October is National Cybersecurity Awareness Month (NCSAM), a fact that I can safely bet is either unknown or off the radar of most CEOs and other executive leaders. That’s no surprise, given the month is typically squandered with perfunctory cyber awareness training for employees. This is a shame because NCSAM is an opportunity. With nearly every sector getting pummeled by cyber-attacks, CEOs must look for ways to enhance their companies’ overall security posture. Too often, NCSAM is fraught with mandatory awareness training that employees ignore, or with tweeting tips to customers.
Ask yourself: Does this make my company any safer?
NCSAM is an opportunity to bring all of your key stakeholders and lines of business into a common understanding and chart a path forward. Here are the top three activities that CEOs should be driving this month to reclaim NCSAM and make it count for business operations and growth.
Gather Key Stakeholders & Line of Business Owners
You need all of your lieutenants to be on the same page. Security and risk are too often siloed. This is the result of legacy roles and responsibilities failing to keep up with today’s risk landscape. For example, Arceo.ai found that most cyber insurance policies are purchased by CIOs and CFOs. However, 77% of CISOs say they can’t get the coverage they need, calling out data extortion the most, especially at companies with over $2B in revenue. The question for CEOs is: how well do the insurance buyers communicate with the teams measuring risk?
Inventory all technologies across all lines of business
To make your organization more secure, you need visibility across the entire enterprise. You cannot secure what you can’t see. Task all line of business owners with establishing a quarterly inventory of their tech stacks. This step is even more critical in the wake of COVID-19, with remote work forcing the rapid adoption of many tools. At the time, business continuity was the priority. Now, these systems must be hardened. Once you have inventories, make risk responsibilities crystal clear. All too often cybersecurity is viewed as the sole responsibility of the CISO. It’s simple: who is the owner and who is responsible for risk? Consider these two very real scenarios:
- IT procures Microsoft Teams or Slack to help facilitate remote work. Does compliance, legal, or HR own the internal risk of aggressive behavior or misconduct? What about misuse of customer data or employee PII? If so, what tools will these teams need to monitor upwards of hundreds of thousands of chats per day?
- Sales teams needed to enable LinkedIn Sales Navigator, or even WhatsApp, to help sellers connect with customers and prospects. Does this mean Sales will be responsible for protecting sellers’ accounts from hijacking, phishing, or malicious attachments? If not, does security need oversight on those accounts?
Cross-examine strategic goals against risk frameworks
Now that you have everyone talking, and everyone knows what technology is in place, you must examine the risks against your company’s strategic goals. Risk and revenue must be in balance, not in competition with one another. Let’s extend the previous examples:
- If remote work is part of the long-term picture, then collaboration software like MS Teams is probably a key part of your infrastructure. You’ve established that IT has procured it, and that information security is using a CASB to verify access to Teams. If compliance/legal says they need to monitor chats for conduct or IP data loss, then consider solutions that enhance the CASB, and whether both teams need to split budget on the solution.
- If sales needs WhatsApp or LinkedIn, make sure security has visibility to protect sellers and the larger organization from infiltration. If compliance has a role to play, then they need a seat at the table, and will also likely need to contribute to the budget.
Ransomware attacks are growing more sophisticated and more frequent. Data extortion, too, is on the rise. Why would you spend National Cybersecurity Awareness Month just running anti-phishing exercises on your employees? That exercise is a year-round effort. Take advantage of this month to elevate security across your entire organization. Cybersecurity is everyone’s responsibility. It’s time to take practical steps to make it a part of your business operations and growth plans. Get started today.