November 19, 2014 By Marc van Zadelhoff 4 min read

Have No Regret: Five Security Principles a CEO Should Prioritize

IBM is committed to raising the profile of security within organizations to ensure that the chief executive officer (CEO) and his or her peers are taking security seriously enough. C-level executives are starting to share the responsibility for security, beyond just the chief information officer (CIO) and chief information security officer (CISO). The topic of security is now unquestionably a priority for the entire C-suite, and any organization that delegates security matters solely to the CIO is compounding its risk factors.

Why has this become so important? Breaches are everyday news, and their cost is soaring. According to a 2016 report from the Ponemon Institute, the average consolidated total cost of a data breach has now reached $4 million, up from $3.79 million the previous year. The risks are growing, and the impact is more serious. Organizations of all sizes and in all lines of business are being affected, and without effective safeguards, their brands, their reputations and even their future in business are at stake.

So what must a CEO do to safeguard the organization? At a recent Think Forum, IBM CEO Ginni Rometty outlined five principles that she terms “have no regret” actions.

“As CEO, you can never be doing enough on this topic,” she said.

These five actions should be of utmost concern to every executive who wants to embed core security principles throughout their operations. The following is a short overview of the practical advice Rometty offers:

1. Increase the Security IQ of Every Employee

Ensuring a culture of security throughout the organization is essential and should cover every employee, whatever their role, and extend to business partners. Train them, test them on their level of awareness and follow up with phishing exercises to see how well they actually respond to threats.

2. Prepare to Respond Faster

Always assume a breach has occurred or will occur. Being unaware of a breach does not mean one hasn’t taken place. Today’s attackers are skilled and crafty. They will use any means available to get past defenses, so prevention alone is not enough. All organizations need to prepare to respond as quickly as possible. Plan, practice and make sure the right security tools are in place.

3. Safeguard BYOD

There is no turning back the tide with BYOD. IBM is fully aware of this and has enthusiastically embraced BYOD. However, there must be safeguards in place. In a recent study, nearly half of organizations reported that security incidents related to the use of mobile devices have cost their organization in excess of $250,000 to remediate. For every CEO, any security incident related to the use of mobile devices should be a serious concern. Technology solutions need to be backed up with effective governance, policies and workforce education.

4. Protect Your Assets

As stated in the 2013 report from the Commission on the Theft of American Intellectual Property, around 70 percent of the value of publicly traded corporations is estimated to be intellectual property. Protecting such valuable information needs to be a priority for any CEO. It requires both technology and considerable effort in identifying, classifying and prioritizing assets according to risk, and then protecting them accordingly.

5. Leverage Security Intelligence

Given the number of threats every organization faces, manually sifting through data related to millions of events in a large enterprise network is a thankless task. Security is a big data problem. Applying big data analytics capabilities makes the task much easier, enabling organizations to sift through and analyze reams of data to gain actionable insight into what those events actually mean for the organization’s security posture. This way, more meaningful remediation decisions can be made.
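To make the "millions of events into one actionable alert" point concrete, here is a small correlation routine in Python. It is an added example for this article, not code from IBM or from any IBM product: it parses a handful of constructed, simplified syslog-style authentication lines (not real logs), and flags a source IP that racks up repeated failed logins and is then accepted from the same address within a short window, which is a common indicator of a guessed or stolen credential. The log format, the five-failure threshold and the ten-minute window are assumptions chosen for illustration; real tooling would tune these per environment.

```python
"""Correlate authentication events into an actionable alert.

Added example, not code from the original article or from IBM. It uses
constructed log lines in a simplified syslog-like format; the field layout,
thresholds and the alert shape are assumptions made for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Format:
#   <timestamp> <host> sshd: <Accepted|Failed> password for <user> from <ip>
SAMPLE_LOG = """\
2014-11-19T08:00:01 web01 sshd: Failed password for admin from 203.0.113.7
2014-11-19T08:00:03 web01 sshd: Failed password for admin from 203.0.113.7
2014-11-19T08:00:05 web01 sshd: Failed password for root from 203.0.113.7
2014-11-19T08:00:09 web01 sshd: Failed password for admin from 203.0.113.7
2014-11-19T08:00:12 web01 sshd: Failed password for admin from 203.0.113.7
2014-11-19T08:00:20 web01 sshd: Accepted password for admin from 203.0.113.7
2014-11-19T08:01:00 web01 sshd: Failed password for alice from 198.51.100.4
2014-11-19T08:45:00 web01 sshd: Accepted password for alice from 198.51.100.4
2014-11-19T09:00:00 db01 sshd: Accepted password for bob from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(text):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines are dropped, never guessed at
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a source IP that logs >= `threshold` failures within `window`
    and is then accepted from the same IP while those failures are still
    inside the window. Threshold and window are illustrative assumptions."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        failures = []
        for ev in evs:
            # keep only the failures that are still inside the sliding window
            failures = [f for f in failures if ev["ts"] - f["ts"] <= window]
            if ev["result"] == "Failed":
                failures.append(ev)
            elif len(failures) >= threshold:
                alerts.append({
                    "ip": ip,
                    "user": ev["user"],
                    "host": ev["host"],
                    "failures_before_success": len(failures),
                    "first_failure": failures[0]["ts"].isoformat(),
                    "success": ev["ts"].isoformat(),
                })
                failures = []  # one alert per burst, not one per later success
    return alerts


def summarize(events):
    """The numbers a decision-maker actually reads: raw events vs. alerts."""
    alerts = find_bruteforce_then_success(events)
    return {"events": len(events), "alerts": len(alerts), "details": alerts}


if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE_LOG)))
```

On the constructed input, nine events collapse to a single alert: the burst from 203.0.113.7 that ends in an accepted login for admin. Alice's lone failure followed by a success 44 minutes later falls outside the window and is correctly ignored; that suppression of benign noise is the whole value of correlating events rather than reading them one at a time.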

Download the full IBM Report: Cybersecurity perspectives from the boardroom and C-suite

Treat Cybersecurity as a Business Risk

To ensure these five principles become part and parcel of everyday operations, it is essential that the CEO is actively involved, setting the tone, enacting an effective governance model and ensuring the right policies are created and adhered to, no matter how unpopular they are among employees. This cannot happen without actively engaged senior leadership.

By following these basic security principles, security can become an enabler rather than an inhibitor, as many have traditionally seen it. Organizations will then be able to reap the benefits of the use of the latest interactive technologies in a secure manner to keep employees productive, shield themselves from harm and protect corporate reputations.

By leveraging technologies that continuously monitor and analyze events occurring across the network, organizations gain actionable insight into their current situation, which drives more informed decision-making and faster response to events.

However, this can only happen with active executive involvement. The tone has to be set from the top and driven down throughout the organization. The CEO must be actively involved in setting policies and developing an effective governance model that encompasses all parts of network operations. Cybersecurity is too great a challenge to be left to chance. It needs to be given a firm direction.

With these five principles ingrained throughout the organization, it will be easier to ward off and recover from incidents that do occur, protecting its brand and reputation and preventing costly sanctions and revenue losses. Organizations will be better able to embrace new technologies and ways of working that foster productivity and contribute to their competitiveness in a secure and efficient manner, allowing them to pursue their goals, rather than spend their time putting out fires.
