Have No Regret: Five Security Principles a CEO Should Prioritize
IBM is committed to raising the profile of security within organizations to ensure that the chief executive officer (CEO) and his or her peers are taking security seriously enough. C-level executives are starting to share the responsibility for security, beyond just the chief information officer (CIO) and chief information security officer (CISO). The topic of security is now unquestionably a priority for the entire C-suite, and any organization that delegates security matters solely to the CIO is compounding its risk factors.
Why has this become so important? Breaches are everyday news, and their cost is soaring. According to a 2016 report from the Ponemon Institute, the average consolidated total cost of a data breach has now reached $4 million, up from $3.79 million the previous year. The risks are growing, and the impact is more serious. Organizations of all sizes and in all lines of business are being affected, and without effective safeguards, their brands, their reputations and even their future in business are at stake.
So what must a CEO do to safeguard the organization? At a recent Think Forum, IBM CEO Ginni Rometty outlined five principles that she terms “have no regret” actions.
“As CEO, you can never be doing enough on this topic,” she said.
Because these five actions should be of utmost concern to every such executive seeking to embed core security principles throughout their operations, the following is a short overview of the practical advice Rometty offers:
1. Increase the Security IQ of Every Employee
Ensuring a culture of security throughout the organization is essential and should cover every employee, whatever their role, and extend to business partners. Train them, test them on their level of awareness and follow up with phishing exercises to see how well they actually respond to threats.
2. Prepare to Respond Faster
Always assume a breach has occurred or will occur. Being unaware of a breach does not mean one hasn’t taken place. Today’s attackers are skilled and crafty. They will use any means available to get past defenses, so prevention alone is not enough. All organizations need to prepare to respond as quickly as possible. Plan, practice and make sure the right security tools are in place.
3. Safeguard BYOD
There is no turning back the tide with BYOD. IBM is fully aware of this and has enthusiastically embraced BYOD. However, there must be safeguards in place. In a recent study, nearly half of organizations reported that security incidents related to the use of mobile devices have cost their organization in excess of $250,000 to remediate. For every CEO, any security incident related to the use of mobile devices should be a serious concern. Technology solutions need to be backed up with effective governance, policies and workforce education.
4. Protect Your Assets
As stated in the 2013 report from the Commission on the Theft of American Intellectual Property, around 70 percent of the value of publicly traded corporations is estimated to be intellectual property. Protecting such valuable information needs to be a priority for any CEO; doing so requires both technology and considerable effort in identifying, classifying, protecting and prioritizing assets according to risk.
5. Leverage Security Intelligence
Given the number of threats every organization faces, manually sifting through data related to millions of events in a large enterprise network is a thankless task. Security is a big data problem. Applying big data analytics capabilities makes the task much easier, enabling organizations to sift through and analyze reams of data to gain actionable insight into what it actually means to the organization’s security posture. This way, more meaningful remediation decisions can be made.
Treat Cybersecurity as a Business Risk
To ensure these five principles become part and parcel of everyday operations, it is essential that the CEO is actively involved, setting the tone, enacting an effective governance model and ensuring the right policies are created and adhered to, no matter how unpopular they are among employees. This cannot happen without actively engaged senior leadership.
By following these basic security principles, security can become an enabler rather than an inhibitor, as many have traditionally seen it. Organizations will then be able to reap the benefits of the use of the latest interactive technologies in a secure manner to keep employees productive, shield themselves from harm and protect corporate reputations.
By leveraging technologies that continuously monitor and analyze events occurring across the network, organizations gain actionable insight into their current situation, which drives more informed decision-making and faster response to events.
However, this can only happen with active executive involvement. The tone has to be set from the top and driven down throughout the organization. The CEO must be actively involved in setting policies and developing an effective governance model that encompasses all parts of network operations. Cybersecurity is too great a challenge to be left to chance. It needs to be given a firm direction.
With these five principles ingrained throughout the organization, it will be easier to ward off and recover from incidents that do occur, protecting its brand and reputation and preventing costly sanctions and revenue losses. Organizations will be better able to embrace new technologies and ways of working that foster productivity and contribute to their competitiveness in a secure and efficient manner, allowing them to pursue their goals, rather than spend their time putting out fires.