When it comes to upper-level executives and their IT security teams, there seems to be a disconnect about the level of support IT needs to protect the enterprise. To better prevent a security breach, it’s important that C-level executives are aware of, and on the same page as, your enterprise security team. Only 12% of C-suite executives expect a major, successful attack on their organization in the next 90 days. In addition, two out of five CEOs, other C-level executives, and non-executive directors feel they are not responsible for the repercussions of a cyber-attack. Any breach that is caused by the void between these important roles has serious costs associated with it.
What are these costs? The responsibility of the CEO is enterprise performance, including profitability, which the costs of a breach affect, both directly and indirectly. Breach costs may include forensic investigation, customer notifications and free credit monitoring, reputational damage, lost customers, lawsuits, dropping stock prices, and increased scrutiny by regulators. In addition, boards of directors have a role in corporate governance and risk management, including cyber security oversight, and shareholders can potentially sue members of the board for failing in these duties when it comes to security.
So how can you close the gap between executives and your enterprise’s IT security? Keep reading to find out.
How to Close the Gap between Executives and Enterprise IT Security
1. Knowledge is Power
Most executives climbed their way to their position through less technical roles. This means they don’t have the technical experience to fully understand what their IT security team is doing. Top leaders need to work with security teams to ensure that risks and strategies are communicated in language that business leaders can understand, and tie security recommendations to business outcomes whenever possible.
2. Don’t Be Overconfident
It’s critical that executives understand and accept that no security technology is impenetrable. Even the slightest change to software, for instance, can weaken security, so security controls must be embedded throughout operations. Technology on its own is not a strategy that can keep an organization safe. Additional effort, such as training and development of policies and procedures, is required.
3. Manage the Human Error Risks
What may seem like a minor misstep by an employee, contractor, or other person who has access to the enterprise’s physical or virtual assets can unravel all of the business’s security technology. One wrong move is sometimes all an attacker needs to crack an organization’s defenses wide open, especially when you consider that the majority of all incidents are caused in part by human error. Indeed, managing the risk of human error is the foundation of every enterprise security program.
4. Distorted Views of the Security Budget
Unfortunately, while there may be significant annual increases in security budgets within your enterprise, threat levels are outpacing these budget increases. It’s important that your executives understand this. Many times there is a perception that the increase in the budget is enough, without understanding that threats such as ransomware and phishing scams are increasing in frequency and ability to penetrate organizations at a faster rate. Add to this that new security concerns are cropping up for emerging technology, including the Internet of Things.
5. Use Opportunities to Lead
Your enterprise executives and high-level leaders can help to close the gap by simply expressing an interest in the organization’s security. For example, leaders should ask their security team about important initiatives that are currently unfunded. In addition, leaders should communicate broadly that the Security team is not solely responsible for security any more than the Sales team is solely responsible for sales. Neither Sales nor Security thrives within a strict organizational silo. Both benefit from interdepartmental collaboration and support.
By educating, having a clear understanding of the budget and its reach, as well as managing human errors and taking the opportunity to lead, your executive team will be well on its way to closing the dangerous gap between themselves and your enterprise’s IT security. Need more help determining how to educate and manage human errors? Check out our white paper titled "Connecting Executive Leadership with Enterprise Security".