Cybersecurity & the C-Suite – Knowing Does Not Equal Solving


July 18, 2016


Secure Halo

No CEO wants to have to apologize to customers for a data breach or loss, or to face the business disruption such incidents cause. While the prospect of those scenarios would seemingly propel cybersecurity to the top of “to-do” lists across the C-suite, executive surveys continue to show a disconnect between the recognition of cyber threats and the way in which they are addressed.

As Secure Halo shared during a panel discussion at the U.S. Chamber of Commerce’s Chicago Cybersecurity Conference, the C-suite has a responsibility to foster cybersecurity at every level of an organization. They must support this through strategic communications with the workforce and through long-term investments in technology, process and training.

Yet despite the ubiquity of digital threats, the increasing sophistication of determined adversaries, and the havoc they can wreak on operations and sensitive business data, executive surveys show that a lack of planning, collaboration and shared responsibility on cybersecurity continues.

A new survey of Fortune 500 CISO/CIOs and IT executives by British Telecom and KPMG showed only 22 per cent of companies have a comprehensive plan in place to deal with major cybersecurity incidents, though 95 per cent have been the victims of a digital attack.

The IBM C-Suite Survey of executives across 18 industries, released earlier this year, noted the low level of engagement of some key officials in cybersecurity initiatives. It showed that the chief financial officer (CFO), chief human resources officer (CHRO), and chief marketing officer (CMO) feel “the least engaged in cybersecurity threat management activities” despite the fact that they are “stewards of data most coveted by cybercriminals,” such as non-public corporate financials desired by competitors, confidential employee health and privacy information (which we know has enormous value on the black market), and proprietary corporate strategy information.

The survey found that 75% of those leaders “do not believe that cybersecurity plans include them in a cross-functional approach.” It is clear there is still much work to be done.

Departmental Threats Add Up to Enterprise Risk

As a provider of holistic enterprise security, Secure Halo understands that disengagement by key stakeholders creates dangerous scenarios that can contribute to successful attacks or breaches.

Take, for instance, a department or division that unilaterally signs a service level agreement with a cloud service vendor without input from the IT and Legal teams. In this basic scenario, the requesting department would not only be oblivious to the inherent vulnerability created by a third-party relationship, but would, as a result, neglect to adequately review the vendor’s security practices or even question the contract’s legal language relating to indemnification and liability should data loss occur as a result of vendor negligence. Forsaking a cross-functional approach to security can mean the difference between becoming a victim and avoiding a threat entirely.

Two Execs on the Cyber Frontline

The CFO should work with the CIO or CISO on discussions involving governance and data security, and help them build support from other executives to encourage greater enterprise collaboration. Because these executives routinely work with confidential documents such as financial statements, and because of the rise in financial fraud known as “business email crime,” in which billions of dollars in fraudulent financial transfers are authorized through sophisticated phishing attacks impersonating leaders such as the CFO, these leaders’ role in security is an obvious one. As an example, how could formal policies and procedures governing the verification and authentication of accounts payable requests be developed without their input and support?

For the Human Resources executive, not only must their department have an active and collaborative relationship with the CIO or CISO and IT because of the security role it plays in network access requests for both arriving and departing employees, but these leaders also play a security role in background checks, BYOD, intellectual property protection, insider threat programs, social engineering, and basic data security. As the IRS has warned, savvy cyber criminals are increasingly targeting payroll and human resources personnel because of their proximity to employee privacy information, using phishing attacks that prey on their susceptibility to manipulation and general lack of awareness of the threat.

And the list goes on. The threat posed by malicious actors in cyberspace requires all organizations to implement a cross-functional and collaborative approach that aims to deter potential adversaries and redirect them toward less-defended targets. As Secure Halo routinely reiterates, the objective of any basic cybersecurity plan, no matter the industry, should be to anticipate enterprise threats by assessing an organization’s unique threat profile. From there, holistic security controls can be implemented across multiple domains that position the organization to effectively prevent, detect, correct and recover from attacks. However, as recent surveys have revealed, the effectiveness of such a plan will be predicated on the extent to which C-suite leaders collaborate and integrate with the CIO or CISO and with each other.

After all, cybersecurity is a shared responsibility – and one that can never be accomplished in silos.
