For years we’ve advocated that the CEO must be the Commander-in-Chief of cyber warfare for their company. This role should involve building resiliency not only into the business itself but also into IT – which is now key to the survival of the business.
But many CEOs still follow the same IT security road of shame that the leadership of Target and other corporations have taken. The lesson is simple: if you provide poor IT security to your customers, you will soon be looking for a new job.
Achieving Acceptable Losses During Cyber Attacks
Senior corporate leadership must be up to date on cyber warfare threats and on how the organization can prepare to achieve minimal losses in the case of a cyber attack. This does not mean leadership must know the deep-dive details of specific threats. But they must understand how infiltration and exfiltration of data, as well as destruction, occur in the cyber field.
Corporate leadership must take action when presented with audit findings to terminate ongoing risks via both organizational changes and the implementation of technology. Leadership should test the mitigations regularly to confirm the problems found have been resolved. More importantly, they should recheck the controls to ensure there is no backsliding to old destructive behavior.
Listen to the Third Certainty podcast Why Securing Networks Requires a Mind Shift in the C-suite and Board Rooms with Philip Lieberman
Here at Lieberman Software we work with a lot of great companies that have embraced acceptable loss as a reasonable strategy. Yet even with this approach, there is still sometimes bad news from IT about cyber attacks. But there are few surprises – nor are there long periods of time where hackers nest in the environment and extract data at will.
But in most organizations, the CEO has a clear lack of visibility into the inability of IT to manage cyber risk and mitigate consequences. From a leadership point of view, many companies are a ticking time bomb with no ability to reduce the consequences of a breach.
With more corporate board members now taking a hard look at information security, I predict we’ll start seeing a revolving door of senior corporate leadership. Many executives will be forced to move on, simply because they don’t “get it” when it comes to IT security.
Board-level members know that security breaches are inevitable and that they may be held liable for their failure to guide the company toward an operational posture that responds appropriately to cyber attacks. In this oversight role, the Board will push the CEO for answers on how the company can achieve acceptable losses via a cyber defense strategy.
And while the concept of acceptable loss is not new for the CEO, when it comes to the spooky and complex world of IT, it appears there is a blind spot they’re ignoring at the peril of their careers.
If you want to learn more on this topic, listen to the podcast Why Securing Networks Requires a Mind Shift in the C-suite and Board Rooms. It was recorded by Third Certainty at Black Hat 2017, and features our company president Philip Lieberman.