Is Cybersecurity a Priority for Your Senior Executives?


You would think headlines about major data breaches on an almost daily basis would cause every senior executive to demand stricter cybersecurity measures. According to a new study conducted by MSI-ACI Europe, that’s not the case. More than six in 10 IT security professionals work with C-level executives who expect more lenient security measures for themselves. Not surprisingly, these expectations lead to more data breaches 65 percent of the time.

This mindset is completely backward. Instead of making decisions that increase security risks, executives should be pushing for stronger security. Cybersecurity has a direct impact on an organization’s bottom line and its reputation. In fact, one study from BAE Systems found that 85 percent of managers believe reputational damage is the top concern after a data breach.

Unfortunately, security is an executive blind spot. Many business leaders don’t know enough about their own company’s security protocols. Some find security to be inconvenient or a nuisance, or even weaken security through shortsighted cost cutting. Of course, they learn the hard way when they read news reports about their own data breaches and review financial reports that show heavy losses due to downtime, customer churn and bad publicity.

The fact is, cybersecurity is a responsibility shared by everyone across an organization. This should not only include the C-suite — it should start in the C-suite. The first step for senior executives is to learn and understand the organization’s security posture and risk. A security assessment conducted by an independent third party will highlight your strengths and expose your vulnerabilities, which should then be mapped to business risk. Depending on the level of risk, such an assessment should be scheduled annually, semiannually or even quarterly.

As important as these assessments are, senior executives need to do more than ensure they take place. To build a culture that prioritizes security, there should be real communication and collaboration between senior executives and IT. IT may be responsible for interpreting security assessments, but it’s up to senior executives to understand why this information is important and provide leadership when implementing new solutions.

Also, make sure the IT manager is involved in new business initiatives. Too many organizations add tools and services and make security an afterthought instead of a priority. Security should be baked in from the start. In a worst-case scenario, what’s your incident response plan? How long will it take to restore critical data and systems? Do you have cyber liability insurance? Work proactively to prevent security incidents instead of reacting to them and dealing with collateral damage.

Senior executives and IT should then work together to create and/or enhance training programs to ensure employees know that security is everyone’s responsibility at every level of the organization. Most training doesn’t happen frequently enough and isn’t updated frequently enough to account for new security threats. Your training program should serve as validation of how seriously your leaders and your organization take security.

Verteks can help you create and implement a strategy that fortifies your defenses and engrains security in your organizational culture. Let us get the ball rolling with a cybersecurity assessment and determine what steps need to be taken to protect your data and systems.

