Organisational leaders have a growing stack of priorities on their desks. Now among them is information security, which until relatively recently, was a responsibility delegated to IT departments.
That began to change in May 2014 when Target’s CEO Gregg Steinhafel resigned in the aftermath of a data breach that exposed the credit card and personal details of 110 million customers of the mega-retailer. The scale of the breach was unprecedented and cost the company at least $252 million. It was the first time a high-profile corporate leader had been ousted for failing to act promptly after a cyberattack. “Suddenly, business people took notice,” says Dr. Dale Meyerrose, president of The MeyerRose Group and lecturer at Carnegie Mellon University’s Institute for Software Research, where he directs the Cybersecurity Leadership (CSL) Certificate programme.
The number of breaches is actually declining each year in many industries, according to Meyerrose, but the number of records compromised in each attack is growing, mainly because hackers are becoming more selective in their targets. The threat of significant damage to an organisation’s brand and its finances is forcing cybersecurity onto the C-suite agenda. Executives stepping up to lead on this issue should start by following these five steps:
1. Realise it’s not a technical problem
Most organisations approach information security from a technical perspective. But this is the wrong strategy, argues Meyerrose. The primary threat is human behavior – the vast majority of data breaches originate with employees, former employees or service providers giving access to hackers, wittingly or unwittingly. In the case of the Sony breach in 2014, for instance, employees allegedly let hackers into the building where they stole the system password. Target’s system was penetrated via a multi-step campaign that started with hackers gaining access to a Target vendor’s account by way of a deceptive email.
Companies need to conduct employee training regularly and meaningfully, addressing topics like social engineering and how behavior can leave the door open to infiltration.
2. Hire the right experts at the right level
Although the number of Chief Information Security Officers (CISO) is growing, many of them still report to the CIO or a chief security officer. They are usually technical experts who are hired for these skills, explains Meyerrose. But organisation leaders and boards are slowly realizing that the ideal CISO also needs to understand the business in order to assess risk factors and explain data in a compelling, understandable way to a non-tech audience. Moreover, they need to be positioned at the right level, ideally that of a senior business manager who has direct access to the C-suite and can affect enterprise-wide changes.
3. Pick an architecture and apply it well
Research shows that over 90 percent of businesses have an information security risk framework in place, but compliance with minimum criteria does not necessarily mean secure. There are numerous standards, many of which are industry-specific. Meyerrose stresses, however, that the type of architecture is not as important as picking one and applying it in a systematic way: “any framework gives you structure, runs you through processes and forces you to answer questions.” Security rests on the architecture being implemented completely and being built on logic and economic principles.
4. View cybersecurity as insurance
Since most companies still consider information security a technical risk to be managed as an IT function, they view it as a cost centre. Yet a good cybersecurity programme insures an organisation against the enormous losses that a hack attack can cause, says Meyerrose. As such, it deserves adequate investment and prioritisation. Cybersecurity insurance is a fast-growing area of the insurance market, and many organisations now purchase coverage. Still, building strong security safeguards remains the best policy, adds Meyerrose.
5. Prioritise threat assessment
Big data analytics are increasingly used to identify information security threats. Meyerrose believes the emphasis should be on profiling the company’s own activity since most breaches originate on the inside. This means each company needs to do data analysis on itself and its “eco-environment”, including partners, customers and vendors. When an organisation carefully profiles its activities and authorised users, it can more easily detect anomalies that red-flag intrusions. It’s also useful to do analyses on the industry and global trends to predict risks.
Meyerrose’s cybersecurity courses at Carnegie Mellon cover three areas: leadership of cyber-enabled organisations, understanding the fundamentals of cybersecurity (e.g., insider threats, cloud computing, big data analytics), and examining cybersecurity from a management standpoint versus a technical one. This kind of training might become standard for all leaders who want to guide their organisations well in the 21st century.