The Chief Operating Officer (COO) role is a tough one and often misunderstood. Modern business literature says that while no two COO positions are the same, there are some guiding principles for all: (1) identify key issues and opportunities for the organization, (2) align the firm and leverage all areas of consensus, (3) attract and retain top talent, (4) drive the strategic planning process, and finally, (5) create a culture of constant improvement.
That is a substantial set of things for one role to be concerned about! In today’s environment, a key area of importance, focus, and concern for the COO is the Information Technology used in the business—specifically, the security and protection of that data. To become a “smooth” COO who minimizes cybersecurity risk, below are some important considerations.
Governance: Establish a cybersecurity policy that conforms to all legal and industry guidelines and standards. Define roles and responsibilities throughout the organization for all security matters. Ensure that key personnel have an open door to relate all security concerns upwards toward the executive suite. Gain the endorsement of the CEO in the importance of all cybersecurity investments and policies.
Assessment: Conduct a full cybersecurity risk assessment and present key findings to the CEO and Board. Put in place plans to lower risk consistently. The risk assessment would include: documenting assets and their reliance on technology, identifying where threats exist in priority order and addressing them, buying cyber liability insurance, and putting all needed protective measures in place, monitoring for updates as needed. Additionally, it’s recommended that you have an outside expert run a penetration test on your network to identify any possible weaknesses.
Culture: Ensure cybersecurity is a consistent agenda item at management level. Put in place cybersecurity training as part of new staff onboarding and on an ongoing basis. Have all employees sign documents agreeing to adhere to all cybersecurity policies and procedures. Establish ongoing cybersecurity training and testing for all staff. Institute an annual review of the firm’s cybersecurity posture and policies. Put in place multi-factor authentication (MFA) policies for any sharing or access to any level of company data.
Software and Hardware Basics: Ensure the following are in place:
- Schedule Ongoing Backups. Having an up-to-date backup in place is the antidote to catastrophic events such as ransomware, hardware failure, or accidental deletion. A backup can be used to recover anything stored on the device in the event of an attack or other debacle.
- Manage Access to Data. Prevent access to your data from unauthorized individuals. Ensure that a strong, secure password policy is in place as well!
- Ensure Endpoint Security. All key hardware and software should be kept up to date by downloading software and firmware updates as they are deployed by each vendor. This is an often overlooked first line of defense for all networks. That includes having an anti-virus solution in place on all hardware and ensuring it is current.
Outside Relationships: Evaluate all potential vendors considering their policies relating to the sharing of key organizational data. Evaluate potential strategic partners and potential acquisitions in the same vein.