Headlines and horror stories establish that cybersecurity and data privacy must be top priorities for industry and government. Yet too many organizations remain in reactive mode rather than taking sufficient proactive steps to prioritize cybersecurity and prepare for security incidents. Companies increasingly are judged by clients, customers and the public, as well as by regulators and civil litigants, on how well they respond to cyber attacks. An effective response requires thoughtful, swift and sensible action to ensure the incident is detected, contained, mitigated and, when relevant, properly disclosed. To ensure success, leadership should consider cybersecurity risk and strategies holistically, throughout the entire organization, and prioritize core concerns. It is critical that the executive leadership team and board are sufficiently knowledgeable, and appropriately engaged, in cyber risk management as part of an enterprise-wide strategy.
I was delighted to present at the Executive Alliance Security Leaders Summit in New York City this month. The audience was a knowledgeable, highly engaged group of senior cybersecurity professionals, predominantly from large enterprises. Speaking on Cybersecurity and Privacy Challenges: Beyond the Headlines, I discussed nuances, challenges and trends regarding cybersecurity and privacy, as well as best practices and solutions for developing a strong cybersecurity awareness and approach within an organization. Executive Alliance conducted audience polling during the day, which provided interesting insights regarding key challenges.
Notably, 64 percent of audience respondents who had direct board interaction did not think their board asked challenging or informed questions; instead, respondents said the board was focused on just staying out of the cybersecurity horror-headlines…or was not focused on cybersecurity at all. Also, 40 percent of respondents identified “dysfunction” and a lack of cooperation among groups as a key challenge to improving cybersecurity at their organization, while another 40 percent of respondents identified insufficient budgets to address risk as a key challenge.
To address these issues, it is essential that we diligently train and inform executive leadership teams and boards regarding cybersecurity risks before incidents occur. This is important to help prevent attacks by building greater awareness and understanding that support stronger cybersecurity programs and protocols. These discussions also help to support and justify requests for sufficient resources to address cybersecurity and privacy challenges, grounded in an understanding of the organization’s risk. Moreover, having the executive leadership team itself participate in proactive cybersecurity training helps bring cybersecurity to the forefront of board, budgeting, resource allocation and risk management discussions. Expert briefings, updates and exercises, including risk discussions, tabletop exercises, and training on key risks such as phishing and business email compromise, should include senior levels of the organization. These are key ways to help build awareness, encourage deeper questions and involvement by management, and support more effective oversight by the board. Also, engaging business leaders in cybersecurity governance will help them to spring into action faster, and more effectively, when a crisis hits.
Proactive cybersecurity and privacy governance discussions, projects and exercises at the executive leadership team level can help to address organizational dysfunction and improve coordination among enterprise stakeholders. Sometimes, these efforts are vastly improved with the aid of an experienced external advisor who can help guide communication and productive interaction across organizational silos, and help stakeholders navigate potentially competing budget, time and resource priorities. Ensuring the right decision makers within the organization are in communication and understand each other’s roles and priorities is critically important.
Effectively addressing cybersecurity and privacy challenges requires an interdisciplinary approach that brings together many parts of the organization, including, for example, technology, security, legal, regulatory, privacy, compliance, human resources and communications. Having an engaged executive leadership team and a sufficiently aware board is essential to properly addressing critical risks related to cybersecurity and privacy. The time to prepare is now.