Playing the Blame Game
Companies around the world lost an estimated $445 billion due to cybercrimes last year. Despite the financial hit these organizations sustained, a survey by Goldsmiths revealed that more than 90 percent of executives and other C-Suite leaders aren’t prepared to handle future attacks. However, alarmingly, 40 percent of those leaders say they aren’t losing any sleep over the potentially enormous repercussions of a data breach. Instead, they are claiming ignorance and turning to their tech teams for damage control.
The problem with this approach is that sooner or later C-Suite members will be the ones held accountable. Boards members are paying closer attention to cybersecurity as a corporate priority, with more than 80 percent of directors making cybersecurity “a topic that is discussed at nearly every meeting.” While discussing cybersecurity at board meetings can help alleviate some legal stresses cybersecurity can place on a company, more needs to be done.
Of particular concern is how a breach can impact an organization’s reputational standing with customers and investors. Board members expect their executives to step up and take charge when a breach occurs. In fact, when it comes to assessing blame, the board will only call themselves out after they’ve called out the entire C-Suite, executive leaders, and security leaders.
In order to improve their security posture, there are two key initiatives that C-Suite members and the entire executive team must embrace to meet the board of directors’ expectations:
1. Close the Education Gap
Not only do more than 90 percent of executives feel ill-prepared to handle an attack, they also can’t make sense of a cybersecurity report. Lack of knowledge around the subject continues to be an issue that needs to be taken seriously.
For starters, the C-Suite should take advantage of educational and training opportunities that cybersecurity firms offer. With the chance to learn more about the different forms of risk cyber threats present, they will not only be able to better communicate those risks to the board, but they can also weave those risks into a corporate risk management strategy. It’s essential that boards equip their leaders and their staffs with appropriate knowledge resources and support.
2. Bring the Boardroom Together
While only representing two-months of data, a study The Economist conducted from January through February showed non-security personnel and security executives are sharply divided on how to handle cybersecurity. Chief Information Security Officers (CISOs) and Chief Data Officers placed cybersecurity as the top of the priority list for 2016. Meanwhile, CEOs, CFOs, and COOs ranked cybersecurity next to last on their list of major corporate initiatives.
The two sides of the room must be on the same page to develop a holistic cybersecurity plan that aligns with corporate policies and procedures. As it stands, non-security C-Suite members are responsible for leading the cybersecurity strategy for their respective departments, especially given how much critical data they manage.
Caleb Barlow, vice president at IBM Security explained, “While CISOs and the board can help provide the appropriate guidance and tools, CxOs in marketing, human resources, and finance, some of the most sensitive and data-heavy departments, should be more proactively involved in security decisions with the CISO.”
C-Suite executives may feel pressure from the board to improve cybersecurity preparedness, but they don’t have to shoulder the load on their own.
Delta Risk LLC provides training and educational services to help companies assess and prioritize their cybersecurity risks. In our latest whitepaper, we outline steps board members can take to establish a culture of cybersecurity throughout their company. Download our latest white paper to learn more, or contact us to speak with one of our consultants