5 Things the C-Suite Must Do to Oversee Cyber Security
Many C-suite executives suffer from cognitive dissonance when they think about the importance of cyber security. Last February, American International Group (AIG) released the results of a poll of executives, which The Wall Street Journal reported on. According to AIG, more executives are worried about cyber security than about property damage or investment risk. In fact, 85 percent of executives rated themselves "very" or "somewhat" concerned about cyber risks.
At the same time, a recent Carnegie Mellon CyLab Governance survey found that over one-third of executives do not take responsibility for cyber governance. Half of companies do not place full-time personnel in cyber governance roles. Fifty-eight percent of executives haven't reviewed their insurance coverage for cyber security threats and data breaches. In other words, executives claim to be worried about cyber security, but many aren't doing anything about it.
Experts, including Carnegie Mellon researchers, suggest the following five steps to get the C-suite more involved with cyber security. The steps encompass personnel, procedures and communication in the company.
1. Conduct Regular Risk Assessments Related to Enterprise Security
Data breaches involve more than just the IT department. They are tied to finances, customer service, regulatory compliance and public relations. Regular company risk assessments should evaluate IT risk drivers across all business missions, not only within IT. Executives should also make sure that their strategic partners and managed services providers perform risk assessments of their own, since a breach at a partner with access to company systems or data is a breach of the company. Engaging an ethical hacker (a penetration tester) can uncover vulnerabilities that internal reviews miss. Based on the results, both the business and its partners should set remediation timetables and hold themselves to them.
2. Develop a Corporate Cyber Security Policy and Incident Response Plan
Executives should use the findings of risk assessments both to assemble a cyber security policy and to update it at least annually. They should also draw on IT expertise to understand common network threats. The incident response plan should include a specific escalation matrix (who is notified, at what severity, and how quickly), and IT should rehearse incident responses regularly rather than testing the plan for the first time during a real breach.
3. Stay Informed About Risks and Breaches
ISS Source recommends that executives know the answers to these five questions about cyber security at all times:
1. How are executives informed about current cyber risks and their potential impact on business?
2. What are the current risks and what is our plan of action?
3. How are we applying industry standards and best practices to our cyber security program?
4. What’s the threshold for escalating a cyber security incident to the C-suite?
5. How often do we test our cyber incident response plan, and is it working?
Maintaining situational awareness of cyber threats, testing and coordinating cyber incident response plans, and knowing the company's cyber risks and critical assets belong on the executive to-do list. These tasks should be part of regular risk assessment, corporate governance and business continuity planning. In the end, this strategy is the most cost-effective way to manage cyber risks.
4. Separate IT Security and Privacy From the CIO’s Budget
When determining the CIO's budget and spending, C-suite executives should break out IT security and privacy as priority line items of their own. Companies are raising their IT security budgets by over 40 percent each year, and CIOs are spending 25 percent of their time (more than one day per week) dealing with cyber security. Instead of looking at the master figure on the CIO's budget and giving blanket approval, the CEO should make a point of examining the amount devoted to cyber security. If the company needs to dedicate resources in this area, the CEO should make them available.
5. Purchase Sufficient Cyber Insurance Coverage
Part of understanding the company's risk profile through risk assessment is evaluating whether the company has adequate insurance coverage for cyber threats. Sufficient coverage can make the difference between surviving a breach and going out of business. Many policies, such as Cyber Security by Chubb and Sons, cover costs related to customer notification, regulatory fines, business interruption and even public relations for damage control. These costs typically aren't covered by general liability policies.
Tom Kellermann is Vice President of Cyber Security for Trend Micro. Tom is responsible for analysis of emerging Cyber Security threats and relevant defensive technologies, strategic partnerships and government affairs. Tom is a Professor at American University’s School of International Service and a Certified Information Security Manager (CISM). He co-authored the book “E-safety and Soundness: Securing Finance in a New Age.”