
Taking executive responsibility for cybersecurity

(Image credit: NakoPhotography / Shutterstock)

The ideal scenario for cybersecurity infrastructure is that it be neither seen nor heard, effectively doing its vital work without notice behind the scenes. It is not intended to slow or halt the flow of business, but that is sometimes the case as organizations seek to protect their critical data. It is often thought of as a cost center as well, but when looked at from a broader perspective, cybersecurity could be the thing that enables growth or differentiates the company. How? By enabling investment in innovative ideas that provide entrée into new markets.

It is true that cybersecurity can be expensive, and that it can inhibit business flow – frustrating employees, users and customers alike. C-level executives need to be aware of how their organizations’ security measures affect the flow of business. 

The events of the past three years make it clear that security is now everyone’s job. It is a potentially disastrous mistake for executives with non-technical backgrounds to simply assign responsibility for cybersecurity to the chief security officer, chief information security officer or IT team. C-suite executives might see the iceberg ahead, but do they really understand the size of the problem below the surface? 

Executive Participation is Key

Some causes can begin at the grassroots level and affect the whole organization, but in the case of cybersecurity, there must be executive involvement from the start. If the top executives are not involved directly, it can give the impression that cybersecurity is not a number one priority; employees can do it tomorrow or whenever they have time. When the board or CEO starts asking the management team about what measures the company has in place to avoid becoming a headline, then there’s a much bigger chance of real change taking place.   

This is no longer a mere suggestion or theoretical best practice; the boardroom is placing the responsibility for cybersecurity squarely on the C-suite’s shoulders. As we have seen in recent headlines, a particularly bad public data breach can ruin a CEO’s career. As enterprises and government agencies are required to follow NIST and other cybersecurity guidelines, more than just the CEO will be targeted for replacement. 

Establish Cybersecurity Leadership  

People who lack intellectual curiosity usually don’t make it to the C-suite. Executives must apply that mindset to the company’s cybersecurity efforts. The following best practices are a good place to start: 

1. Meet with the cybersecurity team: Ask questions to determine: What are they working on? What is their security posture, and what solutions are currently in place? What is the critical business decision-making process used to determine what infrastructure MUST be secured?  Where are the weak spots? How can the team see, control and maintain a more secure environment? Attend conferences and seminars to learn about what steps your peers are taking to protect their own companies. Make sure that you have knowledge of your current systems and the opportunities to improve – and as quickly as possible. Don’t wait for the next quarter or next year’s budget, because it might be too late.    

2. Make cybersecurity non-negotiable: Include security compliance and hygiene in compensation and reward packages (if they aren’t already). Make everyone in your organization aware of the risks and how they can keep the company safe. The goal is for everyone to understand the importance of cybersecurity to the company and your customers, and to underscore the importance of cybersecurity as a personal responsibility.  

3. Get ready for change: As cyber threats evolve, so must organizational thinking. Companies need to adopt practices that don’t affect their workflow and don’t disrupt the actual business in any way. Look to what universities, incubators and startups are producing, as they are the best sources for cybersecurity solutions and talent, and hire the expertise you need from that pool. Make sure your team is evolving with the threats.  

4. Find where cybersecurity affects flow: Are employees working around security measures in order to access business applications more easily? Have they created a shadow IT environment of unauthorized systems and solutions for their convenience? When used properly, cybersecurity can be an enabler of new business, protecting data in the cloud and allowing the company to take advantage of the cloud’s cost-saving agility and flexibility, for example. Finding ways to minimize the risk of human error, such as automating as many security processes as possible, can also help increase business efficiency.    

Trust and Security  

These best practices certainly add to the executive’s workload, but the effort pays off in spades. There are measurable business benefits for greater involvement in cybersecurity. If your network gets infected and your servers go down, that downtime will have a disastrous effect on your company’s bottom line, not to mention the sustained operational costs and damage to reputation.   

Your solutions, products and services must be perceived as trustworthy if your business is to survive. By leading from the top down, the C-suite can help ensure that the organization is protected appropriately while maintaining performance and ensuring that security measures do not disrupt operations in any way. Once the C-suite has established a security game plan for the organization and is confident that the team is performing on the right level, you can trust in your critical information flow and sleep better at night. 

Security from Top to Bottom 

No one has forgotten the fallout from the unprecedented number and size of data breaches in the past few years – least of all shareholders and customers. C-level executives must understand that cybersecurity is a shared leadership responsibility, irrespective of job title. Working together and getting educated on organizational security measures will help to create and reinforce a culture of data safety that ends up safeguarding executive jobs as well. 

Chris Riley, President of U.S. Operations, SSH Communications Security  


Chris Riley
SSH’s Chris Riley has worked in IT and information security for more than 20 years. His experience in markets for identity assurance, data security, governance and risk management is extensive.