4 Key takeaways for a cyber committed CEO to be Cyber Resilient
In the earlier blog post, we saw why cybersecurity transformation needs a cyber-committed CEO.
Continuing from that, let's look at four key takeaways a cyber-committed CEO can use to know whether their organization is truly cyber resilient.
Traditional security measures are no longer adequate to reduce cyber risks and threats, which are becoming ever more sophisticated.
Organizations need a cyber resilience strategy that can protect against cyberattacks, offer adequate risk control for protecting information, and ensure continuity of operations even while a threat is active.
Accenture outlines four key takeaways to know if an organization is truly cyber-resilient.
- Engaged CEO – Does the top management understand what's at stake for the business?
- Cultural Change – Does the organization have a culture of putting security first?
- Right Funding – Does the organization know what the right amount of funding for cybersecurity is?
- Right Metrics – Does the organization use the right metrics to measure and monitor?
Let’s dig a little deeper into each of these to understand better.
1. Engaged CEO
Does the top management understand what’s at stake for the business?
As top management gears up to build a cyber-resilient organization, it needs to understand that it must engage with its CISOs in the right way.
While CISOs need to talk "business language" instead of only technical jargon, top management has to bring the CISOs into the inner circle.
CISOs have to work along with the top management in building sound risk management strategies that will support the business goals and objectives.
2. Cultural Change
Does the organization have a culture of putting security first?
Cyber resilience requires a major cultural change and the right mindset. Cyber resilience should go hand in hand with operational performance management.
It is not enough for an organization to have frameworks, security controls, and tools in place; these become less effective in the absence of a robust cyber-resilient culture.
There are no quick fixes here; building a cyber-resilient culture takes time. It is important to identify, establish, and communicate a desired set of behaviors.
It is a new competence that needs to be built and this has to be backed by proper investment and action from the top.
3. Right Funding
Does the organization know what the right amount of funding for cybersecurity is?
This is the toughest part of the whole equation. While it is very difficult to determine the right amount to spend on building cyber resilience, it cannot be taken lightly.
With the rise in the number of data breaches and new cybersecurity risks, organizations face a dilemma.
Accenture says that organizations must follow a twin strategy, breaking the budget into two parts: a regular budget to get the basics right, and a separate allocation for research and innovation.
Remember, getting the basics right isn't an easy task. It means making it extremely difficult for intruders to get in, and keeping the damage to a minimum if an attack does happen.
Here, one must note that protecting data is very important, as data is an asset. Any data breach can cause a huge financial loss and will also break customer trust.
Securing only the network doesn't work; protecting the data is a must. Data can move off the protected system, and that is where it becomes vulnerable to cyber-attacks.
Organizations have to take all aspects into consideration before allocating funds. Secondly, once the organization is confident that it has the basics in place, it should focus on research and innovation.
Once innovative products demonstrate their security capability, they have to be scaled, and only a cyber-committed CEO can empower such scaling.
4. Right Metrics
Does the organization use the right metrics to measure and monitor?
Cyber resilience metrics are generally related to the goals of withstanding or recovering from adverse conditions, attacks, and compromises.
Defining metrics for cyber resilience in a particular environment is quite challenging.
No single cyber resiliency metric, or set of metrics, suits all environments. Also, low, medium, and high compliance scores do not give a clear picture of the business risk.
Therefore, the responsibility rests with the stakeholders and top management to decide which metrics will protect customer information and data.
It is not enough for them to receive reports on patching and software updates; they should also be aware of how the production environment is maintained:
- How is data protected?
- What happens if data moves out of the system?
- What impact would a data breach have on the business?
In addition to that, top management has to become part of the system monitoring. They should take part in security drills and mock crisis scenarios that serve to track improvements and lessons learned.
Top management has to be directly involved for an organization to be cyber resilient, and it has to keep the above points in mind to truly build a cyber-resilient organization.
While cyber resilience covers every aspect of security, don't forget that data is equally important, and data protection is what makes cyber resilience complete.