Engaging your Leadership in Cybersecurity
by Natalie Sjelin, Assoc. Director of Training, CIAS-ISAO
Over the years, the security industry has been encouraging the highest levels of leadership to become more involved and knowledgeable in cybersecurity. Survey results show that there has been some improvement over the past five years, but there is still a lot of work needed to bring leadership up to speed on cybersecurity issues.
Organizational leaders who need to be aware of cybersecurity exist at all levels. A leader can be the CEO, the board of directors, the school superintendent, a department head or a team lead. These leaders do not focus on the day-to-day details of cybersecurity, but they do have unique roles in helping their organizations manage cybersecurity threats. Now is a great time to work with the leaders in your organization to help them become more cyber-knowledgeable and cyber-prepared.
To begin improving your organization’s leadership, consider some of the following areas and actionable steps you can take today:
1. Educate Leaders
Leaders need to have a good understanding of what the cyber threat is and how an attack can impact the organization. At a minimum, they should receive regular briefings that include this type of information. Some additional points to emphasize in these briefings:
- Cybersecurity is more than protecting data. Leaders worry about data loss: incidents such as personal information being leaked, customer lists being stolen and credit cards being used fraudulently. These are still real issues, but cybersecurity is about more than just protecting data. We also need to recognize that our operations leverage technology in many ways, such as connecting our IT systems to control systems, managing large equipment remotely, and linking supply chains through automatic ordering and fulfillment processes. Technology is utilized in every aspect of our organization, and cybersecurity has taken on a much larger position in our threat landscape. Poor oversight can mean far more than paying fines because data was not protected appropriately.
ACTION: Facilitate briefings that educate leaders on the real picture of the cyber-physical and cyber-digital threats their organizations face.
- Cybersecurity is an organizational problem, yet it is often perceived as a technology area. Consider:
  - 28% of respondents believe cybersecurity is entirely a technology area
  - 41% of respondents believe cybersecurity is mostly a technology area with some business aspects
  - 11% of respondents believe cybersecurity is only a regulatory compliance area
Despite the perception that cybersecurity is a technology concern, many cybersecurity problems occur because of human error. A study from Stanford University revealed that 88 percent of data breach incidents were caused by employee mistakes.
ACTION: Align all employees, not just the cybersecurity team, around the practices and processes that keep the organization safe. This is not a technical problem; it is an organizational one. Cybersecurity requires awareness and action from every member of the organization to recognize anomalies, alert leaders and ultimately mitigate risks.
2. Leaders Must Participate in Cybersecurity
Our organizations cannot be 100 percent secure. Our security budgets are not infinite. Difficult decisions must be made. Make sure your leadership and board of directors know the answers to a few key questions, and work with them so that they know to ask these questions themselves:
- What are our most important assets and how are we protecting them?
- What layers of protection do we have in place?
- How do we know if we have been breached? How would we detect a breach?
- What are our response plans in the event of an incident?
- What are our business recovery plans? Is our information backed up?
- Is our cybersecurity investment enough?
Leaders have an important role in cybersecurity. They often hold the oversight and fiscal responsibilities that determine whether a cybersecurity program can be effective. Incorporating dedicated cybersecurity training for our leadership is an investment that will make our cybersecurity programs much more effective in the future.