By this point in our series on security and the CEO, it should be clear that security isn’t just a technological issue. It’s a cultural one, and you must improve your organization’s security culture, as well as its security processes and technologies. To accelerate your digital transformation, security must become part of your company’s very DNA. That’s where the CEO comes into play.
Employee buy-in starts at the top; your CEO’s actions and priorities set the tone for the entire organization. By now, your CEO and the rest of your executive leadership team should be on board to lead your security transition by example. Through their visible and active involvement in security initiatives, your C-suite will communicate the fact that security is every individual’s responsibility, not just IT’s.
So, how can your CEO and other company executives create a culture of security? Here are a few ways:
Lead employee and partner training initiatives
As we’ve mentioned before, security isn’t just IT’s job. It’s everyone’s job. And it isn’t just a technology challenge, but also a business challenge.
As such, employees and partners must be made aware of the threats they face and the role they can play in either shutting down those threats or enabling them. Your C-suite should be the first to receive training and should sponsor further initiatives to train and hold employees and partners accountable for their security practices. As the security champion at your company, you should organize training sessions on how to identify and stop fraud, such as phishing scams. Write double and triple checks of suspicious emails into corporate practices, and encourage that these best practices are followed.
In fact, make cybersecurity training a part of performance reviews and make following best practices a clear expectation from day one of employee onboarding.
Set the standard with your BYOD policies
Security is no longer centered on hardware and the physical corporate perimeter. Thanks to mobile computing and “bring your own device” (BYOD) culture, the days of network and data security through IT control over desktops and perimeter security are gone.
And while this new, perimeterless reality can greatly boost productivity, it can also put your organization at serious risk. A Check Point survey found that with the near-universal increase in BYOD adoption came an increase in the frequency and cost of security breaches. A whopping 42 percent of surveyed companies suffered mobile-device-related security incidents that cost more than $250,000 to remediate.
The best solution to this new challenge is to a set a clear, organization-wide BYOD policy, and adopt modern identity and access management (IAM) tools that can institutionalize your governance so that it is a daily reality, rather than part of a never-read employee handbook.
Contextual, risk-based, and other adaptive authentication methods should also be used for devices accessing corporate data while outside the corporate network. There are a number of cost-effective options out there to enable extra security on smartphones, such as push authentication and one-time passwords.
But addressing this issue isn't just a technological fix— it also requires cultural changes.
For employees used to having free reign with their devices, MFA and strict BYOD policies can make logging in and out of their favorite apps feel like a burdensome, overly obtrusive user experience. Just as with security training, in order to increase user buy-in, your executive team should be early adopters (and cheerleaders) of MFA and BYOD policies. By acting as the beta users for your new initiatives, your C-suite sets the standard for the entire organization by demonstrating how truly important these measures are. When executives act as evangelists for new security initiatives, it can normalize the process for employees, and make what was once an abstract inconvenience into an important task.
As an added bonus, by locking down your CEO’s devices first, you’ll also probably secure some of your most sensitive data.
Champion an incident-response plan
Smart CEOs and security leaders start with the assumption that their organization has already been breached. Just because a breach isn’t obvious doesn’t mean it hasn’t happened. Just look at Hillary Clinton’s email server breach or the 24 percent of organizations with no way of knowing if user credentials had been stolen. Having the right IAM tools in place, such as privileged access management and contextual or risk-based authentication, will help prevent intruders from compromising credentials and freely moving around in your network. However, even with those tools in play, you need to be prepared. Being ready for an incident with a proactive response can go a long way toward minimizing the impact of a breach.
As a security champion, it’s the CEO’s responsibility to demand such a plan and to make sure that everyone is effectively briefed and prepared to act on the plan.
To that end, part of that incident response should be effective crisis communication. You don’t want to be making up your internal or public responses on the fly, after the fact. Instead, look to the mistakes of others to inform your own plan. Sony, for example, took a week to publicly acknowledge that a breach had occurred and committed a number of other gaffes as well. With the fate of your company at stake, make sure you know how you’re going to limit the fallout of any potential security incidents.
Monitor and Measure
Pull all this together with regular monitoring and reporting up and down the program—from the executive level down to employees. The more specific your evaluations can be, the better. Make device security metrics, such as days without a breach, part of the overall performance scorecard. Let those metrics serve as a constant reminder of the continuing importance of strong security practices.
The costs of security breaches are just too high for the C-suite to leave cybersecurity to IT. It must be treated as a top strategic and corporate priority, and achieving that demands that your CEO and C-suite champion the cause. The impact of your executives’ leadership in security initiatives will work wonders at setting the agenda and changing your organization’s culture to one that puts security first.