Every business leader understands that, when it comes to cybersecurity, the stakes are extraordinarily high. CEOs tend to take notice when they read headlines about yet another big-name company being victimized by a massive data breach, or about industry forecasts suggesting that the annual cost of cybercrime losses and damage will hit $6 trillion by 2021.
However, does that mean top business leaders have meticulously prepared their organizations for a virtual worst-case scenario? The short answer: No.
In fact, a report by insurance firm Hiscox revealed that 73% of 4,100 organizations surveyed were not well-prepared for a cyber attack. And this is not because organizations are failing to invest in security — in the same survey, 72% of firms said they will increase spending on cybersecurity in the year ahead.
The first statistic above brings to mind the old saying that the first step to solving a problem is admitting that the problem exists. The second stat connects to the idea that trying to spend one’s way out of a problem is not the same thing as a solution.
The challenges include the fact that:
- Strong cybersecurity demands strong leadership from the top; however, most CEOs are not cybersecurity experts, and the technical nature of the subject matter can sometimes make discussions about it feel like a foreign language.
- Communication between the CEO and top IT security staff needs to be stronger.
- Finger-pointing is not uncommon when things go wrong.
- Every employee in every organization is a potential weak point but also a cybersecurity defender.
- The nature of the threat evolves continually as attackers come up with ever-more sophisticated strategies to commit wrongdoing.
So what can business leaders do to make sure they are truly walking the walk when it comes to effective cybersecurity leadership rather than just going through the motions? Well, there is no shortage of excellent reading material on this critical topic (see some of our recommendations below).
But because this issue is so important, we decided to try a different approach to shake things up a bit.
The following CEO Cyber Quiz examines the challenge facing executive and corporate leaders from a number of different angles while also offering valuable tips and information from the experts about leading an organization-wide cybersecurity program.
CEOs: Please Take a Moment to Complete This Cyber Security Quiz
Are you sufficiently paranoid about the risks your organization faces?
A robust cybersecurity strategy “is the bedrock of tomorrow’s intelligent business,” according to business consultant Accenture, whose advice to CEOs starts with the premise that “to accelerate the development of security capabilities, leaders must develop a healthy paranoia.” The good news: With billions at stake and nonstop reports of data breaches in the news, such paranoia would appear to be in strong supply.
Can you name five (5) organizations hit by a significant cybersecurity breach in recent years?
This should be an easy one thanks to the sheer magnitude and pervasiveness of the cybersecurity crisis, which has claimed victims across all types of public and private organizations including multinational corporations, governmental agencies, retail giants, restaurant chains, universities, social media heavyweights and more. Here is a partial list:
- The Department of Homeland Security, IRS, FBI, NSA, DoD
- Macy’s, Saks Fifth Avenue, Lord & Taylor, Bloomingdale’s
- Facebook, Reddit, Yahoo, eBay, LinkedIn
- Whole Foods, Arby’s, Panera Bread, Wendy’s
- Target, CVS, Home Depot, Best Buy
- Delta, British Airways, Orbitz
- Equifax, Citigroup, J.P. Morgan Chase
- The Democratic National Committee
- Adidas, Columbia Sportswear, Under Armour
- UC Berkeley, Penn State, Johns Hopkins
Is your organization vulnerable to cybersecurity finger-pointing?
Many organizations lack clear lines of responsibility when it comes to cybersecurity. A survey by BAE Systems found that “IT decision makers and C-suite executives believe the other is responsible in the event of a breach.” Specifically, 35% of C-suite respondents said their IT teams are responsible in the event of a breach; however, 50% of IT decision makers believed responsibility sits with their senior management and leaders.
This disconnect around potential threats, accountability and responsibility “creates gaps for attackers to exploit,” according to BAE, so it is imperative for CEOs to prioritize getting their organization on the same page.
Have you played any cyber attack “wargaming” simulation exercises lately?
You should consider this. C-level executives can now participate in “wargaming” simulations designed to prepare them for the most effective incident response in the event of an actual cyber attack. One such simulation, Game of Threats, was developed by PricewaterhouseCoopers to help senior executives and boards of directors strengthen their cyber defense skills. According to the narrator of a brief PwC video, “The interactive game challenges players and helps them to understand the steps they need to take to better secure themselves in a way that demystifies terminology and technology surrounding cybersecurity.”
What portion of your IT budget is invested in cybersecurity?
There is no right answer to this, but according to the Hiscox study cited above, the 4,100 companies surveyed reported spending an average of $11.2 million a year on IT, with 10.5% of that budget spent on cybersecurity. Overall, smaller firms (fewer than 250 employees) on average spent 9.8% of their IT budgets on cybersecurity versus 12.2% for larger organizations. Other reports suggest that funds dedicated to security typically make up 3-15% of an organization’s IT budget.
More important than the percentages is the need to invest wisely, according to Accenture. With the company’s “crown jewels” at stake, “funding means not only getting the basics right, but also using innovation to improve cybersecurity and data protection.”
Have you ‘checked all the boxes’ to complete your cybersecurity due diligence?
This is a trick question. So if you answered “yes,” we need to have a serious talk. The correct answer is that effective cybersecurity leadership is NOT something that can be achieved with a “but I checked all the right boxes” mentality.
How committed are you to creating a “security first” culture?
The reason we ask is that, even though conventional wisdom holds that cybersecurity is “everybody’s job,” for it to be truly effective, cybersecurity needs to be an organization-wide priority, with leadership that is consistently and strongly communicated from the top down.
Does your company provide ongoing cybersecurity training for employees at all levels?
If you answered no, make plans to get started on this tomorrow morning. Ongoing training at all levels of your organization is essential. Employees should receive training in password management and how to avoid email phishing and other hacking attempts; training should also include best practices for securing mobile devices, avoiding social media threats and more.
Gamification has also become a popular way to boost engagement in cybersecurity training among employees at all levels. Studies show that gamification, which uses activity-based exercises and incentives to encourage team-building around cybersecurity, delivers benefits including improved motivation, increased engagement, better performance feedback and enhanced productivity. Whatever protocols are used, experts emphasize that employee training must be ongoing, since the nature of threats continues to evolve.
Does your organization have cybersecurity insurance coverage?
If not, you should explore the costs and potential benefits of obtaining coverage. Though the market for cybersecurity insurance is still in its relative infancy, most major carriers now offer a range of options for cybersecurity insurance, policies that are usually customized to the unique needs and risks of the insured.
Since 2012, the Department of Homeland Security has been engaging key stakeholders (academia, infrastructure owners and operators, insurers, chief information security officers, risk managers) and others to “expand the cybersecurity insurance market’s ability to address this emerging cyber risk area.”
How familiar are you with the CIS Controls?
OK, nobody’s expecting you to name all 20 CIS Controls recommended by the Center for Internet Security as best practices to defend against cyber attacks. But you should have a working knowledge of these and other defensive frameworks (such as that put together by the federal government’s National Institute of Standards and Technology, NIST).
In fact, according to an executive summary and list provided by Tripwire, executives should not only be familiar with the CIS Controls; they should also “evangelize” them. The 20 controls are:
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- Maintenance, Monitoring and Analysis of Audit Logs
- Email and Web Browser Protections
- Malware Defenses
- Limitation and Control of Network Ports, Protocols and Services
- Data Recovery Capabilities
- Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
- Implement a Security Awareness and Training Program
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
According to NIST, which of these 5 items are your responsibility as an organizational leader?
- Managing and mitigating overall cyber-related business risks
- Establishing effective governance controls
- Prioritizing and resourcing cybersecurity programs
- Safeguarding the sensitive information you rely on for planning and decision making
- Establishing a cyber-secure culture within the organization
Correct, all of the above!
Yes, when it comes to your organization’s cybersecurity, “you are ultimately responsible.”
That’s the message in “Cybersecurity is Everyone’s Job,” a National Institute of Standards and Technology publication in which NIST offers this advice/pep talk for executive leaders:
Work with cybersecurity experts — externally and those you hire internally — to establish sound guidelines, be familiar with those guidelines, implement them yourself, and ensure that your teams know what they’re expected to do. Don’t be afraid to ask questions. Nobody expects you to understand cyber as well as you understand finance or operations, but everyone expects you to mitigate risks to the business — and cyber risks are real. Your job depends on how well you address the real risks of an often-unfamiliar subject.
Quiz Complete: How Did You Do?
If you’re like most CEOs, you passed the quiz but still have work to do in confronting this uniquely 21st-century challenge.
Now, here’s that additional reading material we promised. It should prove helpful as you move forward, skillfully balancing the “healthy paranoia” mentioned above with a renewed commitment to continually educating yourself about the risks, the evolving nature of the threat landscape and the defensive protocols you can bring to the fight to keep your organization as secure as possible.
- Cybersecurity Questions for CEOs — U.S. Department of Homeland Security
- Ten Key Questions CEOs Should Ask About Cybersecurity Readiness — Digital Guardian
- Four Cybersecurity Questions Every CEO Must Ask — Accenture
- What It Means To Have A Culture Of Cybersecurity — Forbes
- The Language of Risk: Bridging the Disconnect between the C-Suite and Cyber Security Experts — Tripwire
- Questions Every CEO Should Ask About Cyber Risks — U.S. Cybersecurity and Infrastructure Security Agency
About the Author: Michelle Moore, Ph.D., is academic director and adjunct professor for the University of San Diego’s innovative, online Master of Science in Cyber Security Operations and Leadership program. She is also a researcher, author and cybersecurity policy analyst with over two decades of private-sector and government experience as a cybersecurity expert.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.