Cybersecurity for Executives: Three Questions to Ask Yourself
Target. Sony. Anthem. The list goes on and on. What's an executive to do in this new world of digital (in)security? The best place to start is with yourself. If you are an executive, your organization's cybersecurity posture starts with you. Below are three simple questions your organization needs you to ask yourself today.
Give Authority
1. Take a minute to think through your relationship with your CISO. What is their role in your organization? It should be to preserve and improve the information security posture of the organization. But is it really? Now ask yourself this question: Have I given my CISO full authority to do their job? In many cases the answer is no.
I call this “Pull the Plug” authority. Your CISO should have the right and authority to stop, delay or change any internal or third-party operation on the basis of risk to the organization. I can’t tell you how often a breach could have been prevented if executives had been willing and ready to listen to their head of security.
This authority should not be given out lightly. Your CISO must know that with such great power comes great responsibility. If they exercise that authority, they are accountable for the outcome. If you will entrust this sacred task of security to your CISO, they should rarely have to use it. But when they do, you’ll be thankful.
If you haven’t given out this authority to your CISO, you should right away. Endorse them, endow this authority and let your management team know.
Accept Reality
2. If you talk to any executive who has had to experience the nightmare of an information security breach, they’ll tell you one thing: “I can’t believe this actually happened to us.” That statement is telling.
Ask yourself this question: Why do I think a security breach wouldn’t happen to us? The truth is, it can happen. And it will happen. You must adopt this attitude. This is the first rule of establishing a ‘culture’ of information security in your organization. And it doesn’t start with the CISO. It starts with you.
If you as an executive think your company is secure, your company does not have a culture of information security. Your organization is vulnerable to attack just as any other on the face of the planet. Accepting this fact will allow you to embrace a culture of information security. And if you don’t start the trend, no one else will do it in your stead.
Include Your Board
3. As the Chief Executive, you have one unique function at your organization that no one else likely shares. You report to the Board of Directors on all key issues at your organization. It is your sole responsibility to inform them of the finances, strategies, and high-level issues concerning your organization.
Ask yourself this question: When is the last time I brought up our information security posture at a Board meeting? If your answer is drawing silence, you aren’t alone. Many CEOs don’t bring the issue up to their Board for several reasons.
First, many CEOs are afraid of the reaction they’ll get among their directors who may not understand. Will they just yawn with eyes glazed over? Will they ask questions you may not know the answer to? Second, some CEOs don’t want to overburden their Board with matters that for years were simply trivial.
Fortunately for the CEO, a 2014 survey released by PricewaterhouseCoopers revealed that 65% of directors are ready to spend more time on IT risks including cybersecurity. If 65% are interested, the rest will likely follow suit.
Also, with the advent of social media and news accessible anywhere, your directors are probably more interested in information security than you think they are, especially after Target, Sony and Anthem. So give it a try. Add cybersecurity to your next Board agenda and watch the discussion just fly off the page.
Very informative article Wes.
Wes, good blog post and dead on at the level you are addressing. Here is one of my security posts I would like to share. http://www.netgainit.com/blog/business-ceos-are-asking-the-wrong-question-about-cybersecurity-threats/ David Reedy, Security Practice Manager @ NetGain Technologies
Great job, Wes!!!! You know I don't have anything to do with any of this, except at my home, but I love reading your articles!!!! They are informative & well written!!!!!!!! Glad you're back on your feet & hitting the floor running!!!! Again, great job!!!!
Matthew Woodson, right on! Please do. Hope it will generate some great discussion.
Nice write-up! Might use this in my Health Information Systems class, Wesley Spencer!