CEOs are likely aware that cybersecurity threats exists. However, their level of understanding often doesn’t reach the depth needed to mitigate the accompanying risks to their organizations.
“CEOs don’t need to be cybersecurity experts,” says Dr. Charles Dull, associate dean, IT Center of Excellence, Cuyahoga Community College. “But they should be aware of the issues so that they can speak intelligently with specialists and understand the problem enough to authorize an effective counter.”
Smart Business spoke with Dull about the value of being a CEO who is knowledgeable about cybersecurity issues.
What, generally, do C-suite executives understand the cyber threat environment?
Most CEOs would know whether their organization has a cybersecurity plan in place. But go one level deeper and ask what it contains, and most aren’t able to explain much. However, a better understanding of details such as what specific protections are being used, or what their incident response process is, should be seen as vital. That’s because CEOs need to be able to convey that information to their board, or to customers that might require their vendors to have certain cybersecurity measures in place. An inability to intelligently convey that information could lead to costly misunderstandings.
What sort of issues does that create for an organization?
CEOs control the funding needed to protect against cybersecurity threats. If IT staff tells the CEO that the organization has been defending itself against phishing expeditions or DDoS attacks and needs funding to bolster its defense, it’s important that CEOs understand what that means. It’s dangerous for CEOs to ignore reported threats, underfund or underequip a response, or even overfund a response.
CEOs are always concerned with dollars and often want to know what return they’ll get from an investment. When an expensive upgrade is required to improve an organization’s defense system, CEOs should have a reasonable sense of the requirements to make the right choice for the business. And, should the business face an attack, it’s better to have a CEO who knows enough to enable the IT staff to quickly address the issue rather than squabble over costs to a critical system or software. When emails are disabled or systems are locked by a cyber attack across an organization, significant losses can be incurred the longer it takes to fix the problem.
What harm could that do?
CEOs can certainly understand that the business is shut down. But it’s not always the case that they can understand fully the longer-term consequences of a successful attack.
Sometimes the harm done through the loss of personal information from a breach creates the basis for lawsuits. When the number of people affected is high, even settlements from such cases can be expensive. Those are costs, often ongoing, that occur after an initial breach that CEOs unfamiliar with cybersecurity issues don’t necessarily consider.
And there is more than just business risk when an information breach occurs. Employees’ personal information, as well as their families’ information, is also at risk. A breach could mean the banking and financial information, even health information, of their workforce could be leaked.
How can CEOs become more knowledgeable about cybersecurity issues?
CEOs should make time to learn more about the cyber threats facing their organizations so they can both understand and communicate with IT specialists to fully comprehend the issues and launch an appropriate response.
Those in the C-suite should also consider programs to help familiarize lower-level managers with the threat environment and how to recognize an attack so that those on or closer to the front lines can sound the alarm when a problem arises.
Understanding the language of cybersecurity is an important first step. That way, when specialists highlight an organizational exposure, those in charge of the purse strings can quickly allocate the funds to protect against it.
Insights Education is brought to you by Cuyahoga Community College