“Securing the C-suite,” a 2016 report from IBM, notes that while 65% of C-suite members are confident the organization has solid cybersecurity plans, CEOs had the lowest level of confidence with only 51% sharing that view.
A three-part series at Security Intelligence says “all eyes are on the CEO” and that while it could be tempting for a CEO to leave warning signs to other parties, “doing so would signal to the rest of the C-suite that cybersecurity isn’t much of a concern.”
Many CEOs may be complacent about cybersecurity. A study by KPMG revealed that only one in five CEOs says IT security is their top concern and, of those, only half had appointed a cybersecurity executive or team. “If there’s a disconnect, the CEO must send a clear signal that all parties are to work out their differences—or in some cases their indifference—to own up to their responsibilities and help lead the organization toward a healthier cybersecurity posture,” according to Security Intelligence.
The IBM report said the most important recommendations were engagement and collaboration among members of the C-suite. CHROs must address the need for ongoing security awareness and anti-social engineering efforts. They must also protect employees’ personal information and enforce cybersecurity training. CMOs should be concerned about big data and keep the CIO or CISO in the loop.
CEOs also need to ensure the appropriate leaders are overseeing security. HealthcareITNews.com reported that running IT security under a CFO or chief administrative officer can be “problematic” because they typically lack a background in technology. Mansur Hasib, a cybersecurity professor at the University System of Maryland, said improving cybersecurity requires executives to “inspire loyalty, trust and innovation” in their IT employees.
The Security Intelligence article says “top leadership is under the spotlight when it comes to achieving an acceptable cyber posture.” Doing so requires good governance, appropriate attention, and support from the top to maintain oversight and to detect and correct possible security weaknesses.
Raytheon Corporation, a government leader in cybersecurity, reported in the Washington Post that “behind every good cybersecurity strategy is good information about how the company works. And to get that information, CEOs must ask the right questions.” Raytheon said CEOs need to consider collaboration, how the company is managing risk, the security of acquired companies, employee training, and the protection of personal information.
“Technology alone cannot solve the security issue; it requires a human touch,” said Security Intelligence.