By: Gregory A. Garrett
During the past few months we have spoken with hundreds of companies’ Chief Executive Officers (CEOs) from numerous U.S. and global industries, including financial services, healthcare, government contracting, automotive, manufacturing, private equity, and law firms, about the importance of cyber-security. From these conversations, we have concluded that the three questions CEOs ask most frequently are:
- What should we know about cyber-security?
- What should we do about cyber-security?
- How do we assess the quality of our cyber-security program?
It is vital that CEOs establish the appropriate cyber-security “tone at the top” for their respective organizations, regarding the importance of information security and how cyber-security is everyone’s shared responsibility in a truly digital world. Establishing an organizational “culture of cyber-security” has proven to be one of the best defenses against cyber adversaries. It is the people, not the technology, that can be either an organization’s greatest defense or its weakest link against a cyber-attack.
Further, it is incumbent upon CEOs to learn more about cyber-security to ensure their company is taking appropriate actions to secure its most valuable information assets. This does not mean that every CEO needs to become a Certified Information Systems Security Professional (CISSP). Rather, CEOs should increase their knowledge of core cyber-security concepts and leverage their own leadership skills to conceptualize and manage risk in strategic terms, understanding the business impact of that risk.
Five Things CEOs Should Know about Cyber-security
- Cyber-attacks and security breaches will occur and will negatively impact your business. Today, the average cost of the impact of a cyber breach is $4.9 million.
- According to most cyber-security surveys, over 60% of all data breaches originate from unauthorized access by one of your current or former employees, or by third-party suppliers.
- Achieving information security compliance with one or more government regulatory standards for information security (e.g. ISO 27001, NIST 800-171, HIPAA, NYDFS, etc.) is good, but not sufficient to ensure real cyber-security.
- Cyber liability insurance premiums are significantly increasing in cost and often do not cover all of the damages caused by a cyber breach.
- To achieve real information security and data resilience it is vital to combine managed Monitoring, Detection, and Response services with comprehensive disaster recovery and business continuity plans.
Ten Things CEOs Should Do about Cyber-security
- Ensure everyone in the organization from the top-down receives appropriate cyber-security education and awareness training.
- Hire an independent company to conduct a cyber risk assessment against government regulatory compliance requirements and industry standards to identify potential gaps in your company’s information security policies, processes, plans, and procedures.
- Verify that periodic penetration testing by certified ethical hackers is being conducted to identify potential cyber-security vulnerabilities in your organization’s information systems.
- Require that a timely and effective software patch management program be implemented by your Information Technology team to mitigate known security vulnerabilities as quickly as possible.
- Ensure the organization has 24/7/365 monitoring, detection, and response capabilities for its information systems.
- Verify the organization has an appropriate cyber breach incident response plan, including the policy and procedures related to ransomware attacks.
- Hire an independent firm to conduct a cyber liability insurance coverage adequacy evaluation.
- Establish information security key performance indicators (e.g. number of cyber-attacks, number of data breaches, network up-time, network downtime, cost of cyber breaches, cost of cyber insurance, cost of information security as a percentage of total company IT cost, etc.).
- Ensure your company has well-documented and periodically tested disaster recovery and business continuity plans to quickly recover lost or stolen data and thereby mitigate the potential damages of cyber breaches.
- Mandate additional layers of information security via encryption, multi-factor authentication, and highly restricted access to your company’s most valuable information assets.
Seven Strategic Questions a CEO Should Ask to Begin Assessing the Quality of Their Cyber-security Program
- What is the threat profile of our organization based on our business model and the type of data our organization holds?
- Who may be after our data – Nation States, sophisticated international criminal organizations, or ideologically motivated hacktivists?
- Does our cyber-security strategy align with our threat profile?
- Is cyber-security risk viewed as an enterprise-wide risk issue and incorporated into the overall risk identification, management, and mitigation process?
- What percentage of our IT budget is dedicated to cyber-security? Does it conform to industry standards? Is it adequate based on our threat profile?
- Is there someone in our organization dedicated full-time to our cyber-security mission and function, such as a Chief Information Security Officer?
- Is the cyber-security function properly aligned within our organization? Aligning the CISO under the CIO may not always be the best model, as it may present a conflict of interest. Many organizations align this function under the risk, compliance, audit, or legal functions – some with direct or “dotted line” reporting to the CEO.
It has become abundantly clear that some CEOs simply do not know enough about cyber-security, and that their Chief Information Officers and Chief Information Security Officers do not always provide them with an accurate portrait of the cyber risks their company faces every day. Other CEOs appear to be suffering from a “knowing” versus “doing” gap. From our consulting experience and research, we understand that many CEOs are well aware of the cyber risks, but for one or more reasons, often short-term and financially motivated, they are choosing not to do what needs to be done in order to reduce the probability and/or impact of a cyber breach in their organizations. In the world of cyber-security, the old adage is quite true: “You can pay now, or you can pay much more later!”
This article originally appeared as a BDO USA, LLP’s Cyber-security Alert (February 2018). Copyright © 2018 BDO USA, LLP. All rights reserved. www.bdo.com