When it comes to security, no one poses a greater threat than uncommitted executives. Let's imagine for a second that we are kids again. Our parents were the managers of the home, but how safe would we have felt if they decided to neglect the safety of that home and left all the doors open day and night? How safe would the house really be from outside threats? Not safe at all. When it comes to your organization, a lack of executive commitment is an open invitation not just to outside criminals but to insider threats as well.
Why exactly are executives not committed to security? The risk of leaving their operation unprotected is very high. Due to market forces, the role of the C-suite has become far more integrated with information security than most executives are willing to admit. Consumers hold the C-suite responsible whenever a data breach compromises their credit cards. Investors hold the C-suite responsible when a data breach causes financial losses and the devaluation of the company on the market. Can any executive honestly claim that information security is not their responsibility?
To get straight to the point, no one feels security is their direct responsibility, except perhaps the CIO. A survey conducted by Nasdaq revealed that 90% of executive respondents admitted they cannot read a cyber security report and would not know how to respond to a breach, and 40% of executives said that cyber security is not their responsibility. While on the surface it may seem that it is not their responsibility, the reality is very different, because security is the practice of mitigating risk. However, this argument alone is not enough to secure executive buy-in. Having heard that everything is a business risk, executives prioritize what they know best. So in discussions with executives it becomes important to engage them based on their role and on how security affects their responsibilities. The companies that have heightened their security awareness either hold government contracts whose requirements had to be met or were the victim of a severe data breach. Each area of security needs to be covered: prevention, remediation, detection, defense, response, and risk management.
The following is a breakdown of how information security applies to each executive role and what each executive can do to be effective in that role.
CEO
The head of management, and the de facto human face of the company brand. Information security for the CEO should be framed in terms of "when" assets will be jeopardized in the future, how they can help mitigate the fallout, or how they can prevent the breach entirely. A lack of commitment from the CEO translates into a lack of commitment and drive from every other executive. CEOs are the first to be pulled when there is an information security breach. CEOs are the first to know the regulatory landscape when it comes to security. They need to anticipate what will shape the market going forward and how best to position the company to thrive. CEOs are the leaders of the security team and must be active in making information security a point of discussion and engagement in meetings with the C-suite, investors, and partners. The cost of non-commitment from the CEO is increased insider threat and significant asset losses.
CFO
Unless cyber criminals are targeting intellectual property, the financial systems of an organization are always a target, directly or indirectly. Even something like a DDoS attack can have significant financial repercussions for an organization. In addition to the responsibility of ensuring sustainable growth, the CFO must also keep track of the financial risks to the organization's supply chain. An organization's information is most at risk when cyber criminals decide to breach the smaller companies in its supply chain. Anything that puts capital at high risk is of principal concern to the CFO. The CFO often has the final say on what constitutes a good financial investment for the long-term growth of the organization, and so has the responsibility of presenting the financial case for investment in information security. While CEOs may face the brunt of stakeholder relations, CFOs are always scrutinized for their decisions by investors. Investment in information security affects cash flow in the short term, but it produces savings over the long run by protecting against cyber attacks, which are a given in today's world.
CMO
CMOs are the executives most directly tied to customers and clients, and as a result they have a responsibility to ensure that customer data is protected. The public has been subjected to an onslaught of scams and fraud attempts. If your organization cannot provide customers the security they need during the sales process, they will move on to a competitor that can. If a consumer's card is compromised, their bank will likely issue a new one while informing them which organization was breached. Between those bank notifications and news outlets, brand influence can quickly erode once a company loses the ability to protect customer data. This is, of course, a public relations nightmare for any organization, and one that is avoidable if information security is a priority.
Costs of Non-Commitment
It is easy, and simplistic, to pick a single figure for how much your company has at risk. That figure never matches reality, because the costs are context dependent. So instead of a number, here is a list from Deloitte of seven hidden costs that come with a cyber attack on your organization.
- Insurance premium increases
- Increased costs to raise debt (interest rates)
- Operational disruption or destruction
- Lost value of customer relationships
- Value of lost contract revenue
- Devaluation of company brand
- Loss of intellectual property
What these costs actually add up to for your organization will likely be large. Information security is not something to be taken lightly. The executive team absolutely needs to be committed to information security to protect the company from severe bottom-line losses.