IT professionals know that defending against cyberattacks is a complex task with no guarantees of 100 percent protection. But many CEOs don’t understand how to address the risks – especially with limited budgets.
Therefore, IT leaders should be able to translate technology into business terms, giving CEOs a familiar framework for making cybersecurity decisions, according to panelists at a recent University of Miami Herbert Business School conference.
“Security is not a technology problem,” said Juan Gomez-Sanchez, chief security officer for Lennar, a national homebuilder. “You have to explain the issues in concepts understood by business leaders.”
For example, CEOs are familiar with SWOT (strengths, weaknesses, opportunities and threats) analyses of business issues. That can provide a starting point for organizing a cybersecurity presentation to the senior leadership team. “When looking at threats, don’t forget about the opportunities, because security can be a competitive differentiator,” Gomez-Sanchez said.
It’s also important for high-level conversations to cover more than technology solutions. “Think about people, processes and technology,” said Scott Croskey, global chief security officer at Cipher. “For instance, you need to train employees not to click on a suspicious link or let someone without identification into a limited access building.”
Here are the panelists’ other tips for IT professionals:
- Focus on the risks. Kevin Gowen, chief security officer, Synovus, said CEOs will pay attention to conversations about business risks. “It’s easy for us to get lost in the alarms and flashing lights,” he said. “So, you should emphasize the risks to the organization, such as the financial impact of a data breach.”
- Conduct a comparative analysis. To understand the risks, Croskey suggested looking at international standards, evaluating your organization’s risk tolerance and setting up a security profile.
- Recognize the “crown jewels.” In defending against cyber attacks, you need to know the most valuable data. In financial services that might be personal account information. In manufacturing it could be IP patents and R&D methods, and in education it could be student and family data. Croskey said, “You need to track them, protect them and assess the risks in order to make good security decisions.”
- Communicate regularly with the C-suite. Don’t be a stranger to the C-suite. “Actively communicate your successes and challenges to the CEO and the board,” said Croskey.
- Protect devices, sensors and equipment connected to the Internet of Things (IoT. “Anything with an IP address, including video projectors, cars and robots can be hacked now,” said Kim Hammonds, former group chief operating officer, Deutsche Bank.
- Monitor your network closely. Ideally, you can identify a problem while it is still small so it can be addressed without major losses, said Gomez-Sanchez.
- Pay attention to your third-party relationships. Every organization has outside relationships, from office cleaning crews to IT developers who may be on the other side of the globe. “You should have a strong vetting procedure in place, and limit their access to company information,” said Croskey.
- Keep applications up to date. Don’t neglect basic software hygiene, said Gomez-Sanchez. Stay current with patches and new releases to reduce your vulnerabilities.
- Develop a response plan. Because there is no way to guarantee 100 percent protection against a cyber attack, organizations need to have an incident response plan in place. That should include the general counsel, as well as communications professionals. “Our companies will be judged on how we react to problems,” said Gomez-Sanchez.
Summing it up, Gowen said, “Attacks are getting more complex and you have a larger landscape to defend. There is no one thing that solves it all so build layers that offer best protection within your organization’s appetite for risk and its operational budget.”
