Why executive responsibility for cybersecurity matters more than ever
Author: Mel Griffiths

When it comes to internet crime, no vulnerability is too small, because for attackers even a minor weakness is a gateway to a bigger prize. The current state of cybercrime is alarming and calls for more awareness and action. Hardly a day goes by without news of another destructive breach or attack. Attackers are increasingly targeting operational technology (OT), and both the frequency of threats and the severity of their consequences are rising. The business costs of cyberattacks on critical infrastructure, including utilities, health, transport, commerce, water and electricity, are extensive and can be disastrous. Yet, despite the catastrophic ramifications of breaches and exposures, many organisations are still not doing an adequate job of protecting themselves.

Executives can no longer afford to look the other way. Beyond considerable financial loss and reputational damage, there are now further consequences for failing to take the necessary measures against cyber threats. New regulation and governance requirements in countries around the world place responsibility for cybersecurity squarely on the shoulders of the C-suite. If we are going to tackle this growing and constantly evolving threat, cybersecurity leadership has to come from the top down.

Prioritising cybersecurity in the C-suite

Turning a blind eye and underfunding cybersecurity is no longer an option. Transferring the risk by purchasing cyber insurance is not a sustainable strategy either: premiums have risen sharply, and insurers are withdrawing cover for certain threats such as ransomware. Governments are also moving to manage risk better, mandate more robust preventative measures and build cyber resilience. For example, the Australian government recently tightened organisations' security obligations with the passing of the Critical Infrastructure Bill Amendment. Critical infrastructure in communications, education, research, energy, food and grocery, healthcare, space technology, transport and water now falls within the regime, and individual assets can be declared systems of national significance. Organisations in these sectors must be undertaking preparation, prevention and mitigation activities. Similarly, in the US, the Biden administration issued an executive order designed to strengthen government cybersecurity defences in response to several damaging incidents, including SolarWinds, Colonial Pipeline and the Microsoft Exchange Server attacks.

In the past, CTOs and cybersecurity leaders may have struggled to convince their peers of the urgency and importance of preventive measures. Today, awareness and education are beginning to reach the highest level of management, closing the gap between the resources allocated and the ongoing support needed to prevent an attack. Cybersecurity is an ongoing process that needs to be on every leader's radar. The C-suite must work with the board and business unit managers to understand the risks and assume responsibility for the organisation's cybersecurity activities.

Understanding the threats to take the right action

Establishing true cybersecurity leadership, awareness and readiness requires continuous risk-based assessment. A holistic view of operational technology systems, networks and platforms is crucial to determining the threat level. IT and OT environments are interconnected, and connected in turn to other parts of the business, so managing security risk in OT means looking at the whole picture rather than simply reusing the controls that worked for IT. C-level discussion should revolve around an action plan that covers worst-case scenarios and identifies the steps needed to mitigate the risks. Where is the highest degree of risk in your organisation? How can you increase cybersecurity preparedness to meet your governance obligations? Overseeing the performance of ongoing management and monitoring keeps the organisation agile enough to address evolving threats. Cybersecurity is not a one-off effort; it requires continuous monitoring, testing and re-evaluation of the controls in place, and it deserves a standing item on meeting agendas.

Collaborating from the top down to tackle the issue

Over 80% of respondents to a recent Sapien Cyber survey believe a cyberattack has the potential to cripple their organisation. With cybersecurity accountability on the rise, and Gartner predicting that 75% of CEOs will be personally liable for cyber-physical security incidents by 2024, technology leaders and executives must work together to focus time and resources where they will best prevent an attack. The best results occur when organisations collaborate using a top-down approach to establish awareness and encourage the right behaviours. Like any successful company-wide initiative, leaders have to live and breathe it first. Discussion and action on cybersecurity need to occur at senior level, with regular communication and follow-up with teams.