CEO: If You Want to Control Cyber Risk, Don’t Shoot the CISO
“…while 65% of C-suite executives are highly confident their cybersecurity plans are well established, only 17% are actually ‘cybersecured’ – demonstrating the highest degree of preparation.” – “Securing the C-Suite,” IBM. How can CEOs and CISOs work together effectively to control cyber risk?
IBM recently conducted a comprehensive survey of C-level executives, and it revealed how lacking most cyber risk management programs are. CISOs often carry the bulk of the cyber defense and attack prevention responsibility, and their average tenure is estimated to be 18 months. With cyberattacks growing in scale and frequency, trying to control risk by replacing the CISO isn’t a winning strategy.
C-level executives are learning that, even with the best technologies in place, one unaware employee who clicks on a phishing link can cost the company millions in financial liability, repair, and reputation management (with a chance that one unaware individual could even be the CEO). There’s a growing realization that controlling cyber risk can’t be relegated to one person or one department. It’s an enterprise risk and business problem, not an IT one. It’s tandemly paramount to have the highest leadership at an organization—the board of directors—supporting the C-suite in their efforts to engage a collective cybersecurity effort across an organization’s operations. With this formula of collective cyber consciousness and top-down prioritization of cybersecurity risk mitigations, organizations can exponentially increase their cyber defenses, and therefore exponentially decrease the possibility of a multimillion dollar liability.
“94% of CxOs believe it is probable their companies will experience a significant cybersecurity incident in the next two years.” – “Securing the C-Suite,” IBM Institute for Business Value
What does it take to create a cyber-conscious culture? Who needs to become involved? What should CISOs and CEOs talk about – daily, weekly, monthly, quarterly, annually – to ensure cybersecurity awareness is upheld at all corners of the enterprises? How should they communicate these risks, and what are the parameters of the relationship between a CEO and the person running their IT and cybersecurity programs?
Here are four CEO actions to improve the CISO relationship and enhance the organization’s ability to manage cyber risk within its people, processes and policies:
- Demonstrate a strong commitment at the top to control cyber risk throughout the organization.
A CEO must communicate the importance of managing cyber risk for the entire organization. For example, he or she can add cyber risk governance objectives to performance measures. The cyber risk posture of the organization needs to be a regular topic at board meetings, and board members should be kept informed between meetings. - Elevate the CISO to the C-suite.
CISOs and CIOs have opposing agendas: CIOs are responsible for saving money, and CISOs are responsible for spending it. A CIO’s motivation to increase efficiency can hamper effective security spending. By making the CISO report to the CEO rather than the CIO, the CISO learns to express cyber needs in business terms and the CEO gains better visibility into cyber risk. - Institute a cyber risk governance program that engages key stakeholders across the enterprise.
Clear assignment of responsibilities is vital, and key stakeholders need a shared view of their organization’s cyber resilience status. Groups who are responsible for protecting crucial data, like HR, procurement, and marketing, must become cyber-conscious and accountable. The table below shows a few examples of non-CISO responsibilities that should still be considered for cybersecurity risk mitigation.
Domain Responsible Party Controls Workforce HR New hires are vetted using background checks. External Dependencies Procurement Identified cyber risks from supplier, partner, and customer relationships are entered into the risk register. Continuity of Operations Risk Management Activities that are required to sustain minimum operations are identified. - Augment these risk governance activities by transferring personal and corporate liability.
Some sources of risk may prove too intractable or too expensive to address directly. Transferring corporate risk to insurance is an ideal way to deal with challenging issues. Employing vendors who have been vetted and approved by DHS under the SAFETY Act can reduce directors’ and officers’ liability as well. [Full disclosure: Cybernance received a DHS SAFETY Act Designation.]
With focused board support and company-wide participation in building a cyber conscious culture, CEOs must lead in making the cyber risk posture of their organization a strategic issue. In doing so, they not only improve the long-term viability of their business; they also protect executives and board members from personal liability from improperly managing cyber risk.