This is the third in our series of C-level officer (presidents, owners, and board members) cybersecurity perspectives.
We recently conducted a survey of CEOs. Our survey found 67% of CEOs are very concerned about cybersecurity. However, only 22% have some degree of confidence their real costs of a cyber breach would be covered by their insurance. A simple radar graph of survey findings indicates a very common cybersecurity profile for CEOs. As a group they are “concerned” (33%) or “very concerned” (67%) about cybersecurity. However, the survey revealed their confidence in preparedness to handle a breach is significantly lower, with 44% either disagreeing or strongly disagreeing with being prepared. CEOs can take some comfort in realizing their company is “about average”. Average isn’t good enough, though. Recent breach events are telling us government and society in general hold company executives to a higher standard.
The trends also tell us there is both a growing awareness of cybersecurity and an increasing rate of exposure to cyber breaches. Ransomware demands have increased from tens to hundreds of thousands of dollars. Because nation states and organized crime syndicates are involved in multiple breaches, we must understand that even the loss of only limited data from your organization can be combined with data from others to build vast repositories of knowledge. These groups are using those repositories to steal identities, rob bank accounts, and expose corporations to huge recovery and remediation efforts. Under these changing circumstances, when damage to individuals, governments, and enterprises happens, how blame will be assigned is a total unknown, but there are some predictable targets.
CEOs will ultimately be held accountable for their enterprise cybersecurity effectiveness. And based on the public expectation of “it is not how hard you try, but how well you meet the standards for your industry and company profile”, CEOs are advised to act now. You are not alone in having inadequate cybersecurity protection, and your situation is typical. But, under the heightened awareness of the damage cybersecurity breaches are causing across our society and economy, it is highly recommended CEOs become more proactive. Protecting all stakeholders from cyber breaches should be one of the top three priorities for CEOs in 2018.
Again, we compare cybersecurity management responsibility to financial management responsibility. Virtually every company knows it is critical to have an outside professional service involved in their financial management. This can range from a bookkeeper service to an engagement with firms to perform reviews, audits, and provide expert advice. CEOs should use this proven model in their approach to cybersecurity. Engaging an outside cybersecurity resource is becoming a business necessity. The rationale is like that for an independent audit firm: put simply, it provides an objective viewpoint not tainted by internal politics that attempt to make something look better than it is. One model emerging as a preferred solution in this area is to engage a firm with experienced executive cybersecurity leadership to manage your internal cybersecurity program. Furthermore, in cybersecurity it is insufficient to only review history; cybersecurity must be forward looking. Assessments alone are, therefore, insufficient.
In our research, we found CEOs to be receptive to the model; however, their top-of-mind awareness of the available resources is limited. The financial justification is compelling. With a strong cybersecurity program, many enterprises are finding lower-cost cyber business insurance rates. A strong cybersecurity defense program can protect against damaging security breaches whose remediation cost would far exceed the investment in an effective cybersecurity defense program. Additional benefits may include IT infrastructure and system performance improvements that reduce your IT operating costs.
CEOs and board members can meet government, client, and consumer expectations by following the emerging supplemental leadership engagement model. One firm that can provide executive level leadership to your organization’s IT and cybersecurity is Fortium Partners.
Next in the series:
- Cybersecurity from the Chief Financial Officer (CFO) perspective
- Cybersecurity from the Chief Operating Officer (COO) perspective
- Cybersecurity from the Chief Marketing Officer (CMO) perspective
- Cybersecurity from the Chief Sales Officer (CSO) perspective
Authors: Mike Bestul and Paul Lucking