Cybersecurity Is Every Leader’s Job

Every organization is led by people who are responsible for setting the overall direction, establishing priorities, maintaining influence over organizational functions and mitigating risks. Given the wide range of organizational types across industry sectors, the titles associated with these roles may vary greatly from CEO to Managing Director to Owner-Operator and beyond, but they share common traits. They are the most senior leaders, or they directly support strategic decision makers. They likely have fiduciary responsibility and budget authority. They may even be owners of the business themselves. Whatever the specifics, these are the leaders who are held accountable for the organization’s well-being and performance. And in today’s world, cybersecurity is among their chief concerns. As noted in the recently-published guidebook, Cybersecurity is Everyone’s Job (a publication of the Workforce Management subgroup of the National Initiative for Cybersecurity Education (NICE)), these leaders have a specific role to play in their respective organization’s cybersecurity posture, with responsibilities that include:

1. Managing and mitigating overall cyber-related business risks,
2. Establishing effective governance controls,
3. Prioritizing and resourcing cybersecurity programs,
4. Safeguarding the sensitive information they rely on for planning and decision making, and
5. Establishing a cyber-secure culture within the organization.

These are the primary ways that senior leaders influence the cybersecurity posture of their organization. But fulfilling these responsibilities is not easy, particularly since cybersecurity is just one of many concerns they must address each day. To simplify the task, the guidebook provides a list of practical steps each leader can take. To begin with, leaders must understand cybersecurity basics and best practices well enough to enable sound decision making. They do not need to become technical experts themselves—these roles are typically delegated or outsourced—but they do need to have a generalist’s understanding of the field, much as they must understand the basics of sales, marketing, finance, law and operations. To accomplish this, they should become familiar with best practice frameworks maintained by independent entities like the Center for Internet Security or government agencies like NIST. They can also learn from third-party consultants, assessors and auditors. Once they have achieved foundational understanding, they must include cyber risks in their overall enterprise risk management. Simply put, this means considering cybersecurity as they would any other risk to the business such as legal risks, supply chain disruptions, competitive pressures and so forth. They must avoid the temptation to view cyber risks as a separate technical matter for IT professionals to address in isolation. Mitigating cyber risks involves establishing organizational policies ranging from employee behavior to technical security controls. This is one of the biggest reasons why the aforementioned foundational understanding is critical—senior leaders must have a sense for what works and what doesn’t. At a minimum, the organization must achieve compliance with applicable regulations, such as HIPAA or GDPR, and industry standards, such as PCI DSS. But compliance does not always mean security in the sense that minimal compliance can be achieved while still leaving the organization open to significant risks. So beyond ensuring compliance, leaders must consider and manage risks that apply to them based on the nature of the business, the scope of operations and so forth. This also means adequately funding cybersecurity resources consistent with a plan that implements critical security controls (like the CIS Controls). Senior leaders play a central role in establishing organizational culture, which in turns drives human behavior. Since human behavior is an essential component of cybersecurity, how leaders set the tone—through emphasis and example—remains an important part of their influence on security posture. A cyber-secure culture means that individual employees are aware of cybersecurity risks, practice safe behaviors and actively support the organization’s collective sense-and-response process. It also means cross-functional, inter-departmental collaboration to ensure that cyber risks (again, like any enterprise risk) are addressed by the many parts of the organization that are affected. To overcome the conflicts that can arise from competing interests, senior leaders must actively drive this collaboration. In many cases, establishing a cross-functional team with representatives from each department who are empowered to make decisions can enable success. Finally, senior leaders have access to, and directly control, sensitive information including strategic plans, intellectual property, board and senior management proceedings, financial records, merger and acquisition information, personnel files and audit findings. They must ensure that as individuals they are exercising sound security practices to safeguard this information and protect access to the systems which host and process such data. Senior leaders continue to be prime targets for social engineering attacks, such as spear-phishing, and they must remain particularly vigilant. By taking these steps, and continuing to exercise good cyber practices as every employee should, senior leaders can fulfill their responsibilities to ensure a strong cybersecurity posture for their organization. They shouldn’t be afraid to ask questions—nobody expects them to understand cybersecurity as well as they might understand finance or operations, but everyone (from citizens, consumers and customers to shareholders and board directors) expects them to mitigate risks to the business. Ultimately, they will be held accountable, even if it is an unfamiliar subject, so they must be proactive. For leaders, the guidebook is a good place to start.