How CEOs can be proactive in cybersecurity
There’s a worrying disconnect between the real risks of cybercrime or data breaches and most organizations’ ability to prevent or respond to and recover from such attacks.
Although nearly 40% of the manufacturing companies surveyed for a Deloitte/MAPI report suffered a cyberattack over a one-year period, half of them also said they are inadequately protected. And such discrepancies between reality and preparedness are not limited to the manufacturing sector alone.
Robust cybersecurity is an intangible asset — the money saved from avoiding an attack doesn’t reflect directly in your profit and loss statements. Too often, cybersecurity is relegated to the sidelines because its benefits are difficult to measure, the company executives may not understand the issues or worse, think an attack can’t happen to them.
Cybersecurity is one aspect of business where you can’t afford indifference or complacency. Here are four ways CEOs can foster a proactive rather than a reactive approach to cybersecurity.
Create a company-wide culture of security
It might be more convenient to shove cybersecurity responsibilities over to IT, but cybersecurity is a business issue.
Sure, cybersecurity often involves technical solutions and IT is involved, but things like determining cybersecurity risks (and related legal and regulatory implications) of various product and service offerings, deciding what types of data an organization will collect and maintain – and how long to maintain it — as well as methods of interaction with customers and suppliers, are all business decisions. It’s important to make sure cybersecurity is a part of your culture so those responsible making those business decisions understand and evaluate the cyber risks of those decisions.
Security awareness is another key contributor to a strong cybersecurity culture. Institute frequent training about the latest strategies to keep company data safe. Insist that all associates practice good password hygiene — and explain why. Sharing the reasons for your safety protocols and reviewing them frequently with all associates will improve buy-in instead of taking a rigid top-down approach.
Specify cybersecurity responsibilities
If you have room, hire a chief information security officer (CISO) as part of your management team. Even if you don’t recruit one, start by recognizing that cybersecurity and IT are not one and the same, but they perform a delicate dance together. You need to bring all players to the table, understand and validate their concerns and draft a cybersecurity strategy that everyone can support.
Your CISO should help assess your cybersecurity risks and define and implement relevant cybersecurity controls throughout the organization. Additionally, this role needs to be responsible for reporting cybersecurity issues and risks to top level executives and any board committees overseeing governance of your organization.
Develop measurable KPIs
You won’t be able to understand how effective your cybersecurity practices are without measuring performance. You’ll need to make sure those responsible for cybersecurity are not only tracking basic activities, but also measuring performance and determine whether the organization is achieving it’s intended cybersecurity outcomes.
For example, tracking how many cybersecurity incidents occurred within the month is interesting, but it doesn’t tell you if your team is doing a good job. A good key performance indicator would look at the time it took for the team to resolve an incident once it was detected, and whether that interval was within expectation. Now over the course of a month, what percentage of those responses were resolved within expectation? This type of reporting will give you a more accurate window into how and where to funnel resources.
Develop an ongoing strategy
Since all companies are dipping into the cybersecurity talent pool, there’s a severe shortage of trained professionals. An estimated 3.5 million jobs in the field will remain unfilled by 2021. So, if you’re unable to recruit help directly, consider outsourcing all or part of your cybersecurity management function.
You can engage a “virtual CISO” to gain access to cybersecurity executive leadership on a part time basis. Or you could engage a managed detection and response (MDR) service provider to monitor your environment, detect suspicious activity, as well as managed the response to a cybersecurity incident. These experienced professionals efficiently complement your in-house talent. Equally important: Because MDR services focus exclusively on threat detection and response, they’ve likely seen similar attacks elsewhere, therefore MDR teams typically recognize and thwart breaches faster than in-house staff.
Cybersecurity is not a fix-it-and-forget-it recipe where what you prepare once will still be good tomorrow. Technology is constantly evolving and cybercriminals are sophisticated and persistent, so you need to continually monitor your risks and adjust your safeguards as needed. It’s a great practice to hire an independent set of eyes to test your defenses annually or after you’ve made major technology changes.
How Wipfli can help
Weaving cybersecurity into the very DNA of your company will set a strong foundation for a proactive instead of a reactive approach. Given the steep costs of a data breach — $8 million on average per incident — you simply cannot afford to leave cybersecurity to chance.
Learn more about our cybersecurity services on our web page or watch our Cybersecurity for Business Leaders webcast.