Have No Regret: Five Security Principles a CEO Should Prioritize

IBM is committed to raising the profile of security within organizations to ensure that the chief executive officer (CEO) and his or her peers are taking security seriously enough. C-level executives are starting to share the responsibility for security, beyond just the chief information officer (CIO) and chief information security officer (CISO). The topic of security is now unquestionably a priority for the entire C-suite, and any organization that delegates security matters solely to the CIO is compounding its risk factors.

Why has this become so important? Breaches are everyday news, and their cost is soaring. According to a 2016 report from the Ponemon Institute, the average consolidated total cost of a data breach has now reached $4 million, up from $3.79 million the previous year. The risks are growing, and the impact is more serious. Organizations of all sizes and in all lines of business are being affected, and without effective safeguards, their brands, their reputations and even their future in business are at stake.

So what must a CEO do to safeguard the organization? At a recent Think Forum, IBM CEO Ginni Rometty outlined five principles that she terms “have no regret” actions.

“As CEO, you can never be doing enough on this topic,” she said.

These five actions should be of utmost concern to every executive who wants to embed core security principles throughout the organization's operations. The following is a short overview of the practical advice Rometty offers:

1. Increase the Security IQ of Every Employee

Ensuring a culture of security throughout the organization is essential and should cover every employee, whatever their role, and extend to business partners. Train them, test them on their level of awareness and follow up with phishing exercises to see how well they actually respond to threats.

2. Prepare to Respond Faster

Always assume a breach has occurred or will occur. Being unaware of a breach does not mean one hasn’t taken place. Today’s attackers are skilled and crafty. They will use any means available to get past defenses, so prevention alone is not enough. All organizations need to prepare to respond as quickly as possible. Plan, practice and make sure the right security tools are in place.

3. Safeguard BYOD

There is no turning back the tide with BYOD. IBM is fully aware of this and has enthusiastically embraced BYOD. However, there must be safeguards in place. In a recent study, nearly half of organizations reported that security incidents related to the use of mobile devices have cost their organization in excess of $250,000 to remediate. For every CEO, any security incident related to the use of mobile devices should be a serious concern. Technology solutions need to be backed up with effective governance, policies and workforce education.

4. Protect Your Assets

As stated in the 2013 report from the Commission on the Theft of American Intellectual Property, around 70 percent of the value of publicly traded corporations is estimated to be intellectual property. Protecting such valuable information needs to be a priority for any CEO as it requires both technology and considerable effort in identifying, classifying, protecting and prioritizing assets according to risk.

5. Leverage Security Intelligence

Given the number of threats every organization faces, manually sifting through data related to millions of events in a large enterprise network is a thankless task. Security is a big data problem. Applying big data analytics capabilities makes the task much easier, enabling organizations to sift through and analyze reams of data to gain actionable insight into what it actually means to the organization’s security posture. This way, more meaningful remediation decisions can be made.

Treat Cybersecurity as a Business Risk

To ensure these five principles become part and parcel of everyday operations, it is essential that the CEO is actively involved, setting the tone, enacting an effective governance model and ensuring the right policies are created and adhered to, no matter how unpopular they are among employees. This cannot happen without actively engaged senior leadership.

By following these basic security principles, security can become an enabler rather than an inhibitor, as many have traditionally seen it. Organizations will then be able to reap the benefits of the use of the latest interactive technologies in a secure manner to keep employees productive, shield themselves from harm and protect corporate reputations.

By leveraging technologies that continuously monitor and analyze events occurring across the network, organizations will be provided with the actionable insight into the current situation in order to drive more informed decision-making and respond faster to events.

However, this can only happen with active executive involvement. The tone has to be set from the top and driven down throughout the organization. The CEO must be actively involved in setting policies and developing an effective governance model that encompasses all parts of network operations. Cybersecurity is too great a challenge to be left to chance. It needs to be given a firm direction.

With these five principles ingrained throughout the organization, it will be easier to ward off and recover from incidents that do occur, protecting its brand and reputation and preventing costly sanctions and revenue losses. Organizations will be better able to embrace new technologies and ways of working that foster productivity and contribute to their competitiveness in a secure and efficient manner, allowing them to pursue their goals, rather than spend their time putting out fires.