This is because a cyber attack does not simply hit the IT department and wither away. An attack can disrupt every business unit, and can spread to a company's subsidiaries, suppliers and customers. In turn, it can have productivity, financial, legal and regulatory consequences.

But what types of action should executives actually take regarding cyber security? The options can seem overwhelming, as executives have a lot of latitude and there is no official manual. This article outlines how top-level management can take a more active role in overseeing and supporting cyber security.

Executives and cyber security

One of the most effective means through which executives can take action around cyber security consists of cultivating a cyber security culture. This refers to creating an environment in which employees adopt attitudes, views and values that influence positive cyber security behaviors.

Employees generally follow what leadership visibly prioritizes and measures: their KPIs, their job descriptions, and the requests of the CEO and other top-level management. If executives state clearly that they expect everyone to act as a "security champion" or to adopt a security-first mindset, and reinforce that expectation in goals and reviews, employees are far more likely to behave accordingly.

In addition, executives should ask the CISO how cyber security funds are allocated and, in return, share business context (new products, acquisitions, contracts and market changes) that reveals areas of risk the cyber security staff may be unaware of.

CISOs with limited financial resources tend to focus on protecting the "crown jewels" of an organization: the most sensitive data and assets. But what counts as a crown jewel can change or expand over time, making it imperative for executives to stay in sync with the CISO.

Beyond that, executives may wish to work with the cyber security staff on a playbook to follow in the event of a breach. Collaboration in this area can set expectations. Executives will not find themselves assigned to unexpected tasks in the event of an incident, for instance.

Further, CEOs and top-level management should participate in cyber security tabletop exercises, so that they are aligned with the cyber security team on compliance obligations. Everyone needs to know how soon a breach must be reported to regulators and other authorities, who is responsible for reporting it, and which internal and external communication channels to activate, among other things.

Boards and cyber security

Boards retain oversight and fiduciary responsibilities, meaning that they have a unique role in managing and mitigating risks. When it comes to cyber threats, boards need to ask critical questions about risk exposure, budget and the effective allocation of resources.

One common struggle for boards is the lack of a clear channel through which the board can explore and evaluate cyber security and compliance issues. This can lead to overreaction in some situations and delayed responses in others.

Further thoughts

Fostering collaboration across top-level management functions and cyber security can enable everyone to leverage deep organizational knowledge in order to make more informed business decisions that proactively mitigate risk.

Addressing evolving cyber security risks, in tandem with organizational change and growth, requires everyone to remain flexible, agile and willing to collaborate across the organizational hierarchy.
