Over the years, the relationship between IT, cybersecurity and the executive C-Suite has changed, but as the perpetual slate of data breaches and hacking incidents shows, there is still a long way to go. Senior executives naturally have a lot on their plate, and IT has typically been one of many silos in an organization, the one that looks after everything to do with data. So, is it really necessary for the CEO of an organization to become hands-on with the concerns of IT?
Jim Chalmers, Channel Chief at ESET Canada, believes so. “It’s clear,” he states, “that cybersecurity now has a seat at the adult’s table, due to C-level executives having a better awareness and understanding of their company’s security posture.” He notes that in the past cybersecurity was seen by the executive as a technology issue, but thanks to legislation around mandatory disclosure of breaches and media exposure of cybersecurity in general, it now goes far beyond technology. Jim points out that IT issues now have extended PR and brand implications which are directly related to stock value, consumer confidence, and legal liability. This means that cybersecurity is really a corporate issue.
One key example of the closing of this gap can be seen in the extensive punitive reach of Europe’s General Data Protection Regulation (GDPR). GDPR was devised to give individuals greater say over how their personal data is collected and used. Although it is an EU regulation, GDPR applies to any organization, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour there, so it reaches companies with no European office at all. Fines for non-compliance can extend to €20 million or 4% of the offending company’s total worldwide annual turnover for the preceding financial year, whichever is higher. Any company’s management must remain apprised of GDPR regardless of whether it operates in Europe or elsewhere.
Similarly, breaches continue to happen. Jim points out, “We’ve seen companies disclose a breach and never recover, so yes, executives now need to have more than a cursory understanding of their company’s security posture. They need to be involved and understand how it can affect their overall business.”
He points a spotlight on the Starwood/Marriott breach disclosed in November 2018, reported at the time as one of the most widespread so far, with as many as 500 million guest records affected (Marriott later revised that figure downward). Marriott’s own disclosure traced the cause to unauthorized access to the Starwood guest reservation database over a four-year period, from 2014 to September 2018. The problem was compounded by the fact that Marriott acquired Starwood in September 2016, while the intrusion was already under way: it was not caught during due diligence and ran undetected for two more years after the deal closed. This points to a clash of worlds – executive strategy, cybersecurity, corporate mergers, governance, and compliance.
“This relates back to the question that cybersecurity is no longer just a technology issue,” Jim states, “it’s now an integral part of the overall business including mergers and acquisitions. It’s no longer good enough to look at cash flow, or stock value or how the two brands can complement one another. Executives now need to not only have a thorough understanding of their own cybersecurity technology but also do a deep dive into the cybersecurity technology and posture of any company they may be looking to merge with or acquire. Whether a company is healthy or in the midst of a known or unknown breach, it becomes a significant piece of the puzzle.”
Are Only Executives On the Hook? What About IT?
Jim points out that it would be unfair to place all the responsibility for a proactive cybersecurity strategy on the shoulders of the executives, suggesting that cybersecurity specialists should be better able to understand how to influence and even “manage up” to senior management. This is not leveled as a criticism of those currently working in IT and cybersecurity; instead, he points out that management strategy and learning to speak “executive language” should become a larger part of an IT professional’s ongoing education. It is no longer enough to know how a network works; it is vital, too, that an IT professional understands how an executive works and thinks, in order to present cogent arguments and gain leverage at the C-Suite table.
“Cybersecurity specialists must change the conversation and talk less about products, technology or even services and talk more about risk as it relates to cybersecurity,” Jim says. “Executives don’t want to have a technology conversation, but they do want to talk about how to mitigate the risk to their company as it refers back to cybersecurity. The cybersecurity conversation must cut across all areas of the business, literally from the reception area to the CEO’s office, which also means removing traditional organizational silos.”
The Ethical Legacy of Hacking Ashley Madison
Jim points to the Ashley Madison hack of 2015 as one of the most interesting breaches of the last decade. Putting aside the ethics around the company’s business, this was a privately held company that had more than 25 GB of data stolen and leaked to the internet. “Lost in the ethical conversation was the fact that this was a criminal act of cyber-terrorism that was, in some cases dismissed as a company (and customers) who got what they deserved.” He states, “this breach raised the question of hacktivists and whether there is such a thing as an ethical hack.”
As such it crosses boundaries, becoming not just a significant corporate data breach, but one in which corporate ethics play a role in public engagement. If the next significant data breach belongs to an organization with an equal level of polarized opinion, for example a BP-style oil company, or a political party or candidate, how will that impact corporate crisis management strategy and, what should IT and cybersecurity professionals be prepared to do to best handle it?
Ensuring Day-To-Day Procedures Support Cybersecurity
Finally, executives and IT professionals alike need to widen the cybersecurity conversation beyond technology. Many breaches and hacks are the result of human weakness, such as clicking on a phishing email link, not maintaining adequate password hygiene, or not removing apps or contractor access permissions from a database or network once they are no longer needed.
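The last item in that list, access that outlives its purpose, is the one a procedure can catch mechanically. The script below is an added illustration, not tooling from ESET or the author: it walks an access inventory and flags grants that should already have been revoked, whether because HR says the person has left, because a contractor’s engagement has ended, or because an account or app integration has simply gone unused. The record layout, the sample inventory, the departed-staff roster and the 90-day idle threshold are all assumptions made for the example.

```python
"""Stale-access audit (added example; record layout and thresholds are assumed)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set


@dataclass
class Grant:
    principal: str            # user, contractor or app integration that holds the access
    kind: str                 # "employee", "contractor" or "app"
    resource: str             # database, VPN, file share, SaaS tenant ...
    last_used: date           # last authenticated use of this grant
    contract_end: Optional[date] = None   # contractors only: agreed end of engagement


@dataclass
class Finding:
    principal: str
    resource: str
    reason: str


def audit(grants: List[Grant], departed: Set[str], today: date,
          idle_days: int = 90) -> List[Finding]:
    """Return one finding per grant that should be revoked.

    Checks run in priority order: a departed principal is flagged as such even
    if the grant is idle or the contract has also ended, so the reason names the
    strongest signal rather than the first one found.
    """
    findings = []
    for g in grants:
        if g.principal in departed:
            findings.append(Finding(g.principal, g.resource,
                                    "principal has left the organisation"))
        elif (g.kind == "contractor" and g.contract_end is not None
              and g.contract_end < today):
            note = ("contract ended %s" % g.contract_end.isoformat())
            if g.last_used > g.contract_end:
                # Access was still being exercised after the engagement ended:
                # this is the case that most needs a human to look at it.
                note += ", access still used on %s" % g.last_used.isoformat()
            findings.append(Finding(g.principal, g.resource, note))
        elif (today - g.last_used).days > idle_days:
            findings.append(Finding(g.principal, g.resource,
                                    "unused for %d days" % (today - g.last_used).days))
    return findings


# Constructed sample inventory for the example; the names are fictitious.
TODAY = date(2019, 3, 1)
SAMPLE_GRANTS = [
    Grant("alice", "employee", "crm-db", date(2019, 2, 27)),
    Grant("bob", "employee", "crm-db", date(2018, 9, 30)),
    Grant("carol", "contractor", "vpn", date(2019, 2, 20), contract_end=date(2019, 1, 31)),
    Grant("dave", "contractor", "file-share", date(2019, 2, 28), contract_end=date(2019, 6, 30)),
    Grant("legacy-sync-app", "app", "crm-db", date(2018, 6, 1)),
    Grant("erin", "employee", "hr-db", date(2019, 2, 28)),
]
DEPARTED = {"erin"}   # assumed feed from HR's offboarding list


def run_sample() -> List[Finding]:
    """Run the audit over the constructed inventory."""
    return audit(SAMPLE_GRANTS, DEPARTED, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print("%-16s %-11s %s" % (f.principal, f.resource, f.reason))
```

Run as written it reports four grants: one employee idle since the previous autumn, a contractor whose engagement ended in January but who was still connecting in February, an integration nobody has touched in nine months, and a departed employee whose database access the HR roster says should already be gone. The point of feeding the HR roster in separately is that revocation should not depend on anyone remembering to file a ticket; the audit makes the missed step visible on a schedule instead.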
Most of these types of errors happen because of a time crunch. People are busy, overloaded with meetings and messages, and have consequently lost the ability or opportunity for critical thinking and diligent action. Mistakes are made in haste and the repercussions can literally cost a company its life.
This means that executives and IT professionals together must look at the overarching culture of their organization, to ensure that soft skills such as time management and relationship management are taught, reinforced, and rewarded. A culture that does not allow time for employees to prioritize will endure the repercussions of malware. A culture that does not allow time for data backups will fall prey to ransomware. A culture that keeps employees perpetually on a hamster wheel opens itself up to attack from more focused predators.
These are management issues, but they deserve attention from the C-Suite and the IT department when the two meet face-to-face, as regularly as possible, across the adult’s table.
ESET offers free online cybersecurity training to help organizations like yours build a comprehensive and proactive strategy. For more information check out: eset.com/ca/cybertraining
Steve Prentice specializes in the place where human and technology meet. With a background in organizational psychology and project management, he works with IT industry leaders like SAP, CA Technologies and Cisco, as well as with their customers. He consults, manages projects, delivers keynotes, and teaches at a Toronto-area university (UOIT).