When it comes to cybersecurity, the chains of communication that exist within an organization, if they exist at all, are often a mess. Multiple conversations about cyber risks are happening across a multitude of divisions in isolation.
At the same time, members of the C-suite are measuring their potential impact using different metrics — financial, regulatory, technical, operational — leading to conflicting assessments. CEOs must address these disconnects by creating a culture that promotes open communication and transparency about vulnerabilities and collaboration to address the exposures.
Organizations of all sizes across all sectors are experiencing an exponential increase in their exposure to cyber risk. The number of endpoints that need protecting is exploding as consumers demand more digital interactions and smart devices. (Gartner estimates there will be more than 20 billion connected devices by 2020.) Adversaries have evolved from individual bad actors to highly capable organized crime groups and nation states. The regulatory landscape is increasingly shifting and, at times, conflicting at local, national, and international levels. High-profile cyberattacks — ranging from the one suffered by Sony Pictures in 2014 to the global ransomware attacks that occurred last May and June — highlight the huge financial and reputational stakes.
CEOs committed to staying on top of this ever-evolving threat must break down the silos that exist in the organization in order to assess the full dimensions of the risks across the enterprise and address these exposures holistically. The consequences of not doing so could cost them the trust of their shareholders and customers and even their jobs — as the recent Equifax hack demonstrated.
Members of the C-suite often aren’t speaking the same language around cyber risk, and reporting lines are reinforcing silos. For instance, the general counsel thinks about the issue in terms of compliance with information security regulations such as the European Union’s General Data Protection Regulation. The chief information security officer (CISO) or chief information officer (CIO) reports the technical vulnerabilities that his or her team has successfully remediated. The chief risk officer (CRO) looks at the problem in terms of risk transfer and cyber insurance purchased. And the chief financial officer is looking at the potential financial impact.
This lack of communication and coordination across functions makes it very difficult to assess the impact of cyber risk on the business as a whole or create any common metrics for doing so. This makes it difficult to prioritize the risks that need to be dealt with most urgently and more challenging to appropriately direct efforts and resources.
There are several steps that CEOs should take to create a common language around cybersecurity in their organization.
First, CEOs should bring together the different members of the C-suite so that all stakeholders are communicating and working in partnership to create a realistic and integrated picture of the business’ exposure. This includes: identifying critical data and assets that could be at risk; assessing technical vulnerabilities; understanding the threat landscape; appreciating the potential regulatory and compliance consequences of cyber attacks; quantifying the financial implications of attacks (e.g., business-interruption costs, lawsuits, remediation costs, loss of enterprise value, and damage to brand and reputation); and gaining a more accurate picture of the impact on shareholder value.
The second step is to create a culture that encourages employees to speak openly about cyber-risk exposure without fear of negative repercussions. It’s rare that a CEO motivates key members of the C-suite — especially the CISO or CRO — to report the seriousness of a company’s exposures as they evolve. Because cyber risk is dynamic, CEOs must create an environment where there are continual conversations about the impact on security of new events — such as the introduction of new technologies and systems, new cyber threats, and mergers and acquisitions that involve combining different organizations’ information systems and security cultures.
As part of this effort, CEOs should proactively get to know the people outside of the C-suite working in the security trenches. The more CEOs speak with system engineers and technical teams, the more comfortable they will be asking questions about the organization’s security. If the CRO and the CISO are only reporting on what’s going well, then alarm bells should be ringing.
Third, CEOs should prepare for cyber attacks to ensure everyone knows what to do and can communicate effectively with each other during an incident. There should be a customized incident-response plan that is routinely tested via simulated attacks, which can also test a company’s vulnerabilities. A plan can help minimize business disruption, reduce the time attackers have to steal critical data or money, and reduce the amount of damage.
An incident-response plan should include four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident.
The preparation phase is the most important since creating a response plan during an incident will not work. Planning helps all stakeholders understand their role and responsibilities, from what constitutes a security incident to who initiates the plan. It also helps leadership communicate with confidence during a real incident both internally to senior executives and members of the board and externally to customers, outside counsel, insurance companies, regulators, and law enforcement.
In the detection-and-analysis phase, the security team determines the scope of the incident and collects the data necessary for analysis. The third phase is about containment: stopping the attack from spreading by removing any infection from the system and fixing any vulnerabilities uncovered. The post-incident phase is a review of what went well, what went wrong, and what can be done better next time.
Outside cybersecurity experts can help develop the plan. If they aren’t involved, CEOs should at least consider having one test the plan’s effectiveness and crucially, ensure they have engaged external firms on incident-response retainers ahead of an incident. You don’t want to be struggling to negotiate the fine print of contract terms during an attack.
Finally, companies should create an internal function, led by a chief vulnerability officer, to conduct regular audits of the company’s preparedness. This unit, which should report directly to the CEO, should also stage simulated attacks on the business — in addition to those carried out by the CISO or CIO. It should leverage external cyber experts with up-to-date perspectives on the latest cybersecurity methods, threats, and trends to provide unbiased perspectives and help challenge management decisions.
A CEO should enlist all functions in the effort to establish common metrics to assess cyber risks so everyone is speaking the same language and should build a culture of security through open dialogue, planning, and testing. Then, when he or she asks questions — such as “What are our greatest risks?” “What are our critical assets?” “Who has access to them?” “What is our current information security policy?” “What is our incident response plan?” “When was it last tested?” — they will yield a more accurate picture.
Only when a CEO understands the business’ true exposure to cyber risks can he or she prioritize the allocation of resources to manage them.