Integrating Cyber Security And Corporate Culture Starts With The CISO And C-Suite.

cybersecurity-corporate-cisoCaption: Oops. In the 3 seconds a sequence of events will start that, in two months time, could cost your business $250 million.

The C-Suite is being pulled in two directions. On the one hand, they know that the primary way to increase shareholder value is innovation. And technology is the key enabler for innovation. But technology also carries the highest risk. A cyber security failure can destroy a company’s reputation and value.

In a Harvard Review article ‘Cybersecurity Is Every Executive’s Job’ (link below), the authors quote a BAE cybersecurity survey of 300 US managers where 85% said that reputational damage was their #1 concern of a data breach, and 74% stating legal liability as their #2 risk.

Of course the direct costs hardly need highlighting. Target hack = $250m. Bangladesh bank = $100m. A global hacking cost for businesses of $2.1 trillion annually by 2019, according to Juniper Research.

But the worst aspect of cybersecurity for the C-Suite is that the problem is so hard to define. Company directors are used to assessing tangible, known key risk indicators. Yet in the same Harvard Review article, some 40% of C-level executives admitted they did not have a clear understand of the cybersecurity protocols within their own business.

What’s the first step to a solution? For many boards it’s elevating the role of the CISO and understanding their KRIs …

Why the CISO should be a board level appointment.

SecludIT CEO Sergio Loureiro says that a problem for CISOs at board level is that their success metrics are so nebulous. “For executives in charge of functions like sales, finance and IT, positive results can be measured. For example, sales have gone up by X%, EBITDA has increased by Y%, or system availability has risen by Z%. But for CISOs, their success is measured in terms of the absence of anything bad happening. That not-negative metric is counter-intuitive for many management teams. There is always the lingering doubt that ‘maybe nothing bad would have happened anyway'”.

In a blog post titled ‘How CISOs can work with the C-suite to define the cybersecurity risk level’, Help Net Security (link below) write that a CISO needs to develop a tailored cybersecurity policy for each function within the business. For example, the finance functions wants to avoid litigation and losses, and the IT team wants maximize uptime from their IT resources.

To quote HelpNetSecurity: “Each organization’s cybersecurity strategy needs to be holistic. The CISO plays a pivotal role in driving the security of the enterprise, but it is only with a combined commitment and support from all C-Suite partners can the organization truly reach a risk tolerance that all parties are comfortable with.”

SecludIT’s founder continues: “Inter-departmental co-operation is key to the success of a holistic cybersecurity strategy. The C-Suite needs to agree that corporate cybersecurity needs take precedence over individual departmental considerations.”

Co-operation between C-Suite functions.

In a 2016 blog post titled ‘The View From the Top: C-Suite Insights on Cybersecurity‘, Security Intelligence (link below) reported on a study by IBM.

The study – “Cybersecurity Perspectives From the Boardroom and C-Suite” – asked 700 C-suite executives from 28 countries and 18 industries a range of questions about IT security.

An interesting finding of the IBM cybersecurity study was that a lack of collaboration can make the work of hackers easier. Departments within an organization – either because of lack of awareness, rivalry, or corporate structure and distribution – might not share information and resources with other departments.

And two thirds of CEOs interviewed said they are reluctant to share information about their cybersecurity, or about successful intrusions, outside the company.

Contrast that with the hacking community who regularly share details about vulnerabilities on the ‘dark net’. In fact lone wolf hackers might stumble upon a vulnerability when probing a company … and then share the information with better resourced teams who are better able to exploit the weakness.

The takeaway is that the CISO needs to be in a position to create a pan-business strategy and culture for combating hackers and unauthorized intrusions.

And of course addressing the starting point for addressing the problem is understanding where the risks are in the first place …

Equally concerning is the fact that internal, cross-functional collaboration is weak, particularly among the three specific C-suite roles — chief human resources officer (CHRO), chief marketing officer (CMO) and chief financial officer (CFO) — that have stewardship of the most coveted data sought by cybercriminals (employee, customer and financial information, respectively). These three executives are also the least confident that their organization’s cybersecurity plans are well-thought-out and well-executed.

Security Intelligence.
IBM CyberSecurity report review.

 

Arrange a cybersecurity Key Risk Indicator audit for your C-Suite.

At SecludIT we’ve launched an automated network scan which dives deep into the network and produces a Cybersecurity Key Risk Indicator report for the CISO and the C-Suite.

This popular scan probes the network for over 60,000 vulnerabilities and, in addition to a the C-suite report, also gives a prioritized fix list – with remediation tips – for the IT team. The KRI report is based on the standards defined by three IT security bodies:

1. OWASP – Global security standards.
2. ANSSI – Secure trading in Europe.
3. PCI-DSS – eCommerce payments standards.

Our technical team will help you run a KRI scan on your cloud, physical or hybrid network. SecludIT’s ‘Elastic Detector’ has safely performed millions of scans for companies around the world. Our technology is low-overhead, so causes no user disruption and has no impact on network responsiveness or features. You will see the first actionable results in a morning.

 

 

More reading about cybersecurity, CISO and the C-Suite.

SecludIT blog.
Cyber Security Key Risk Indicators. An Automated Report For The C-Suite.
https://secludit.com/en/blog/cyber-security-key-risk-indicators-automated/

Harvard Business Review.
Cybersecurity Is Every Executive’s Job.
http://ht.ly/PJIT504s9Qk

HelpNetSecurity.
How CISOs can work with the C-suite to define the cybersecurity risk level.
https://www.helpnetsecurity.com/2016/06/30/ciso-define-cybersecurity-risk-level/

Security Intelligence.
The View From the Top: C-Suite Insights on Cybersecurity.
https://securityintelligence.com/the-view-from-the-top-c-suite-insights-on-cybersecurity/

IBM Survey request.
Cybersecurity perspectives from the boardroom and C-suite.
https://www-01.ibm.com/marketing/iwm/dre/signup?source=mrs-form-2986&S_PKG=ov43890&ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US

Leave a Reply