The C-Suite Gets Serious About Security
By Guest Author | Posted 02-22-2016
By Steve Durbin
There’s a long train of alphabet sets running along the top of most enterprises these days, and we keep hitching up new C-cars. The rapid advance of cloud technology, data analytics and cyber-crime has prompted wider adoption of roles such as the Chief Security Officer (CSO), Chief Information Security Officer (CISO) and Chief Digital Officer (CDO).
As we add more moving parts to the enterprise, there’s certainly more high-level strategy and decision-making to be done. But more cooks in the kitchen create confusion and inefficiencies when roles are not clearly defined, or collaboration is lackluster. When it comes to cyber-security, it’s more important than ever for the core executives—especially those not directly involved with deploying security programs—to participate and contribute in defined, strategic ways.
The roles of the CEO, CFO, CIO and CMO have undergone significant transformation over the last 10 years or so. Public scrutiny of business leaders is at an all-time high, in part due to massive hacks and data breaches. It’s become increasingly clear in the last two years that in the event of a breach, the hacked organization (ostensibly among the victims of the crime) will be blamed and held accountable. That means everyone in the C-suite is potentially on the chopping block.
There’s nothing like the threat of a public pillory to make executives pay more attention to the security measures protecting their organization’s assets, data, employees and customers. That’s actually good news. Awareness and engagement are finally expanding to meet the threats, but building a solid line of defense requires ongoing, strategic collaboration.
Covering all the bases—defense, risk management, prevention, detection, remediation, and incident response—is better achieved when leaders contribute from their expertise and use their unique vantage point to help set priorities and keep security efforts aligned with business objectives.
The CEO sits at the center of the storm. They are most in the spotlight and being pulled in every imaginable direction. They face an influx of new regulations and risk factors related to the IT infrastructure and services that fuel modern enterprise. These challenges can only be addressed through collaborative teamwork. Building a robust, encompassing cyber-security program requires strong leadership from the CEO and a willingness to coordinate with the board and other executives to bridge traditional silos and redefine roles. By keeping security programs aligned with strategic business objectives, CEOs can help their organizations develop competitive advantage and dive into emerging opportunities with confidence.
The CEO must actively solicit and distill security-related concerns, opinions and contributions from multiple stakeholders in order to maintain an accurate, big-picture understanding of their organization’s security preparedness. It’s important to make sure your team thinks of security breaches in terms of “when”, not “if”—cyber-attacks are so numerous and sophisticated, it is folly to think they can be entirely avoided.
The faster you can respond to a breach, the better your outcomes will be. Credibility is bolstered by evidence of regular, concerted effort across the enterprise. To be ready with a quick and effective incident response, you must intentionally build resilience through security analysis, training, planning, and testing across the enterprise. The CEO is tasked with leading the way by emphasizing the importance of ongoing communication and collaboration. Championing a culture of security awareness throughout the organization and supply chain strengthens your defenses; “insider threats” are still the most common attack vector.
While CFOs have not always been intimately involved in security measures, this is changing rapidly. Cyber-criminals attack financial systems directly and indirectly, and data breaches of all kinds impact an organization’s bottom line. CFOs are also concerned with loss of funds through theft, waste and supply chain issues, all of which can originate or proliferate in the cyber-realm.
Every part of a CFO’s role, from internal operations to investor relations, involves highly sensitive data that must be controlled and protected. To fulfill their fiduciary duties, CFOs must cultivate a thorough understanding of where this vital information is, who might want to steal it, and how they might gain access to it. Their responsibilities include disclosing to the board the potential impact of a cyber-attack. This includes integrating security risks into the larger decision-making processes around investments, procurement and partnerships. More specifically, analyzing the feasibility and cost-effectiveness of cyber-insurance and security solutions also falls in the CFO’s area of expertise. Finally, CFOs should be intimately involved in crafting and rehearsing the portion of the organization’s incident response plan that involves communicating with shareholders, partners, suppliers, and customers.
CFOs have always played an important role in advocating for and pursuing critical investments that promote long-term business growth. Given the risks inherent in a technology-driven, global enterprise, CFOs today must focus on cyber-security as a primary method of protecting reputation, stock price, financial resources and sensitive information.
Traditionally, the CIO role is most closely connected to cyber-security responsibilities. As such, CIOs may have the most to gain from a broader, more collaborative approach. A united front that recruits champions from across the organization is stronger than a thin, overwhelmed line of defense made up of only IT team members.
CIOs have a new directive: they must excel at calm, clear communication with all stakeholders in order to obtain better funding and support for security initiatives. They have to speak the language of business and risk in order to convince board members and other leaders of the crucial link between IT enablement and risk management. Boards want regularly updated metrics and assessments they can compare over time, as well as a way to form these into an accurate, holistic picture of information technology risk.
Maintaining an effective, working balance between technology benefits, security controls and risk management is at the heart of the CIO’s mandate. By aligning their efforts with strategic business objectives, CIOs will partner more closely with their colleagues in the C-suite to shape business decisions, competitive strategy and sustainable innovation.
The CMO’s role vis-à-vis cyber-security has seen the most change in recent years. The CMO oversees a digital realm that is more closely tied to the customer than ever before. The intelligent connections made possible by mobile marketing, social media, ad tech and big data have prompted a meteoric rise in the amount of consumer data that is gathered and analyzed for marketing and sales purposes. Part of managing this data, much of which falls under privacy regulations, is securing it against theft and abuse. After all, cyber-criminals are just as interested in that data as you are. Data-driven marketing depends on customer trust, and repeated headlines about spectacular (and often avoidable) breaches are eroding that trust.
CMOs are responsible for brand management, and all too frequently, we see brands and customer relationships damaged in the aftermath of an attack. In the event of a breach, CMOs will find themselves front and center, so they should make sure they are part of the incident response and data security planning. One of the big lessons learned from recent incidents is that financial and reputational damage will be amplified or mitigated depending on how quickly, credibly, and efficiently the enterprise responds.
Going beyond incident response, CMOs drive digital-based growth. The board and executive team rely on them to proficiently lead brand, product, and innovation efforts to competitive advantage, without coming into conflict with data privacy legislation. It’s the CMO’s job to make sure the brand stands out—but for all the right reasons.
The Big Picture
The executive team sitting at the top of an organization has the clearest, broadest “big picture” view. A serious, shared commitment to common values and strategies is at the heart of a good working relationship between the C-suite and the board. Without sincere, ongoing collaboration, complex challenges like cyber-security will be unmanageable.
Given the rapid pace of business and technology, and the myriad elements beyond the C-suite’s control, traditional risk management simply isn’t agile enough to deal with the perils of cyberspace activity. Enterprise risk management must build on a foundation of preparedness to create risk resilience by evaluating threat vectors from a position of business acceptability and risk profiling. Leading the enterprise to a position of readiness, resilience and responsiveness is the surest way to secure assets and protect people.
Successful cyber-security programs require careful planning and sustained effort throughout the enterprise, with executives leading the charge and flying the banner high. Organizations that sow and fertilize a deeply rooted culture of security are most likely to be resilient and competitive in the face of ongoing threats and challenges. As the players, targets and stakes shift in response to geopolitical and financial forces, leadership must remain vigilant—keeping up on trends and emerging threats, drawing lessons from incidents at other companies, reassessing plans and priorities and collaborating closely with security experts.
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.