The CEO’s guide to driving better security by asking the right questions

The following is part of a series of instalments providing concise summaries of selected chapters from the New York Stock Exchange’s definitive cybersecurity guide, Navigating the Digital Age.

This blog summarizes Chapter 13: The CEO’s guide to driving better security by asking the right questions, by Davis Hake, Director of Cybersecurity Strategy at Palo Alto Networks Inc. Please refer to the original article for any direct quotations.


Who’s responsible?


A NYSE and Veracode survey found that 80% of participants discuss the issue of cybersecurity in most or every boardroom meeting. The authors of the survey noted that “responsibility for attacks is being seen as a broader business issue, signalling a shift AWAY from the chief information security officer (CISO) and the IT security team […] When a breach does occur, boards are increasingly looking to the CEO and other members of the executive team to step up and take responsibility.”

Despite this shift in perceived responsibility to the executive level, there does not appear to be a matching effort to connect the technical teams to the board's concerns about cybersecurity risk.

A 2015 Raytheon and Ponemon Institute study of those with the day-to-day technical responsibility for cybersecurity – CIOs, CISOs, and senior IT leaders – found that 66% of respondents believe senior leaders don’t perceive cybersecurity as a priority.

As the CEO, it is your job to balance risk and reward within your company, and it is critical that you lead the incorporation of cyber risk into your existing risk management efforts rather than treating it as a separate, purely technical matter.

How to manage cybersecurity risk

  1. First things first: don’t begin the journey alone. Bring your leadership team, especially your CIO, chief security officer (CSO), and CISO, into the conversation from the start and determine how your IT priorities map to your business goals.
  2. Lean on your leadership team to evaluate cybersecurity problems relative to your other business risks, then let the team address them in line with your existing business goals.
  3. Your job is then to help frame the problem for your team and provide oversight and guidance, not to micromanage a crisis. It is natural for CEOs to have a knee-jerk reaction to cyber incidents, but it is important to apply a holistic, risk-based approach that promotes company-wide cybersecurity.
  4. Finally, as with any risk management effort, plan for the best but prepare for the worst.

No defence is ever 100% effective. An incident response plan that is coordinated across the enterprise and tested regularly is vital even for the best-defended organizations.

Risk management is a strong approach to the challenges of cybersecurity, but the bottom line is that it will often require investment in new people, processes, or technology.

You must always balance the risks and rewards of your decisions and investments into a coherent strategy.

Effective cybersecurity should be business as usual

Unfortunately, today’s reality is that cyber threats will remain a source of fear in boardrooms for the foreseeable future, which invites knee-jerk reactions as new threats emerge. Ultimately, we must get to a place where cybersecurity is a normal part of any business’s operational plan. With cool-headed, rational leadership, you are uniquely placed to transform this issue in your company from a crisis into an opportunity for real innovation.


Guidance for the CEO

For CEOs looking for guidance implementing a company-wide cybersecurity programme, we recommend reading the official requirements for an ISO 27001 information security management system (ISMS).

The standard sets out the requirements for establishing, implementing, maintaining, and continually improving an ISMS: a holistic, risk-based approach to information security that is recognised worldwide.

As well as helping you achieve effective cybersecurity, compliance with ISO 27001 provides a solid framework that supports adherence to multiple US legislative and regulatory requirements, including FISMA, HIPAA, and Sarbanes-Oxley.

Purchase your copy of the official standard here >>