You hired a top-flight CIO to create your cybersecurity strategy. So, your company can rest easy.
Well, not quite, Steve Durbin argues.
“Cybersecurity isn’t just about technology,” said Durbin, managing director of the Information Security Forum. “A very significant proportion of cybersecurity is about people, it’s about the culture of the organization, it’s about how we perceive our role in that technology/people interaction. And I think leaving it all to the CIO is a mistake.”
Even with a CISO added to the mix, cybersecurity remains a huge challenge for any organization, at every level. And big gaps can open in any company’s strategy, especially if the end goal falls short of a fully cyber-resilient culture.
That means cybersecurity needs to be top of mind for the board, the senior leadership team, and workers at every rank.
And it’s up to the CEO to tie it all together.
“It has to come from the top,” Durbin explained. “This is a leadership issue, and the CEO is the person who is putting together the team. The CEO sets the tone across the enterprise.”
That means the CEO must make security central to every discussion, whether about innovation, new initiatives, or expected business outcomes.
“These conversations are complicated,” Durbin added. “They do need to go into all different elements of exactly how the business is structured, how it is using technology, how it is gathering and storing information, but also about understanding the overall risk profile and what is acceptable.”
When, Not If

Cybersecurity discussions simply must include the board, Durbin stresses. Only then can a company be prepared for a worst-case scenario.
“The CEO’s job is also to bring the board up to the right level of understanding around the cyber profile that he or she is creating across the enterprise,” he said, “and prepare the way, I think, for the day when a breach happens. Because now we have to talk about not if but when.”
That means thinking beyond a breach’s immediate impact on operations, the stock price, or brand equity. A cyberattack also undermines the very heart of an organization. And if leaders are not careful, a culture of bold innovation will be replaced by one of caution.
“It’s very difficult during that time to encourage more innovation,” Durbin warned. “Your focus is going to be getting things back on track, getting things back up and running, reassuring your board, reassuring your stakeholders, your employees, your customers, your third parties.”
Difficult, but not impossible, Durbin adds. Relentless preparation ensures that a company will be ready to resume a high level of competition as quickly as possible.
“The key to all of this is to rehearse the breach,” he explained. “Because we know it’s going to happen, to then go through how you are going to react from the point at which you discover it right through to the rehab process.”
That planning should encompass every corner of the company.
“We need to be going through the process very clearly,” he said, “in detail, at all levels of the organization. All of the C-suite have to make sure that that then permeates down through the departmental level to each and every individual employee. From the perspective of how do we, yes, get back up and running, but how do we make sure that it doesn't adversely impact the overall strategic direction.”
For starters, Durbin stressed, employees should stop viewing security teams as “traffic cops, giving out parking tickets.” Instead of a rules-based cybersecurity strategy, every employee should feel part of a larger mission — with the awareness that a serious breach can begin with one thoughtless click or errant flash drive.
“I always encourage organizations to engage much more with the business leaders, with the heads of HR in particular, to really look at how they can embed a positive cyber culture across the enterprise.”
HR, he adds, is but one under-used resource for spreading higher security consciousness.
“We have to be playing a much better team game across the enterprise,” Durbin said. “We do have to be including people who do this for a living. I'm thinking in particular of marketing.”
Cyber-Resilience: It’s All About Growth

The days when technology could be left to the technologists alone are gone, Durbin stresses. Today’s CEOs don’t have to be certified technical experts. But they do need to assimilate the best advice from carefully selected advisors and convey a clear message of cybersecurity as a driver of growth and innovation.
“It’s about articulating the overall direction that the business is going to be taking,” he clarified, “and explaining the implications from a technology standpoint of achieving that [along with] the cost. It’s about trying to bring all of those together in a way that is acceptable to the business but also in a way that is acceptable to the board.”
Cybersecurity has to be at the center of that overall direction. And despite the daunting challenges of an ever-expanding threat landscape, the message can be positive.
“When I think about a cyber-resilient culture,” he said, “it is not about preventing people from doing things. It is one that says, ‘We have fantastic opportunities.’ Cyber has enabled so much in terms of business. The flexibility that people have to work remotely, the access that people have to information that they wouldn't otherwise be able to get a hold of.”
Cyberthreats aren’t going away anytime soon, especially as new technologies like AI up the ante. But a security-conscious culture — and vigorous leadership from the CEO — can go a long way toward lessening risk and ensuring a future of growth and innovation.
“It does present challenges,” Durbin concluded, “but actually it’s a very, very positive message. And so, when we then look at cyber resilience, it isn't about damping any of those down, it's about saying, ‘Given this environment that is so very exciting and fast-moving, what can we do to be safer, to be more effective?’”