As the CEO of an organization, it is your job to balance risk and reward within your company. Cyberthreats are not magic, hackers are not wizards, and the risks to your specific organization from a breach can be managed just like any other risks that you make decisions about every day. In fact, these risks can even be turned into opportunities for new cybersecurity innovation.
Where to begin? You want to avoid causing unnecessary work, but you are required to participate in, and often lead, the conversation around addressing cyber risks. When the U.S. Government began working with members of the IT and critical infrastructure industry on a Cybersecurity Framework for improving critical infrastructure cybersecurity, a key point that arose was the need for nontechnical tools that could be used at an executive level. Technical best practices have existed in international standards and government agencies for years, but common problems such as a lack of investment, the absence of a high-level strategy, and a failure to integrate security into business operations still plagued many organizations struggling to address cyberthreats.
Seeing this tension in many of the organizations they were briefing on cyberthreats, the U.S. Department of Homeland Security worked with current and former executives to help capture five simple questions that a CEO could ask his or her technical team, which would also drive better security practices. They are:
- What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
- How is our executive leadership informed about the current level and business impact of cyber risks to our company?
- How does our cybersecurity program apply industry standards and best practices?
- How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
- How comprehensive is our cyber incident response plan? How often is the plan tested?
The team that coordinated the Cybersecurity Framework also provided key recommendations to leadership, to align their cyber risk policies with these questions. First and foremost, it is critical for CEOs to lead the incorporation of their cyber risks into existing risk management efforts. Forget the checklist approach; only you know the specific risk-reward balance for your business, so only you can understand what is most important to your company.
It seems simple, but with cybersecurity the default practice tends to be for organizations to silo risk considerations into a separate category, apart from their thinking about the assets they value most. You have to start by identifying what is most critical to protect and work outward from there. The process of aligning your core business value with your top IT concerns is a journey, not something that can be solved in one lump investment or a single board meeting. Like any risk analysis, it requires serious consideration of what matters most to your core business practices.
You can’t prepare your organization without a plan for cybersecurity governance. Get your copy of Navigating the Digital Age to learn from some of the top minds in cyber.