Here are six at-risk areas within the company that CEOs must ensure are appropriately protected.
Compliance often takes shape as an internal framework that establishes communications and measurement procedures to ensure enterprises continuously meet government mandates. Understanding this framework enables the CEO to spot areas that are out of compliance and to take the necessary steps for passing a regulatory audit. However, CEOs should not confuse compliance with cyber-protection or threat mitigation. While compliance advances industry and government collaboration, it is not a replacement for sound risk-based decision processes for cyber resilience.
2. Privacy and Regulation
Most governments (particularly across the European Union) have already created, or are in the process of creating, regulations that impose conditions on the safeguarding and use of personally identifiable information (PII), with severe penalties for organizations that fail to sufficiently protect it. As a result, organizations need to treat privacy as both a compliance and business risk issue, to reduce regulatory sanctions and commercial impacts such as reputational damage and loss of customers due to privacy breaches. Expect this to continue and develop further, imposing an overhead in regulatory management above and beyond the security function.
3. Reputational Damage
Attackers have become more organized, attacks have become more sophisticated, and all threats are more dangerous and pose more risks to an organization’s reputation. In addition, the trust dynamic that exists between suppliers, customers and partners is a target for cybercriminals and hacktivists. CEOs need to ensure their company is equipped to quickly deal with the reputational damage these attacks can cause. The faster you can respond to reputational attacks, the better your outcomes will be.
4. Risk Management
Over the past 2-3 years, we’ve seen cybercriminals increasingly collaborating, generating a degree of technical competency that caught many large organizations unaware. CEOs must prepare their companies for the unpredictable so they have the resilience to withstand unforeseen, high-impact events. Combined with these trends, under-investment in security departments can create the perfect threat storm. Organizations that identify what they rely on most will be well placed to quantify the business case to invest in resilience.
5. Supply Chain
CEOs should be concerned about how open their supply chains are to various risk factors and should direct their IT and operations leaders to close the most vulnerable spots in their supply chains now. The unfortunate reality of today’s complex global marketplace is that not every security compromise can be prevented beforehand. Being proactive now also means you and your suppliers will be better able to react quickly and intelligently when something does happen.
6. Shifting From Employee Awareness to Changing Behavior
Today’s CEOs often demand return on investment forecasts even for something as simple as training employees to better protect the technology they’re given and to keep company information private. While many organizations have compliance activities which fall under the general heading of ‘security awareness’, the real commercial driver should be risk, and how the proper behaviors can reduce that risk. Moving away from simple awareness toward behavior change that can be measured will help you better direct your CIO and answer board member questions.
ENTERPRISE RISK MANAGEMENT IS A FULL-TIME JOB
The stakes are higher than ever before. High-level corporate secrets and critical infrastructures are constantly under attack. CEOs must stay on top of important trends that have emerged or shifted in the past year, as well as those coming in the future.
Organizations of all sizes are operating in a progressively cyber-enabled world and traditional risk management isn’t agile enough to deal with the risks from activity in cyberspace. Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness that evaluates the threat vectors from a position of business acceptability and risk profiling.
CEOs must take the lead in these areas to ensure their organizations are prepared to deal with ever-emerging challenges.