Cybersecurity is among risks under executives' and board members' fiduciary responsibility, says IT expert
When talking with business leaders about cybersecurity, we often hear responses like, “My IT guy takes care of that.”
While that may be true for things like the company firewall and other technical devices, the “IT guy” is not ultimately responsible for the company's cybersecurity.
Information security and privacy are an ever-increasing concern for business leaders. Boards, CEOs, CFOs, and other executives have fiduciary responsibility to manage business risk, which includes cybersecurity risk.
But when we tell executives it's their job, not the job of the IT guy, we often hear the question: “How am I, without a lot of technical skill, supposed to manage security?”
Unfortunately, there is no easy answer to this question. While executives don't need to go out and get computer science degrees, they do need to educate themselves about a few key issues.
First, business leaders need to establish company risk tolerance.
Executives must understand the cyber threat environment and determine what level of risk the company can tolerate. For a simple example, only upper management can determine if the company can survive having all computer systems down for a few days as a result of a ransomware attack. How about a few weeks?
Maybe your company would suffer grievously if systems were down for even a few hours? And it's not just the company's ability to perform normal business activities; leadership must also consider impact to reputation, losses to competitors, cash flow, etc.
The IT guy cannot answer these questions. Business leaders answer these questions, and IT staff then implement the appropriate level of controls.
Once the appetite for risk is established, executives must then allocate sufficient resources to implement controls to reduce risk to the acceptable levels established by leadership. This includes not only allocating funding for key security safeguards, but also providing sufficient personnel resources to manage these controls. Security systems like web filters, intrusion detection systems and malware protection systems don't manage themselves.
When considering the cost of information security systems, take into account the time required to manage them, including all the alerts, log entries, and ensuing research they demand (to determine whether or not there is a breach). There is no such thing as “set it and forget it” when it comes to cybersecurity systems. And don't forget that, just as leaders need training, so do the rest of the company's employees.
Similarly, leaders must open clear lines of communication about cybersecurity. Personnel with responsibility for security must be empowered to do the right thing. And they must be able to report directly to executive staff about issues, such as test results and incidents, without fear of reprisal. The threat landscape is daunting, and no IT guy (or entire IT team) can ensure an impenetrable computer system.
If IT personnel, or even ordinary employees, fear sanctions for allowing a breach, they will be less inclined to report an incident. Making sure there are open, reprisal-free communications about security issues is essential.
Business executives are also responsible for transferring risk, through strategies including outsourcing security operations to third-party vendors and cyber-liability insurance. Typical executive-level participation includes things like examining how much risk the vendor will actually take on, versus contracts devoid of actual assurances.
When it comes to transferring risk via insurance, leaders must scrutinize policies, and make sure there is clear delineation of what constitutes a covered breach, and what expenses the policy will cover. Additionally, business leaders must make sure cyber-liability applications are completed with candid answers; over-stating the company's cyber safeguards in order to get a lower premium will backfire when a claim is denied.
Ultimately, the most important thing a business leader can do to support cybersecurity is to lead by example. Culture trumps strategy every time, and it's up to leaders to establish a culture of cybersecurity. If the company's executives circumvent company security policy, why shouldn't rank-and-file employees also cut corners?
It's up to leadership to follow the policies and procedures that are in place, e.g. use strong passwords, don't use cleartext email for sensitive communications, follow remote access safeguards, etc. If leadership doesn't make cybersecurity part of the conversation, no one else will.
Lastly, executives need to thank employees, and customers, for putting up with the inconvenience of security controls and remind them that we're all in this together.