The 5 "C"s of CyberSecurity

Every company has concerns regarding their cyber-security capabilities and the protection of their assets. Most organizations rank it among their top four concerns. However, a deep dive into their security programs often reveals that the real concerns are about external image and costs. The primary responsibility for security usually rests on the shoulders of the Chief Information Security Officer (CISO) or the employee acting in that role. In smaller companies, this role might even be filled by someone as unlikely as the front desk administrator.

Why do I believe this? Just look at the evidence. Who in the company truly understands the current cyber landscape? It's the CISO (or the person fulfilling the CISO role) and their team. Who conducts continuous training on evolving cyber-attack strategies? Again, it's the CISO and their team. Who attends seminars and participates in associations focused on the latest cyber-attack trends? The answer remains the same: the CISO and their team.

The rest of the C-suite may claim they are focused on cyber-security, but are they genuinely contributing to making the company as secure as possible? Are they asking the right questions, staying updated with current knowledge, and providing input into the corporate security program design and awareness initiatives? In most cases, while C-level employees may understand cyber security superficially and keep up with news about current issues, they often lack a deep understanding of the underlying cyber-attack vectors and the controls needed to prevent and recover from attacks.

This is concerning because the top five operational C-level executives are involved in managing, operating, and funding the security program to some extent. Yet, they rarely have the current knowledge required to make fundamental support decisions and provide the direction needed to complement the CISO's knowledge and efforts. I have worked for companies on both ends of the spectrum and have been fortunate enough to work with a "C" team that was highly knowledgeable to the current cybersecurity landscape, making the job as CISO much easier to integrate into the culture and business needs of the company.

The alignment above creates a clear framework for assigning cybersecurity responsibilities to key executives within the organization. Cybersecurity is an all-or-none solution. If one employee (no matter what their role is) doesn’t support the cybersecurity program, they become the weak link that can compromise the entire program. One weak link can cause the chain that supports your cybersecurity program to fall apart, resulting in its ineffectiveness.

Now, I’m not stating that the other “C” levels should be experts in cybersecurity, but they should be up to speed and aware of cyberattack changes and the current landscape. This may involve attending a couple of two-hour seminars per month. The result would be a broader understanding of the cybersecurity landscape across the company and a better grasp of what can and should be done to protect the company as threats evolve. Changes in cybersecurity protections and processes come frequently and rapidly as attackers adjust their strategies.

There are two exceptions to the above knowledge increase of up to four hours per month across the C-level team.

The first exception is the obvious one: the CISO. They should be learning new things and researching changes in the cybersecurity landscape daily. If the CISO is not current and working with the correct organizations to stay updated, then your cybersecurity plan is outdated.

The second exception, which is equally important, is the CIO. The CIO is responsible for the controls and how they support regulations, provide resiliency, and promote continuity planning that supports quick recovery, minimal impact, and limited costs of a cyber-attack. The CIO and their team should be up-to-date on technology advancements and infrastructure security protocols, which are evolving much faster than they did five years ago. Five to ten years ago, a CIO was probably hired based on their knowledge of IT infrastructure (50%), leadership and business acumen (40%), and technology security (10%). This mindset must change. Outside of your employees (all employees) being your first line of defense, your second line of defense is your IT infrastructure, hardware, software, etc., which is controlled by the CIO. With the rapid changes in the cyber-attack landscape, the CIO and their team must provide solutions that are flexible, easy to manage, meet the business's changing risks and needs, and accommodate the ever-changing regulations and requirements of local, state, and regional governments and regulatory authorities. This shift has become a significant factor in hiring decisions for CIOs. Today, forward-thinking companies are looking to hire CIOs with some cybersecurity background, rather than just a technology background. I've seen examples of the knowledge breakdown for a modern CIO as follows: technology (30%), business acumen and leadership (30%), and cybersecurity knowledge (30%). With the rise of cloud services, AI, and the increasing technical expertise of the employees who support a CIO, this shift is not only acceptable but somewhat required. A strong foundation in cybersecurity for your IT leadership offers many advantages, especially in a landscape that is highly active and continuously changing, impacting a company’s bottom line and reputation (many businesses cannot recover from a major cyber or ransomware attack).

With the evolving roles and requirements for the full C-level team supporting cybersecurity, some may ask if an executive-level CISO is really necessary. The answer is unequivocally yes. The CISO remains the primary owner of the company’s cybersecurity posture. They need the time and resources to focus full-time on the ever-changing landscape. Their decisions and input are as impactful to a company as any other decisions made by the C-level team. Having your CISO as part of your executive team ensures that cybersecurity efforts are aligned with the company's goals and direction from the top down.

However, the combined effort of the 5 Cs is crucial. Each executive's involvement ensures a holistic and comprehensive approach to cybersecurity, where culture, compliance, currency, controls, and continuity are all addressed. This collective support and augmentation of the CISO's efforts create a robust security framework, enabling the company to effectively combat cyber threats and protect its assets. By working together, the C-level team can foster a resilient cybersecurity environment that adapts to evolving risks, ultimately safeguarding the organization's future.

The Importance of the 5 Cs

The 5 Cs of cyber-security—CEO/Culture, COO/Compliance, CFO/Currency, CISO/Controls, and CIO/Continuity—are crucial for supporting and augmenting the CISO and the company’s cybersecurity plan. When each C-level executive embraces their specific cybersecurity role, they contribute to a holistic defense strategy. This collaborative approach ensures that cybersecurity is integrated into every facet of the organization, creating a resilient and responsive defense against cyber threats. The combined efforts of the C-suite in promoting a security-aware culture, ensuring regulatory compliance, managing financial risks, implementing robust controls, and maintaining IT continuity provide a solid foundation that enhances the effectiveness of the CISO's leadership and the overall security posture of the company.