Just as all organizations are vulnerable to data breaches, all leaders within an organization are responsible for trying to prevent such breaches. Though CIOs and CISOs are often the face of cybersecurity efforts, every executive has a role to play in understanding and assessing implemented security protocols, developing relationships with the CIO/CISO, carrying out security procedures and promoting the importance of security within the organization, according to a Harvard Business Review report.
A survey conducted for multinational defense and security company BAE Systems found 85 percent of managers across industries said reputational damage is the largest ramification of a data breach, yet 40 percent of respondents said they don't fully understand the cybersecurity protocols within their organization. This gap should be an "urgent wake-up call to executives," wrote Bill Sweeney, CTO of Americas at BAE Systems, in the HBR report.
Mr. Sweeney outlined key steps for executives who aren't CIOs and CTOs to take to help bolster cybersecurity.
First, he wrote executives should know the protocols currently in place and conduct annual security risk assessments. If the residual risk (the number and scale of attacks likely to succeed against the organization) is low, an annual review should suffice, according to Mr. Sweeney. But if the residual risk presents concern, organizations should consider semiannual or quarterly reviews.
More importantly, executives should form strong relationships with CIOs and CISOs. Mr. Sweeney wrote that establishing these working relationships is "the best and most effective means for senior executives to guarantee change" in the realm of cybersecurity. BAE Systems' survey found 90 percent of CISOs are directly connected to their company's top leadership team, and half are formally part of that team. Engaging CISOs at a high level will help organizations be proactive and see results, according to Mr. Sweeney. Additionally, senior executives should be responsible for prioritizing and executing security protocols and for sponsoring the CISO's threat assessments, he wrote.
As company leaders, senior executives are also tasked with spreading the message and culture of prioritizing cybersecurity. Mr. Sweeney recommends heightened education and training for midlevel and junior staff that includes role playing, scripts mimicking real-life attacks, and testing of systems and policies to determine their effectiveness.
"Defending against attacks is now a permanent part of senior executives' job descriptions. It's no longer enough to leave cybersecurity to annual reviews or a lone CISO," Mr. Sweeney wrote. "[Senior executives] need to establish the right partnership with the CISO so that security is part of every company initiative, not an afterthought."