Educating the C-suite on risks and developing effective cybersecurity hygiene are both key
The most effective cybersecurity programs are top-down endeavors, where the security chief has the full support of the C-suite in identifying threats, setting the company’s risk tolerance and developing the cybersecurity strategy.
In fact, every C-suite executive – and not just the CISO or CIO – should be able to explain to the board how cyber risk impacts their specific area and what is being done to mitigate the risk.
Many executive teams are already there. They have seen companies hit by headline-making attacks and watched as peers struggled to respond and recover. Through that, they have become more informed and active proponents of a strong cybersecurity program at their own organizations.
Yet many other executives still don’t prioritize cybersecurity or their role in it.
Consider this figure: only 40% of all respondents to a 2022 PwC Pulse Survey listed more frequent and/or broader cyberattacks as a serious risk. (An additional 38% called it a moderate risk.)
I’ve seen how this can play out in organizations, as I’ve worked with security leaders whose C-suite colleagues have been no-shows for critical meetings because they said their day-to-day activities were more pressing.
As a security leader seeking to strengthen your company’s security posture and prevent breaches, you must educate the other executives about the threat landscape, their role in defending the enterprise, and the importance of good cyber hygiene.
To start, get the CEO on board.
Get on the CEO’s calendar and walk through the current threats, the company’s level of preparedness, and the likely consequences of a successful attack – highlighting the impact that breaches have had on similar businesses.
Lay out the choice: invest now in an effective security strategy or pay significantly more later responding to a breach or ransomware attack.
Then engage the other executives. Emphasize how a strong cybersecurity program protects the company against attacks and supports its regulatory and compliance requirements. Explain how a robust security strategy enables and differentiates the company by demonstrating to employees, business partners and customers that it will adequately defend the proprietary and sensitive data it collects. Customize the message so it resonates with each exec.
The goal here is for executives to understand that cybersecurity is not an IT problem but rather a responsibility owned by all the leaders within the organization.
Additionally, you should be educating the C-suite on their own roles in cybersecurity.
First, they should know that they are top targets of the bad actors out there and that they should be taking steps to safeguard themselves.
Detail for them what’s going on: that hackers target executives because they have financial authority and extensive access to information and that they use company website information, social media posts, and public statements to create sophisticated attacks.
Then provide higher-level training for them (and their executive assistants) so they’re well prepared to spot attack attempts, including even the most sophisticated social engineering schemes.
Once you have your executive team more engaged in the cybersecurity strategy, you can next enlist their help in educating their own teams and supporting the elements needed to build a solid cybersecurity program.
Have these executives enforce mandatory cybersecurity training for their employees and set consequences for those who skip or fail that training.
Ask those executives to identify employees on their teams who can serve as cyber champions capable of explaining to their co-workers the nuts and bolts of cybersecurity in business terms, advocating for following security best practices, and identifying potential gaps that need to be addressed.
Of course, throughout all this work, you must continue to advance the fundamental cybersecurity best practices (otherwise known as cyber hygiene) that form the foundation of every effective security strategy.
Make sure you have an updated inventory of the company’s assets and a current understanding of the company’s crown jewels.
Develop and run an effective vulnerability management program.
Implement multifactor authentication and other elements of the zero trust approach to further strengthen your security posture.
Run table-top drills that involve executives and other key risk owners practicing along with your security team.
And once you’ve got those basics down, build up your cyber hygiene by layering in more advanced practices.
For example, create a software bill of materials (SBOM) so you know the components and code within your applications, and then pair that SBOM with your vulnerability management tools to better identify and prioritize the risks that need mitigation.
Consider implementing next-generation security technologies such as extended detection and response, or XDR, to improve visibility across your enterprise.
Push for network segmentation.
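To make the SBOM-plus-vulnerability-management pairing concrete, here is an added example (written for this page, not taken from any vendor tool): it matches a constructed CycloneDX-style SBOM against a constructed vulnerability feed and ranks the findings so that crown-jewel applications and higher CVSS scores come first. The application, package names, versions and CVE identifiers are all placeholders.

```python
import json

# Constructed SBOM fragment in CycloneDX JSON shape (only the fields used here).
SBOM_JSON = json.dumps({
    "metadata": {"component": {"name": "payments-api"}},
    "components": [
        {"name": "examplecrypto", "version": "3.0.1", "purl": "pkg:generic/examplecrypto@3.0.1"},
        {"name": "log-lib", "version": "2.14.0", "purl": "pkg:maven/example/log-lib@2.14.0"},
        {"name": "pad-utils", "version": "1.3.0", "purl": "pkg:npm/pad-utils@1.3.0"},
    ],
})

# Constructed vulnerability feed: affected package, vulnerable range [introduced, fixed), CVSS.
# The CVE identifiers are placeholders, not real advisories.
VULN_FEED = [
    {"id": "CVE-EXAMPLE-0001", "name": "examplecrypto", "introduced": "3.0.0", "fixed": "3.0.2", "cvss": 7.5},
    {"id": "CVE-EXAMPLE-0002", "name": "log-lib", "introduced": "2.0.0", "fixed": "2.15.0", "cvss": 9.8},
    {"id": "CVE-EXAMPLE-0003", "name": "pad-utils", "introduced": "2.0.0", "fixed": "2.1.0", "cvss": 5.3},
]

# Constructed asset inventory: applications the business has designated as crown jewels.
CROWN_JEWELS = {"payments-api", "customer-db"}

def parse_version(v):
    """Turn a dotted version string into a comparable tuple ('3.0.1' -> (3, 0, 1))."""
    return tuple(int(p) for p in v.split("."))

def is_affected(component, vuln):
    """True when the component's version falls inside the vulnerable range [introduced, fixed)."""
    if component["name"] != vuln["name"]:
        return False
    v = parse_version(component["version"])
    return parse_version(vuln["introduced"]) <= v < parse_version(vuln["fixed"])

def prioritize(sbom_json, feed, crown_jewels):
    """Match SBOM components to the feed; rank crown-jewel apps first, then by CVSS descending."""
    sbom = json.loads(sbom_json)
    app = sbom["metadata"]["component"]["name"]
    findings = []
    for comp in sbom["components"]:
        for vuln in feed:
            if is_affected(comp, vuln):
                findings.append({"app": app, "crown_jewel": app in crown_jewels, "purl": comp["purl"],
                                 "cve": vuln["id"], "cvss": vuln["cvss"], "fixed_in": vuln["fixed"]})
    return sorted(findings, key=lambda f: (not f["crown_jewel"], -f["cvss"]))

if __name__ == "__main__":
    for finding in prioritize(SBOM_JSON, VULN_FEED, CROWN_JEWELS):
        print(finding)
```

In practice the feed would come from your vulnerability management tool and the crown-jewel set from the asset inventory; the ranking is what lets the team show executives which fixes matter most.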
Despite the criticality of such actions, some C-suite execs may balk at that list.
So, you, as a security leader, must be ready to deliver a reality check, reminding them that the number and sophistication of threats are continuing to grow – as are the consequences of doing too little to counteract them.
And remind them, too, that investing in solid cybersecurity hygiene practices and a robust security strategy now has the best ROI today and into the future when compared to the costs of a successful cyberattack.