Originally published on Forbes.
If you are a senior business leader today, it is becoming much harder to ignore cybersecurity as a significant enterprise risk. Even if a CEO and their leadership team have the right awareness of and interest in reducing the organization’s risk, simply throwing money or insurance at the problem and moving back to core business issues may do more harm than good.
This article is a starting point, designed to help business leaders to educate themselves, avoid common pitfalls and reduce the intimidation of getting more involved in a traditionally technical topic.
“Leaving it to the experts” is a common phrase that can signal a lack of interest or personal commitment to addressing an issue. In cybersecurity, the predominance of technical solutions and the historically IT-focused nature of most programs can be intimidating and can drive a desire to delegate or minimize its importance. As a senior company leader, limiting your engagement denies valuable insights to security leaders on the human, process and company culture challenges that need to be solved to enable transformational change.
Consider this analogy: A manufacturing company experiences a fire. If the CEO had faced previous building fires, safety issues and preventative control failures (e.g., employee training, safety procedures, cultural change tactics, fire drills, exercises with local fire departments, etc.), would “leaving it to the experts” in the facilities and engineering team be appropriate?
Similarly, would writing an insurance policy for fire-related losses make that CEO feel like the problem was solved? Of course, a CEO wouldn’t design and install a fire suppression system by themselves — but solving and overseeing the changes that are complicated and in need of executive support is important.
Unfortunately, it’s easy for companies to fall into the following common traps in information security:
• Oversimplifying the issue and making snap decisions
• Buying the “latest and greatest tool” and paying for uninvested consultants to install it
• Purchasing insurance and hoping not to use it
• “Delegating” and leaving cybersecurity to the technologists in IT
If this trend continues, nothing will change. Cybersecurity will continue to be a weekly headline, and companies won’t move the needle on the problem-solving that is needed to restore consumer trust.
Despite the trend, there is good news. Protecting your information and systems doesn’t need to be intimidating, and senior business leaders can become personally vested and invested in helping their companies — without a Ph.D. in computer science.
Like any other topic where the business leader is not an expert, figuring out how to ask insightful questions of yourself and your staff members is a great place to get started:
1. What elements of our business and operation would be most impacted by a cybersecurity or insider threat compromise? How can I help validate or prioritize answers to this question for our business?
2. What threats and types of compromise could affect us most, based on the threat landscape we see within our industry and anything specific to our business? How are we using this intel to prioritize our focus?
3. How mature is our program today, and where do we see the biggest opportunities and gaps? Help me understand the top priorities based upon opportunities and gaps. I want to make sure we have prioritization and focus to maximize our progress and that any distractions are not getting in your way.
4. What is our road map of improvements, and how will we achieve our goals? Are there any barriers to achieving these goals that I could help reduce?
5. How do we measure our progress to know if we are winning or losing the battle? How can I help tie measurements to broader company measurements so that our organization can reach the right amount of accountability and visibility?
6. How are we involving our workforce at all levels and driving culture changes? How can I help enable this to ensure the right engagement across my leadership and their staff members? Is there anything I can do to set the tone at the top?
7. How well is information security partnered across internal groups such as physical security, compliance, legal and privacy? How can I help maximize these partnerships and enable efficiencies?
8. Do we have a cybersecurity incident response plan, and have we practiced it? How should my leadership team and I get involved in a rehearsal so we know what to do if a cyberattack occurs?
9. What are your biggest concerns that we haven’t already discussed? How do we ensure we have an open communication channel and trust so we can work through challenges as a company together?
10. How can my leadership team or myself further support you and your team to maximize your success?
With these 10 simple, nontechnical questions, business leaders can evaluate their company risk posture, identify the priority activities to reduce risk and learn where they can engage to help their org achieve results.
I will be writing subsequent articles focused on empowering business leaders to reduce their company cybersecurity risks and enable their teams to maximize their success. Some forthcoming topics will include:
• Understanding and managing insider threats to information security
• Prioritizing cyber investments using top business risks
• Workforce awareness, behavior and culture change for cybersecurity
• Incident response planning and executive cyber simulations
About the Author
Aaron Pritz is a senior IT/Security/Privacy/Risk leader with over 20 years of experience, including at a large pharmaceutical company in the Midwest. Aaron co-founded Reveal Risk in 2018 after seeing significant corporate leadership and “execution of strategy-to-operations” capability gaps in the cyber security and privacy consulting industry. He is a creative-thinking strategist who brings strategies to life through engaging approaches and teamwork. He is an active industry influencer and speaker on the topics of business-driven risk management, insider theft, and cyber security in healthcare, and is no stranger to helping companies progress both before and after incidents/breaches (ideally the former!).