The cybersecurity buck stops in the C-suite
President Harry S. Truman intentionally reminded himself of the scope of his office’s mandate with a nameplate on his desk reading, “The buck stops here.” Modern corporate executives have been slower to learn that lesson, especially when it comes to cybersecurity risk. However, input from boards and government agencies is increasingly pushing cyber risk from the domain of IT departments squarely into the C-suite. I was recently asked by the Board of a large utility to brief them on my perceptions of cyber threats in the operational environment.
We recently saw how security failures at Drizly drew the attention of the Federal Trade Commission, which then pointedly took enforcement action against the company and directly against its CEO. The director of the FTC’s Bureau of Consumer Protection, Samuel Levine, left no doubt about how boards and executives ought to interpret the action. “CEOs who take shortcuts on security should take note,” he said.
That announcement is likely to be less of a wakeup call and more of an accelerant for a trend toward cyber mandates already in motion. According to Gartner, 88% of corporate boards now view cyber threats as business threats, rather than technical issues. By 2026, Gartner believes at least half of C-suite executives will have cybersecurity risk requirements built into their contracts. Here are three actions executives can take now to ensure the buck stops with them.
1. Dive into the details
First, executives should get educated on the prevailing standards and high-priority threats in their industry. In other words, they need to get a clear understanding of their current risk from their chief information officer or chief technology officer. This starts with learning what information is at risk: What digital data does the company collect? How is it stored? How is it protected?
It's also important to understand what sorts of events a company needs to protect itself against. At the moment, ransomware is at the top of the list across businesses and governments, because it’s prevalent and has a large financial impact on companies it affects.
Most crucially, executives need to understand that this education in cybersecurity can’t be a one-hour crash course. It must be an ongoing learning process that helps them analyze, evaluate and respond to risks as those risks continue to develop and evolve. I recommend CIOs brief their board on which risks they cover and also which ones they don’t, given their budget.
2. Raise your standards and get the board on board
Executives aren’t the only corporate actors who need to be up to speed on cybersecurity risk. Business leaders need to ensure their board receives an education as well. Communicating the relevant standards gives board members clear benchmarks against which to evaluate cybersecurity strategies, but they also need enough background knowledge to decipher those communications effectively.
For example, government agencies are required to follow the cybersecurity framework developed by the National Institute of Standards and Technology (NIST). Those standards are voluntary for private companies, but if an organization decides to deviate from them, it should have a clear reason for doing so and should make sure the board understands the implications of that decision. Similarly, if your company follows privacy rules like the European Union’s General Data Protection Regulation, you want the board and executives informed about, and aligned on, the controls that compliance requires.
3. Don’t just get on top of cybersecurity, stay on top
Since cyberthreats are always evolving, the organizations responding to those threats must evolve along with them. As a result, cybersecurity is not the sort of line item where a company can set a budget in Q4 and expect to stay precisely within its bounds in the year ahead. At the same time, an extra expenditure in the current procurement cycle to upgrade endpoint devices like computers and printers, so that they are better able to keep pace with evolving threats, could pay for itself. C-suite leaders need to be prepared not only to make such investments, but to prioritize them.
The biggest takeaway here is that the education executives receive about the threat environment and the organization’s relative risk always has an expiration date. Therefore, regular counsel from experts both inside and outside the company is needed to keep executives and their organizations current on evolving risks. This way, leaders at the top can help identify and mitigate threats as they are happening and before they grow large enough to threaten the business and its C-suite.
Business Consultant (2 years ago): Great discussion, but where is the threat? China, Russia, hackers?
Innovative Technology Executive and Business Leader; Subject Matter Expert and Advisor on Emerging Technologies, Patents and IP (2 years ago): This is an excellent summary, and a great call to action. I will use this in our organization. Thank you, Tommy, for yet another great piece!
Nothing is impossible if you really go for it (2 years ago): These discussions belong on every level, from the lowly techs up to the top, and not only at the top, as the top usually doesn't fully understand the risks and dangers. The C's usually won't see all of the risks around the company until the tech shoots them up the corporate ladder.