
CEOs: The Key To Data Breach Prevention Is Culture

It's safe to say that cyber security is a top concern for CEOs today: a recent survey by PwC found that 87 percent of CEOs feel somewhat-to-extreme concern about cyber security. And it should be. CEOs are increasingly being held accountable for their company's data breaches, and in extreme cases like Target and Sony, have lost their jobs as a result.

Yet as data breaches continue to occur in record numbers, it's painfully obvious that there is no silver bullet when it comes to securing sensitive data, and massive vulnerabilities remain. Recent breaches like Yahoo!'s serve as stark examples of how lax security practices can quickly wreak havoc on a company's reputation. In Yahoo!'s case, the need to create better interfaces and boost user retention took precedence over enhancing security practices.

This raises the question: with all we know about breaches and how to prevent them, why are hackers still one, and in some cases several, steps ahead of us?

Many point fingers at inadequate security protocols, the use of antiquated or incomplete technology or internal resource limitations as reasons why companies have not yet cracked data protection. As a CTO who has evaluated and managed the application of numerous security technologies and related processes, I ultimately believe that the need for a sound security culture is even more important than the basic building blocks of protocols and software.

Establishing a security-oriented organizational culture is difficult to do, yet it is vital to closing the security gaps that exist in even the most technology-savvy and risk-aware organizations. In my opinion, the most effective programs start from the top, putting the onus on executive leadership to set the tone that all employees should follow. This means changing behaviors, breaking habits, following through and reinforcing a new mindset for the company as a whole. Here's how you can start creating and enforcing a culture that puts security first.

Stay Informed and Provide Resources

Cyber security education is almost as important as enforcement, so it's crucial for CEOs and other leaders to be well versed in how the company is guarding against, and ready to respond to, cyber threats. This requires close collaboration with those closest to security strategy and implementation.

That collaboration cannot be taken for granted. According to a survey from ISACA and RSA Conference, only 1 in 7 CISOs report to the CEO, creating an environment where critical strategies and priorities may be misaligned. There are a few ways CEOs can work more effectively with security and technology leadership to ensure that information is available and easily accessible to all executives, as well as the rest of the organization:

  • Hold regular check-ins with key security stakeholders, including those that are central to security-related crisis response management.
  • Work to build an internal portal to house all security documents, policies and procedures. Make it accessible to all employees at all times.
  • Mandate security computer-based training (CBT) for everyone, executives included, so that everyone learns to recognize common threats.
  • Continue to learn from resources on the web and attend industry conferences.
  • Regularly encourage questions from all employees and answer them quickly. At Diligent, there is an email address that streams questions to the security team, myself included. This not only helps provide answers when advice is needed, but it also keeps the security team aware of any red flags that need to be evaluated further.

Eliminate Exceptions to the Rule - Starting with You

When it comes to effective data security, employees from the mailroom to the boardroom must be held accountable for following established security protocols. Yet senior-level executives, including board members, are often the worst offenders. For example, it's not uncommon for a time-constrained executive to seek a 'just this one time' exception or, worse, devise his/her own work-around in an attempt to stay connected to the office (often insecurely) while on the road.

Allowing exceptions also sends the message that the same behavior may be acceptable next time. In short, 'just once' can quickly spiral into new workflows that go against the grain of proper security and put the organization at risk.

As a CEO, you must be the most stringent follower of the rules set by your security leaders. This means requesting access through the proper channel if you need a restricted file, properly disposing of confidential documents and following policies on personal devices, networks and the cloud. Employees will soon recognize your unwavering commitment to upholding your company's data security and privacy standards, and will feel more accountable for doing the same, ultimately reinforcing a corporate culture that holds security to the highest standard.

Assemble a Top-Notch Task Force

CEOs who want to put data protection and security first must have direct support and buy-in from others in the C-suite, as well as from other key influencers within the organization. These are the people who will not only sit at the helm of your risk management and incident response strategy, but also reinforce your security culture within their individual lines of business.

At Diligent, for example, our crisis response group proactively practices various security scenarios and responds to issues as they arise. This group is specifically made up of senior leadership from the company, ensuring that each person is aware of his/her responsibilities as well as the security implications and consequences if protocols are not followed. It also prepares executives for multiple scenarios that may arise and helps to keep security best practices top of mind. In the case of a breach, the scenario would have been practiced and planned for, leading to a smoother recovery process.

As a CEO, formalizing this type of task force ensures that all senior-level leaders (technology, HR, finance, marketing, sales, etc.) receive the specialized training and preparation needed to help manage evolving security threats to the business.

Properly Incentivize Executives

While monetary incentives and rewards may work for most employees, the executive team is motivated by different means: job security, brand reputation, regulatory compliance and stock valuation are all powerful motivators for the C-suite. Some may also have vested interests in the business, so they care deeply if the value of the company falls in the aftermath of a breach. Any CEO looking to incentivize those at the top should consider the following:

  • Discuss risks with third-party partners and learn from past horror stories. Partners are often open to sharing insider details and lessons learned from finding a resolution.
  • Set up hypothetical situations to predict the financial and reputational impact to the company.
  • Meet with other CEOs to compare notes and discuss security matters. Sometimes a peer's account is what it takes to make the case for boosting security and meeting compliance obligations.

Set an Example - Walk the Walk

Most people like to think that CTOs and other C-suite executives have significant leniency and unrestricted access in their organizations. While I lead and manage about 50% of my company's total technology, I still believe that it is essential for everyone, myself included, to follow the same set of rules on everything from gaining access to systems to secure file-sharing.

For example, I don't allow myself access to any systems or locations that are not necessary for my role. If I do need access, I'll submit a formal request through my IT security team, limiting my access time. This also serves another purpose: documentation, ensuring that all 'non-traditional' permissions are recorded and can be referred to in the case of an incident. In the world of cyber security, no one is above the law. By following strict protocols, I am setting an example not only for my team, but for the broader organization that considers me an authority. My advice to CEOs and other executive leadership? Follow suit and do the same. Set the example, and hold yourselves to the same standards you expect your employees to follow.
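The practice described above has three concrete properties worth building into tooling: access is requested rather than assumed, it is bounded in time, and every decision leaves a record. The following is an added example (not Diligent's tooling, and not code from the original article) that models a just-in-time access registry with those properties in Python. The role names, resource names, the eight-hour policy ceiling and the incident reference are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    """One approved, time-boxed permission. Frozen so the record cannot be edited after the fact."""
    user: str
    resource: str
    approver: str
    reason: str
    granted_at: datetime
    expires_at: datetime


class AccessRegistry:
    """Active grants plus an append-only audit trail of every decision taken."""

    def __init__(self, max_duration=timedelta(hours=8)):
        self.max_duration = max_duration   # policy ceiling on any single grant (assumed value)
        self.grants = []
        self.audit_log = []

    def _record(self, event, **details):
        self.audit_log.append({"event": event, **details})

    def request(self, user, resource, approver, reason, duration, now):
        """Approve a grant only if someone else signs off and it fits the policy window."""
        if approver == user:
            self._record("denied", user=user, resource=resource, why="self-approval")
            raise PermissionError("requester cannot approve their own access")
        if duration > self.max_duration:
            self._record("denied", user=user, resource=resource, why="duration exceeds policy")
            raise ValueError(f"requested {duration}, policy allows at most {self.max_duration}")
        grant = Grant(user, resource, approver, reason, now, now + duration)
        self.grants.append(grant)
        self._record("granted", user=user, resource=resource, approver=approver,
                     reason=reason, expires_at=grant.expires_at.isoformat())
        return grant

    def has_access(self, user, resource, now):
        """True only while an unexpired grant covers this user and resource; every check is logged."""
        allowed = any(g.user == user and g.resource == resource
                      and g.granted_at <= now < g.expires_at for g in self.grants)
        self._record("checked", user=user, resource=resource, allowed=allowed)
        return allowed

    def expired_grants(self, now):
        """Grants past their window, the input to a periodic revocation job."""
        return [g for g in self.grants if now >= g.expires_at]


def demo():
    """Walk one executive request through the registry on constructed data and report what happened."""
    registry = AccessRegistry()
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    registry.request("cto", "prod-db-readonly", approver="security-lead",
                     reason="incident review INC-0001 (constructed reference)",
                     duration=timedelta(hours=2), now=t0)
    during = registry.has_access("cto", "prod-db-readonly", t0 + timedelta(hours=1))
    after = registry.has_access("cto", "prod-db-readonly", t0 + timedelta(hours=3))
    try:   # the executive cannot sign off on his/her own request
        registry.request("cto", "hr-records", approver="cto", reason="quick look",
                         duration=timedelta(hours=1), now=t0)
        self_approved = True
    except PermissionError:
        self_approved = False
    try:   # a two-day grant exceeds the eight-hour ceiling
        registry.request("cto", "prod-db-readonly", approver="security-lead",
                         reason="long task", duration=timedelta(days=2), now=t0)
        over_limit = True
    except ValueError:
        over_limit = False
    return {
        "during": during, "after": after,
        "self_approved": self_approved, "over_limit": over_limit,
        "expired": len(registry.expired_grants(t0 + timedelta(hours=3))),
        "events": [e["event"] for e in registry.audit_log],
    }


if __name__ == "__main__":
    print(demo())
```

The audit log records denials and access checks as well as grants, so an incident responder can answer "who held what, approved by whom, and when did it lapse" from one source, which is the documentation benefit the passage above points to.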

As more and more systems and services become digital, companies are locked in a continuous game of chase and be chased with the growing number of hackers looking to capitalize on sensitive data. While security is everyone's job, ultimately, the tone comes from the top. CEOs must personally live and breathe security best practices every day, and hold their employees accountable for doing the same. Combined with the use of technology, this is the only way companies will be able to fortify their operations enough to get a leg up in today's hacker economy.