In previous blogs, we discussed Commander’s Intent for CEOs and introduced 10 questions CEOs should be asking their teams.
This week covers the final question in the series but does not complete the cybersecurity conversation for CEOs. This should never end. Security must be an ongoing program that changes over time with your business. I’ve tried to keep these blogs concise because I understand how valuable your time is. That being said, security professionals need your help building a culture that supports security and minimizes cyber risk. In today’s world, cyber is business and cybersecurity keeps the business up and running. We must evolve our thinking at every level to achieve the goals of information security.
Today we ask the tenth (and final – for now) question:
“What do I need to know today that I don’t already?”
This question will give the team managing the security and availability of your systems the ability to bring up anything that may have changed or that you may need to know.
CEOs and executives continue to be targeted. The most famous attack group is “Dark Hotel.” This group has been around for more than 10 years and continues to change tactics to target CEOs and business travelers around the globe. Threats vary depending on what your company does, who you work with, and where you do business. Asking this question will allow the team an opportunity to give you information to help protect you on travel or at home.
Certain parts of the world are a cesspool of malicious actors waiting to go after your data as soon as you connect. Allow your team to educate you and give you situational awareness. If you were going to a part of the world where the chances of physical kidnapping were high, you would probably want to know, right? You may take steps to protect yourself from it. Cybersecurity is no different, except most organizations can’t see the crime until it makes the news.
Cybersecurity is fast moving, and what was true yesterday may not hold true today or tomorrow. Projects may fail to achieve goals. People may come or go in the organization. New applications are launched all the time. The bad guys are crafty. They share data and change rapidly, and it can be very hard for companies to keep up.
Sometimes, these rapidly changing circumstances require something to take priority that didn’t before. Maybe it’s a patch that needs to be put out in the middle of a work day, maybe it’s less intrusive. Whatever the case may be (and don’t be fooled), there will always be a case. Asking this question gives your team an opportunity to explain the issue and get support for the path ahead. They will need an opportunity to bring up anything not previously covered by the other nine questions.
I wrote this series to educate business leaders out there. I see a lot of mistakes being made. I see the same things tried over and over and results that end up costing everyone. It’s almost every day we hear about another breach and, as a consumer, it worries me how these incidents are being handled. Breaches will happen. Make no mistake about that. Consumers aren’t asking for perfection, but they are asking for honesty and transparency when it comes to their data. Don’t ever forget that some other CEO is responsible for your data. None of us depend on our teams alone. I encourage all of you to meet and talk about cybersecurity as well as business development.
CEOs are being fired for cyber negligence now. They have appeared on Capitol Hill. Consumers are demanding secure and private data. National security compels positive action on cybersecurity. You may not think you are a target, but consider someone you do business with. Consider your customers. Consider our democracy.
There are no shortcuts in cybersecurity. It takes a steady focus on the people, processes, and technology in your organization. It takes everyone in the organization playing their part to mitigate risk. We need more leaders to step up on this issue. We can’t do this without you. We need leadership from the top down to achieve a world safe from cyberattacks. As a leader you must think of cyber risk the same way you think of business risk. If you begin to do that, I can’t promise there won’t be bumps in the road but they won’t hurt as bad when you do hit them.
Cybersecurity is about constant iteration, failing fast, and making rapid changes. If you can help create and foster an organization that embraces cybersecurity, you have a real shot at staying secure for the entire lifespan of your company.
Consider that the biggest risk to your company from a technology perspective is cybersecurity. It’s up to you to build an organization that’s resilient to cyberattacks. In the end, it always comes down to leadership.