By Chris Riley, President of U.S. Operations, SSH Communications Security
The need for cybersecurity is clear and critical, yet it still meets with quiet resistance in some quarters. Why? It is notorious for interfering with the flow of business. It’s easy to view data security efforts as a cost center that slows down business and frustrates employees, users and customers alike. C-level executives need to be aware of how their organizations’ security measures affect business processes and productivity.
Cybersecurity is far too important a topic to simply assign responsibility for it to the chief security officer, chief information security officer or IT team. C-suite executives with non-technical backgrounds might see the iceberg ahead, but do they really understand the size of the problem below the surface? Failing to take responsibility here is a potentially disastrous mistake.
Security is Everyone’s Job
Demonstrating the importance of cybersecurity is a top-down affair. If executive leadership is not involved directly, it can give the impression that cybersecurity is not a number one priority; employees can do it tomorrow or whenever they have time. When the board or CEO starts asking the management team about what measures the company has in place to avoid becoming a headline, then there’s a much bigger chance of real change taking place.
If leaders don’t read the current cybersecurity atmosphere properly, they could be headed for dire consequences. The boardroom is placing the responsibility for cybersecurity squarely on the C-suite’s shoulders. As we have seen in recent headlines, a particularly bad public data breach can ruin a CEO’s career. As enterprises and government agencies are required to follow GDPR (see below) and other cybersecurity guidelines, more than just the CEO will be targeted for replacement.
The deadline is fast approaching for compliance with the General Data Protection Regulation (GDPR), which will take effect in May 2018. This regulation will have a major impact on the European Union and international companies with access to European citizens’ sensitive data. The GDPR expands the definition of sensitive data to include online identifiers, such as an IP address or cookies.
In short, organizations must account for all sensitive data and the access granted to it. If a company is found to be in violation of GDPR, it can be fined up to four percent of annual global turnover or €20 million, whichever is greater. This maximum fine is issued for the most serious infringements, such as not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines for lesser offenses, but the monetary amount is still painful. C-level executives can help their companies avoid that pain and brand damage by committing to taking an active role in cybersecurity.
Now is the time for executives to dive in and gain a detailed understanding of the company’s cybersecurity efforts. The following best practices are a good place to start:
- Identify the cybersecurity sand traps: Do employees work around security measures in order to access business applications more easily? Have they created a shadow IT environment of unauthorized systems and solutions for their convenience? When used properly, cybersecurity can be an enabler of new business, protecting data in the cloud and allowing the company to take advantage of the cloud’s cost-saving agility and flexibility, for example. Finding ways to minimize the risk of human error, such as automating as many security processes as possible, can also help increase business efficiency.
- Keep your eyes open: As cyber threats evolve, they require the C-suite to adopt a totally new way of thinking. Companies need to adopt practices that don’t affect their workflow and don’t disrupt the actual business in any way. Look to what universities, incubators and startups are producing, as they are the best sources for cybersecurity solutions and talent, and hire the expertise you need from that pool. Make sure your team is evolving with the threats.
- Ask and assess: Go to the knowledge base of your organization – meet with the cybersecurity team. Ask questions and assess: What are they working on? What is their security posture, and what solutions are currently in place? What is the critical business decision-making process used to determine what infrastructure MUST be secured? Where are the weak spots? How can the team see, control and maintain a more secure environment? Attend conferences and seminars to learn about what steps your peers are taking to protect their own companies. Make sure that you have knowledge of your current systems and the opportunities to improve – and as quickly as possible. Don’t wait for the next quarter or next year’s budget, because it might be too late.
- Re-focus the company culture: Create awareness across the organization of the risks and how everyone can keep the company safe. Build security hygiene and compliance into compensation and reward packages (if they aren’t already). The goal is for everyone to understand the importance of cybersecurity to the company and your customers, and to underscore the importance of cybersecurity as a personal responsibility.
Security Builds Trust
Those who put in the extra effort will be rewarded with a safer organization. Conversely, if your network gets infected and your servers go down, that downtime will have a disastrous effect on your company’s bottom line, not to mention the sustained operational costs and damage to reputation.
Without trust, businesses do not flourish or grow. Trust must be built into your company’s solutions, products and services. By leading from the top down, the C-suite can help ensure that the organization is protected appropriately while maintaining performance and ensuring that security measures do not disrupt operations in any way. Once the C-suite has established a security game plan for the organization and is confident that the team is performing on the right level, you can trust in your critical information flow and sleep better at night.
The Cybersecurity Mandate
People are reluctant to do business with or invest in companies they don’t trust. The massive breaches of the last several years shine a bright light on the topic of corporate cybersecurity, and the responsibility for it lies squarely on the shoulders of the C-suite. Executives cannot afford to ignore this foundational aspect of company success – for their own sake as well as that of their business.
Chris Riley has worked in IT and information security for more than 20 years. His experience in markets for identity assurance, data security, governance and risk management is extensive. At SSH, Chris is responsible for all U.S. business operations, including customer success and marketing. Chris is passionate about the work being done by SSH customers and associates regarding governance for trusted access and how that makes the world a safer place given the evolving threat landscape. Prior to joining SSH, Chris spent more than 10 years at RSA Security in various leadership roles around enterprise sales and customer success. Chris is a graduate of Merrimack College in North Andover, MA, where he majored in finance and minored in economics. He also holds a Master of Business Administration degree from Northeastern University in Boston.