The challenge with CEO commitment
Most companies and security leaders I talk to share the same challenge: getting sufficient commitment from the Chief Executive Officer (CEO). We all know why: the CEO already has a lot on their plate, and cyber risk may at first glance look too tactical to be a C-suite and boardroom discussion.
CEO perception has to change
Why is that? Simply because CEO commitment is the single most cost-efficient weapon for protecting your company against security threats. I know that for a fact, and I have seen it unfold in practice.
If you look at the different business functions in a company and understand how they work from a leadership perspective, you may see where information and cyber security typically end up in people's minds. Most companies have a number of corporate functions, and underneath those a number of business lines, all depending on the size and nature of the company. Most business lines are strategic, while the supporting functions are typically tactical, and security often falls under the latter.
Most tactical functions have their own leadership and a defined set of tasks to undertake, and they rarely depend on others to do the work for them. With or without frequent top management commitment, they get the work done and succeed in their achievements.
Security cannot be compared with traditional support functions
With information security and cyber security this is different, because security leadership is, more than anything, an orchestration of the leaders of the entire company, very similar in principle to the undertaking of the CEO.
So the difference between security and other business activities is that you rely on others prioritizing security work amongst everything else they do.
This applies to business impact assessments, input to risk analysis, business continuity planning, and the understanding and classification of data, to mention a few of the more academic activities. It is equally true of most technical activities, such as patch management, perimeter security, and having HR work efficiently with the identity and access management technologies.
That said, no security can be achieved without technology investments of different kinds, because of the volumes of data and the sophistication of attacks. In fact, in our recent IBM Chief Information Security Officer (CISO) Assessment, many security leaders view foundational and functional security technologies as the most vital components for their organization. But even in the technology field, strong top management commitment makes security much more cost-efficient, because the security leader then has the authority to avoid fragmented solutions, short-term investments and less efficient solutions.
A real life example
I once worked for a CEO who seriously catered to security, simply because he understood that most assets have a data aspect to them, so he simply wanted to protect the company's assets. He placed himself at the head of the Security Committee's table, and he personally followed the development over time with meetings every six months.
Imagine the effect that has on all leadership underneath him!
Just a minor re-prioritization made a world of difference to the actual security level in a particular business unit, and just one polite letter from the CEO to a continuously non-performing line manager spread like wildfire amongst his peers, and a lot of commitment started appearing across the entire organization.
This is the single most efficient and low-cost weapon against the latest threats. Combined with efficient and coherent security technologies, experts and strong processes, it will make you utterly unattractive as a victim of cyber threats. As you think about your overall security approach, consider the following questions:
- Do you have a CISO, or a similar position – a single, authoritative leader for information security?
- Do you have a security strategy that the Board and C-suite participate in developing?
- Do you understand enterprise risk and security’s role in it? Are you deeply integrated in risk processes?
- Do you have a broad set of metrics (technical, business, risk) that are communicated widely?
- Are you actively fostering strong relations and building trust with key business stakeholders?