Cyber Security Transformation requires a Cyber Committed CEO
Today, every enterprise is on the path to digital transformation. While digital processes create new business opportunities, they also open new doors for cybercrimes and attacks.
All enterprises face a wide range of risks from financial loss to reputational damage. As enterprises rely more and more on digital technologies in all areas of business, and the attack surface grows, a broader security strategy is needed.
Bottom-up and Top-down Approach
Information and cybersecurity implementation has generally followed two types of approaches: the bottom-up and the top-down approach. Let’s take a look at each.
Traditionally, enterprises have taken a bottom-up approach, wherein the CISO initiates the process and then sends the findings upward to management as recommendations.
Because top management is often not aware of the threat or its implications for the business, this approach does not always work in the best interests of the business.
The key advantage of the bottom-up approach is that system vulnerabilities and possible threats are addressed directly.
However, because senior management’s priorities and the directives that follow from them often differ from those findings, it does not always work out as the best solution for most organizations.
Unlike the bottom-up approach, in the top-down approach, the initiatives are taken by the top management.
They formulate the policies, outline the procedures to be followed, determine the priorities and the results expected, and also determine the liability for each action.
As this approach includes everyone in the organization and has the strong support of top management, it is likely to succeed.
Why does cybersecurity need a top-down approach?
Cybersecurity is no longer confined to the CISO and the IT department installing firewalls and backup servers.
As we saw earlier, the attack surface is growing day by day and attackers are using sophisticated methods, so the stakes are high when you are the guardian of your customers’ IP and sensitive information.
Safeguarding information against data breaches and preventing data loss requires a cyber committed CEO and a budget that meets the requirements.
It is important to build a culture where everyone in the organization realizes the importance of cybersecurity.
Only the CEO can establish the appropriate ‘cybersecurity tone’ for their organization. Every cyber-committed CEO should realize that cyber-attacks and security breaches will happen and that they will hurt the business.
Compliance regulations and stricter security rules such as the General Data Protection Regulation (GDPR) allow huge fines to be imposed in case of data breaches.
Moreover, public knowledge of data leaks can lead to reputational loss. While policies and procedures provide a secure baseline, strict adherence to them must be maintained.
CEOs have to ensure that everyone in the organization receives adequate information about cybersecurity and that proper training is provided. User access should be restricted and continuously monitored for breaches.
Apart from policies and procedures, every organization has to ensure it has the appropriate tools.
Today, insider attacks are more common because of human faults, whether deliberate or unintentional. Therefore, it is not enough to just protect the perimeter. CEOs need to be aware of this and empower their CISOs to adopt a Zero-Trust architecture. Identity and access management systems with single sign-on and multi-factor authentication lower the risk.
The organization may therefore need continuous monitoring tools, data security tools, data classification tools, and data loss prevention tools. All these decisions can only be taken by the cyber committed CEO together with the CISO.
Is it enough for the CEO to be just cyber-committed?
The Accenture article ‘The Cyber Committed CEO and Board’ rightly discusses what it takes to be a cyber committed CEO. Drawing from the article, it is clear that it is not enough to be merely a cyber committed CEO; the CEO must be an ‘Engaged CEO’.
The CEO should walk shoulder-to-shoulder with the CISO and assess the security risk in business terms. This requires a partnership between the two.
An engaged CEO feels part of the team, understands cyber risk to the same degree as any other business risk, is aware of the options, and knows how to manage the risk and how it fits into the business to drive growth.
The article talks about three leading practices a cyber committed CEO should follow:
- Capture the strategic picture of cybersecurity in the business
- Speak the language of the business in all cybersecurity communications
- Build ‘Muscle Memory’ for threat response at the CEO and board level
To get buy-in from the CEO, CISOs should develop a cybersecurity strategy that captures information about threats to the business, what is being done to address those threats, and what is being done to manage the risks.
While at first this may seem like a funding request, it actually concerns where responsibility for cybersecurity should reside within the business. Should it be part of the organization or should it be an independent function?
Such strategic discussions between the CISO and the CEO will help create a more engaged CEO. Secondly, the CISO should talk about the business value of cybersecurity initiatives.
Unfortunately, most CISOs fail on this front: they still speak the language of technology instead of the language of the business.
Thirdly, the article stresses that for a CEO to be engaged, they have to participate in drills and simulations. This way they can get a sense of what can go wrong and how to deal with it.
Whenever there is an opportunity the CISO has to educate the CEO. An ‘Educated CEO’ then becomes an ‘Engaged CEO’.
Does Data-centric Security also require a Cyber Committed CEO?
So far we have dealt with cybersecurity at a broad level; we will now look at a more specific level: data-centric security.
A solid cybersecurity foundation requires secure data. Data is an asset and businesses that guard the data have a significant advantage over businesses that do not.
Large enterprises rely heavily on data and operations hubs such as SAP for their business processes. These hubs store and transact vast amounts of data.
Uncontrolled user downloads lead to data leaks that have huge implications for the business. Most CEOs do not give importance to data security until a leak happens, by which time it is too late to rectify.
It is therefore evident that a cyber committed CEO needs to take a serious view of data-centric security and must empower and work in tandem with the security team. The protection of IP is as important as its creation and deserves a robust data security practice.
SECUDE’s HALOCORE provides a dedicated data protection solution for SAP.