2018 Cyber Resolutions for the CEO

Posted in Governance, Risk Management and Compliance (GRC), Proactive Defense
The new year is upon us, which means that you’ve hopefully gotten your fill of family, good food, and nostalgic playlists. It also means that the inevitable resolutions are here. Since many of you will be busy with other priorities, I’ve put together a quick list of cybersecurity resolutions for CEOs and Founders. Committing to these resolutions will ensure a successful 2018:

I will make my cyber budget independent of my IT budget (and budget appropriately)

Too many organizations integrate their cybersecurity budget within their IT budget. This is a flawed method that usually means cyber is under-funded. It also means the competing goals of the IT department could get in the way of an effective cyber strategy. IT’s job is to keep the digital infrastructure up and running. Security’s job is to ensure the company does not experience a disruptive incident. These two goals are sometimes at odds. Security needs independence to be able to operate effectively.

I will understand what my CISO is doing and ask hard questions to ensure the strategy is robust

Cybersecurity is still viewed as a sort of black magic. As a CEO, you need to have a basic understanding of cyber risk, much like the understanding you have around financial risk. Most of the high-profile hacks you have read about occurred because the CEO was not holding his CISO or security team accountable. You need to ask things like, “How does our cyber program compare to others in our industry and to best practices?” Another good question is, “How comprehensive is our Incident Response process and what were the results of our last test?”

I will ensure all business units have a proactive cyber plan

A typical organization has a small ratio of cybersecurity employees. This means everyone must have responsibility for the cybersecurity of the organization. Help your CISO or security team by requiring each business unit to have a proactive cyber plan. This includes detailed incident response procedures.

I will display leadership to all employees on cybersecurity

No cyber strategy is effective if it is not driven from the top down. Even the most “low-tech” businesses rely on digital technology to provide their most basic business functions. Investing in cybersecurity is a differentiator which will help you win new business over your competitors. If you embody the message that cybersecurity is important, you reap the benefits of innovation and growth while reducing risk.