Cybersecurity is a problem that every level in an organization faces, one that goes well beyond the purview of a Chief Security Officer. Leadership and all members of the executive management team must be committed, and that commitment must radiate throughout every level of every department.
A laissez-faire attitude toward cybersecurity is like a bad stomach bug – it only takes one person to infect the masses, then everyone suffers. If a cybersecurity program isn’t supported by operations, production, finance, sales, marketing and IT, your company will be left vulnerable to bugs and plagues that will eat away at your profits and reputation. In addition, the safety of the public may be at risk, and for those in the government, your mission will falter, and your citizens will not be served.
We’ve seen what happens to enterprises that lack commitment at the top. Yahoo’s request that customers change passwords after a recently discovered breach was not accompanied by an aggressive and mandatory program to enforce better cybersecurity. Reports that hundreds of millions of accounts may have been compromised have shaken confidence in Yahoo’s core business. The Office of Personnel Management (OPM) of the United States Government has seen the compromise of millions of sensitive personnel records of government employees and applicants. These events signal enterprise-level failures, the consequences of which may endure.
Enterprise failures such as those at Yahoo and OPM are preventable. Top leadership is in a role to do what no one else can do: communicate the importance of cybersecurity throughout the organization. Leaders must pay attention to cybersecurity issues. They must be visible and vocal, and they must demonstrate knowledge of policy and regulatory requirements that impinge on their business.
CEOs and other C-suite executives know that Sarbanes-Oxley requires the presence of effective accounting controls. These same executives must take responsibility for putting in place the controls required for effective cybersecurity. Anything less is inexcusable.
But does this happen? When the Office of Personnel Management suffered two breaches last year, the former director told Congress that no one was individually responsible except for the perpetrators. If top leadership isn’t responsible for putting programs in place, for managing the people who do, or for requesting performance data on cybersecurity, who is? Top leadership is in a role to ask questions and to communicate the vision and value of a company. These are the things only leadership can do. That’s why they are leaders. Leaders are responsible individually and collectively for what their enterprises do and don’t do.
How to instill responsibility in everyone
Everyone in the organization needs to know their role in protecting the company’s intellectual property, its mission, customers, employees, and the public. They must be competent at execution in times of crisis and before disaster strikes. Regular communications about cybersecurity policies and procedures are required to align with and support the enterprise cybersecurity program and its execution.
When leaders spell out the corporate priorities, they should discuss the value of information and intellectual property to the enterprise and the need to safeguard it.
Business unit managers, team leaders and supervisors need to be explicitly accountable for the secure operation of their units within the organization. They should also regularly discuss best practices with their teams.
Employees should see and read daily reports on cybersecurity best practices. They should have immediate access to information via corporate networks and other materials. Regular cybersecurity training should be mandatory.
Stay ahead of potential crises
A well-defined strategy leads to more effective communications around the enterprise-wide cybersecurity program. Leaders should ask the right questions and consider options that help define a cybersecurity strategy. They need to take an active interest in identifying and managing potential gaps that typically hinder organizations, including:
- Integration plans driven by acquisitions should address cybersecurity – Leaders should ask what new cybersecurity threats and vulnerabilities are inherited from an acquisition.
- Keep cybersecurity managers during economic or corporate downturns – Companies that drastically reduce the number of people who oversee cybersecurity as a result of a downturn may create more security problems and potential costs than if they kept a robust team in place.
- Take ongoing inventory of technology assets – This is particularly important as companies grow and change. Leaders need to know what information is vulnerable, and they need to maintain important records, such as who has administrative privileges to important files and systems.
- Plan for breaches of social media platforms – Social platforms represent significant problems as they are a common vehicle for spreading malware. Cybersecurity managers should know what teams use social media and put in place policies to prevent malware from infecting these platforms.
- Know what information is at risk for ransomware – Leaders should keep an inventory of information that is valuable enough to be a likely target for ransomware and have a plan in place to handle scenarios should they occur.
- Have a good communications plan in place – If a breach occurs, employees, shareholders, regulators, customers, suppliers, and partners need to know what’s going on, what leaders are doing about it, and their ongoing commitment to resolving the situation and preventing similar incidents. A thoughtful communications plan must be driven by what leadership needs to convey to its constituents, delivered in an unhurried, thoughtful, and effective way. Use that level of communication before a breach is detected to build stakeholder commitment throughout the enterprise.
A commitment to cybersecurity has to be institutionalized. Cybercrime is more organized and sophisticated than ever before. Leaders must be mindful in their approach to planning and communication, and outline with great clarity ownership and responsibility to all.
This article is published as part of the IDG Contributor Network.