A week does not seem to go by without breaking news of a new data security breach affecting numerous well-known organizations in the United States. This fact alone has made information technology an important functional area of any business entity. So, it is now incumbent upon any Chief Executive Officer (CEO) to stay on top of all aspects of the information technology roles in their organization, especially as they relate to data security. Technology permeates every aspect of a business, and IT must be managed from the top!
Historically, the role of technology or “IT” staff was to facilitate increased staff productivity. Advances in cloud technology and widespread access to low-cost internet now allow cybercriminals to wreak havoc from across the street or across the globe. This means that data protection, privacy and security are now more important than ever to the IT professional. The regrettable truth is that a major cyber breach could lead to the loss of proprietary and/or confidential information, which in turn could cost a business important sales revenue streams, exclusive intellectual property, and enormous profits, as well as its reputation. All too often the worst case happens and the organization does not survive.
The Outside Threats. C‑Suite managers have read and been presented with a host of security recommendations in great detail. These include everything from a patch management regimen to firewall and backup software/hardware to external auditing and testing…and the list goes on!
The Weakest Links Are Inside. Security precautions are put in place by IT staff to reduce the threats from hackers, adversaries, competitors and the like, but the weakest links reside inside the organization and relate to the internal corporate staff. Some examples of these weak links include: an employee’s unsecured home/remote network, potentially due to a game device used in the home by a child; a laptop stolen or left at an airport screening area; staff sharing sensitive corporate data on cloud-based services such as Dropbox that do not have adequate security measures in place; a disgruntled colleague expressing his/her anger by going outside security policies and sharing key data in an external environment. The list can go on and on. The CEO must pay attention to these and other internal threats and establish policies that are communicated, enforced, and updated. These policies should include an ongoing staff cybersecurity training and testing program to reduce these risks.
Questions to Ask. Whether relying on internal or external resources to manage the IT role in an organization, top management must consistently ask these questions to keep the staff on top of things: What is the current risk level and business impact of a cyberattack to our company? What is the communication and action plan in case of any breach? What industry standards exist for our organization and how do we compare to those standards? What is our cybersecurity insurance posture and is it adequate? When did we last execute a cybersecurity risk assessment and what were the recommended outcomes and tasks? What is our overall cybersecurity and disaster recovery plan including prevention, resolution, and remuneration?
Lead by Example. Successful CEOs lead by example and keep important issues top of mind. Be sure to consistently remind all employees of the importance of cybersecurity and their role in minimizing risks. Stay informed and vigilant. Never trade convenience for security. Leverage the expertise of your team and you will succeed!