When a high-risk situation like Target’s data breach takes place, CEOs shouldn’t need to wonder, “How tight is our security?” or “Could this happen to us?” Going forward, there will be no excuse for not knowing the answers to the tough questions.
Without micromanaging, how can you ensure that everything possible is being done at your firm to protect valuable data from being hacked and at the same time protect yourself from fallout?
We offer four suggestions:
1. Regularly discuss cyber-security with your CIO. As part of your executive leadership team, you are already meeting with the CIO regularly. If cyber-security is not currently on your discussion list, start including it. When a news story runs about a company being hacked, ask your CIO to present to the leadership team the specifics of that situation and how and why it would not happen to your company. If those questions cannot be answered, then part two of that discussion should be which tools and solutions need to be acquired to achieve your security goals.
2. Do a walk-through (or virtual walk-through) of the data center. Have your CIO show you (and the rest of the C-suite) exactly how your hacker protection tools, firewalls, etc. work. This will give everyone an opportunity to ask questions and pose hypothetical scenarios. Also, ensure you are on the distribution list for the results of all quarterly or annual cyber-security tests.
3. Set cyber-security goals and add security metrics to your dashboard. Cyber-security is not a one-and-done process. Just like revenue and cost goals, it needs constant monitoring. Adding a metric to your dashboard, such as “number of potential breaches vs. number of actual breaches this month,” will ensure that you are constantly on top of the cyber-security situation.
4. Hire a hacker (or someone hacker-like). Talk about money well spent. Imagine being able to report to your board on a monthly basis that you have a “zero” track record for hacker penetration. You can, by employing or contracting with a programmer who uses the latest tricks of the trade to try to break through your server walls, and then shows your IT team how to stop him.
To borrow another catchy title, this one from Forbes, Target’s dismissal of CEO Gregg Steinhafel “isn’t just about the breach.” It’s also about lack of ability to react quickly, lack of transparency when they found out, and the fact that the company wasn’t on very solid footing before the breach happened. These are all areas for which the CEO is responsible.
Like it or not, maintaining cyber-security is now part of every CEO’s job description. It’s not enough to assume IT has it under control. You are going to have to ask them to prove it to you going forward.