Leadership’s Role in Cybersecurity: A Blueprint for Success
A few weeks ago, we circulated a newsletter covering Good Cyber Risk Governance for Senior Management, which outlined some key considerations in the day-to-day management of organizational cybersecurity. Today, we’re building on that by outlining how a thoughtful top-down approach and attitude towards cybersecurity can shape your company as a whole.
These tips are summarized from the International Bar Association’s Global perspectives on cyber risks: best governance practices for senior executives and boards of directors. We’ve adapted them so they apply to leadership in companies of any size, not just those with boards.
Outsource (when it makes sense) but maintain oversight
Boards frequently delegate the responsibility for managing cybersecurity risk to a committee or a specific board member. However, they realize that the buck ultimately stops with them (since the SEC requires boards to oversee cybersecurity risks).
To meet these obligations while also delegating or outsourcing some aspects of cybersecurity risk management, boards must:
- Implement processes to ensure the board/company leaders are regularly updated about any changes that may affect the company’s risk profile.
- Stay abreast of the current threat landscape and legal changes.
- Ask hard questions about risk and actively engage to understand the risk landscape, not just listen to presentations from IT leaders.
For smaller companies and companies that do not have a board, this lesson applies equally strongly (more on that in this Sifted article about hackers watching your startup). Find members of your team who can serve as “security champions”, sharing knowledge with their colleagues, protecting best practices, and keeping their eyes and ears open for potential risks that demand your attention. Security works best when responsibilities are shared.
Develop a top-down culture of cybersecurity adherence
A top-down culture of cybersecurity adherence is the only way to effectively create and maintain a sustainable security culture. When employees see their leaders taking security seriously, they’re more likely to follow suit and less likely to find the whole thing to be irrelevant or a nuisance. Make sure your decisions, processes, systems, and actions are consistent with your company’s values and the expectations you set for your staff.
Here’s what a bottom-up approach looks like:
“We’d report security violations to them and our repeated reports were ignored. For example, one of our Central European website managers hired a company to run a contest, put it up on the TV network’s website and was collecting personally identifying information without encrypting it. A hack of our file server about a year ago turned out to be another employee in Europe who left himself logged into the network (and our file server) in a cafe.” – a former Sony employee quoted in this 2014 Hollywood Reporter article.
Some of the key elements of a top-down approach to cybersecurity include:
- Management must continually communicate with the entire team about cybersecurity risk and the company’s objectives, including the company’s risk appetite and the rationale behind it.
- Your internal and external communications should accurately state and reflect your company’s approach to cybersecurity risk.
- Cybersecurity is treated as an organizational risk, not just an IT risk.
Move away from a zero-tolerance for cyber risk attitude
A zero-tolerance attitude towards cyber risk is not realistic in today’s digital economy. Instead, companies need to carefully communicate appropriate bounds for teams to work within – and leadership must be at the helm.
These are some of the global best practices for establishing and working within an acceptable cyber risk framework:
- Acknowledge that zero tolerance limits innovation. You should focus on developing a tolerance threshold in relation to cyber risks.
- There must be processes in place to ensure that management and leadership are alerted to cyber risks that exceed the risk appetite of the company.
Consider a separate cybersecurity budget
Many organizations fold the cybersecurity budget into the IT budget or, less commonly, the legal compliance budget. However, best practices in the US suggest creating and maintaining a separate budget for cybersecurity (as outlined in the NACD Cyber-Risk Oversight Key Principles and Practical Guidance for Corporate Boards).
Maintaining a separate budget for cybersecurity empowers your management team to more effectively plan for hiring, training, aligning the budget with the company’s strategic priorities, and otherwise establishing an enterprise-wide cybersecurity framework.
If you need assistance managing your company’s cybersecurity risk, reach out. Our attorneys would love to help.
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.