A CEO’s Guide to Effective Security Compliance

A main concern for CEOs is whether business is running smoothly. But while sales and operations are top of mind, the security of the company needs the same awareness and care.

While juggling many business functions, CEOs simply don’t have the time to worry about small intricacies. Yet new threats such as ransomware make security a more pressing concern for enterprises than ever before.

With security experts in place, the IT staff must be trusted to keep the infrastructure operating without data breaches. Without getting into the weeds, CEOs should know the company’s security processes and how to keep the business running without being breached. Here’s how CEOs can keep tabs on their security landscape without being entrenched in every time-consuming detail.

1. Train individuals for cybersecurity. Cybersecurity awareness training should be at the top of the agenda. Security awareness training is one of the most effective ways of reducing a company’s exposure to cybersecurity threats, and it improves both threat detection and incident response at the same time.

It is highly recommended that training start at the top of the organization and work down. CEOs should appoint a cybersecurity ambassador within each department to assist in the detection and incident response for potential cybersecurity threats and risks. This helps expand the efficiency of any IT security team, while ensuring there is someone in the organization who is accountable for implementing and maintaining cybersecurity measures.

2. Encourage separate passwords. As we get older, it becomes increasingly harder to remember which of our two or three go-to passwords we used for a given login. Most likely, we reuse our personal passwords as our work passwords. And when a very complex password is required, many employees resort to writing it down because it is hard to remember. This creates a potential external threat that companies should continuously assess.

In an advanced threat, an attacker will spend a large amount of time researching a list of potential targets and gathering information about the organization’s structure, clients, etc. Employees’ social media activity will be monitored to learn which systems and forums they favor, and any technology vulnerabilities will be assessed. Once a weakness is found, the attacker’s next step is to breach the cyber perimeter—the basic security most companies adopt—and gain access, which, for most attackers, is easily done. To avoid such an impact on the business, CEOs should ask the CIO to implement a company-wide password change every so often and to provide suitable training for employees on best practices for password choice.

3. Have a small access circle. A CEO needs to implement the concept of “least privilege.” Least privilege means that an employee is granted access only to the resources and applications they require to do their work, and therefore does not hold elevated privileges that could result in a cyber catastrophe. Take a quick inventory of who has access to what, and redistribute access rights if needed.

Companies need to invest more to detect when employees inside the secured perimeter are potentially engaging in malicious activities and to reduce the breach “dwell time.” On average it takes 205 days before an attack is detected, a period in which the attacker has gained access, avoided detection, taken information and left without a trace.

4. Be deceptive and unpredictable. Predictable security procedures can make the company vulnerable. Establish a mindset among your staff in which systems are updated and assessed on an ad hoc basis. Most organizations look to automation to assist in their cybersecurity defenses, but for many this leads to predictability.

Scans are run at the same time every week, patches are applied once per month and assessments are made once per quarter (or even once per year). As the CEO, stay one step ahead of the hackers and randomize your security activity. This will improve the company’s ability to detect active and potential cyber attacks and breaches.

About Joe Carson

Joe Carson is a cybersecurity professional with 20+ years’ experience in enterprise security & infrastructure. Joseph is a Certified Information Systems Security Professional (CISSP). An active member of the cybersecurity community, Joe is a Director at Thycotic.