CEOs need to defend their data and tackle cybersecurity, but they don’t have to do it alone
Craig McDonald
“As seen in a number of recent high-profile public failures, data breaches often uncover poor governance practices and weak management at the heart of companies, while also hitting their revenues and intangible assets such as reputation and trust. Cyber risk should also not just be the preserve of tech specialists. Company boards also need to ensure they understand and can effectively oversee these very particular risks.”
That’s Ovidiu Patrascu, a Schroders research analyst, talking about cybersecurity. Ovidiu is quoted in a Financial Times article looking at the way high-profile data breaches have reshaped the corporate perception of cyber-threat management. The article, co-authored by Attracta Mooney and Jennifer Thompson, is a very interesting read. It takes a sobering, economically oriented look at cybersecurity issues, and the conclusion is that cybersecurity should be a top priority for corporate management.
Every company is vulnerable
Even Facebook, one of the best-resourced companies on the planet with tech expertise to spare, was not invulnerable to an enormous data breach. Earlier this year Facebook suffered a major blow when the personal information of up to 87 million of its users was exposed. In the Financial Times article, Facebook is offered as a cautionary example to the reader.
“Facebook has been hit with a fine, a slowdown in user growth and a fall in its share price since news of the Cambridge Analytica data scandal broke in March,” the Financial Times reminds us. “For many investors, the fact that a huge technology company such as Facebook could suffer a data breach has hit home how vulnerable smaller or less tech-savvy businesses could be.”
This is a point that can’t be overemphasised. Those of you who’ve been reading my articles for a while will know that I come back to this issue repeatedly: no company is exempt from the risk of data breach.
Making an organisation’s data and systems secure is not a question of resources alone, but one of good management - tools, policy and process. A cybersecurity culture that is vigilant about controlling the flow of valuable IP and data starts at the top. It’s the C-level management who need to take the lead.
We need to turn alarm into action
Protecting a firm’s IP and data requires thoroughly considered processes and policies that can mitigate issues arising from crises like the one Facebook has encountered thanks to Cambridge Analytica.
Whether exposure of a company’s data results from fraud, cyber attack or negligence, protecting the interests of a company requires the same kind of cybersecurity vigilance and planning.
Good data protection allows a business to do the right thing by their customers and shareholders, while also insulating them from the severe financial harm that data exposures can cause.
In the FT article, there’s a quote from Rupert Krefting, M&G Prudential’s Head of Corporate Finance. M&G regard cybersecurity as a key risk, Rupert asserts, but comments that it’s hard for investment companies to accurately assess whether CEOs and boards really understand cyber threats because “they are not prepared to talk about it.”
That’s a key point, I think. In my experience - and from what I’ve come to understand by talking with my colleagues in the financial services industry like Steve Ingram - it’s not that CEOs don’t want to talk about cybersecurity, it’s more that they lack the vocabulary. That’s creating a situation where the most important decision-makers in organisations are failing to address cybersecurity not out of a lack of concern, but because they don’t know where to start the conversation.
As Steve Ingram said at a seminar we co-hosted earlier this year: “People are often saying that CEOs and boards don’t get it but I don’t agree with that anymore. They’re not technical and they don’t understand the intricacies of the technology but they certainly understand that this is a business issue and it’s one that they need to move on pretty quickly... We’re having record levels of positiveness from CEOs; bullish about macroeconomic growth. What’s interesting though, when you get down to what are the day to day risks, they’re probably also more worried than ever. In the past, it was about changes in customer buying behaviour, but those issues aren’t really on the radar at the moment. Running through the top ten of what they are most concerned about, number four is cyber.”
Steve really knows his stuff in terms of CEO thinking. He’s Cyber Lead with PwC Asia Pacific, so he’s got a detailed understanding of the way company management are dealing with online threats.
PwC’s latest CEO Survey showed “extreme concern” amongst respondents about cyber-threats had risen to a record 53%, outstripping over-regulation (50%), geopolitical uncertainty (44%), and even terrorism (43%).
While CEOs are clearly not ignoring the cybersecurity issue, they are not winning the battle either. PwC Australia conducted a comprehensive study of data breach incidents in July and found that a whopping 45% of companies were attacked by online criminals in the last two years.
There’s clearly a disconnect between the awareness of the cybercrime threat and the ability of senior management to act. That’s understandable because cybersecurity is a complicated, fast-evolving subject. If you’re a CEO confronting the challenge of managing your company’s online security, it’s going to look like a daunting task.
Government regulators and the public are increasingly looking to CEOs for answers when data breaches occur, but the average CEO probably doesn’t have the technical background to handle the issue.
In the current climate of alarm about data breaches, it’s inevitable that fingers will be pointed at CEOs whose companies are hacked, or suffer data breaches due to lax security practices. But it’s unrealistic to expect senior managers who don’t have specialised knowledge of cybersecurity to handle these problems in isolation. As Steve Ingram puts it: “Cybersecurity isn’t a problem that we can solve on our own. No one organisation, no one government can do it; we need everyone working together.”
Collaborative security culture
CEOs who want to create stronger defences for their companies need to focus on opening dialogue as a top priority.
Cybercrime and the necessity of data protection are here to stay. With the rapid evolution of the world’s integrated online economy, the importance of cybersecurity is only going to increase.
CEOs can’t solve the cybersecurity puzzle themselves, but it is their responsibility to create a cybersecurity culture in their organisations.
C-suite executives don’t need to become cybersecurity specialists, but they need to feel confident they understand the real threat environment so they can hire the right people and implement the right defensive strategy.
Effective security policy is developed by looking outward to find better solutions, and that can’t happen if companies are trying to use outmoded systems designed to tackle the cybercrime of five years ago.
As Prudential’s Rupert Krefting insightfully says in his comments to the Financial Times: “when we talk to companies about this, they often clam up, either because the CEO or chair doesn’t know about it or it is delegated to the chief information officer or someone below the board, or they say this is too sensitive. We want policies on governance and structures and how they are approaching cyber... We want to see processes and that they are doing testing and that the right controls are in place.”
A cybersecurity guide for CEOs
I've spent a lot of time talking to CEOs about their cybersecurity concerns over the last fifteen years.
I ended up feeling that there should be a simple, step-by-step guidebook for execs so they can confidently talk about cybersecurity issues.
“That’s a book we’d like to read,” I kept hearing, so I wrote it.
If you would like to learn more about the complex cybersecurity challenges facing businesses, please download my e-book Surviving the Rise of Cybercrime. This plain English handbook explains the most common threats and provides essential guidance on managing risk.
“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal.
Download your copy of Surviving the Rise of Cybercrime for free, here.
Hi, I’m Craig McDonald.
Follow me on social media to keep up with the latest developments in business cybersecurity; I'm active on LinkedIn and Twitter.
I’d really value your input and comments so please join the conversation.