You make a lot of decisions every day. You delegate a lot of decisions. And some decisions are simply made by default by the people around you or under you. But let me ask you: if you are an executive, are you involved in the decisions that determine compensation for your people? Most likely yes. Are you involved in the decisions to hire for a new position or to terminate one? I am sure you are. Are you involved in the decisions that set the budget for your departments and how it will be spent? Even in policies on how much a person can charge on an expense report for a lunch or dinner? Yes, you are. Why? Because these are the important areas of your business, and because you are the one responsible if something goes wrong in one of them.
But when it comes to the area of greatest risk, who is making the decisions? Is it you? Maybe. Is it a department head? Sometimes. Is it a low-level IT guy who just happened to be there? Sometimes it is. Don’t think this is the area of greatest risk? Take a look at Home Depot and what their data breach cost them. They said the expense so far in 2015 was $232 million, and their liability insurance policy is only $100 million. But estimates are that it will be much higher than this before it is done; SC Magazine said it could even run into the billions. In fact, some of the staff at Home Depot quit the company long after the breach had gone public because nothing was being done to fix the weaknesses in their systems. Now, there is nothing about this breach that was unavoidable. The same goes for most breaches. But that is a topic for another time.
You need to be the one making these decisions. They are not difficult. They are not technically challenging when you have the right technical help to guide the process. But they need to be made at a high level. Why? Because this is one of the top three highest potential risks you can encounter. Because the money involved is astronomical. Because at the end of the day you are the one responsible for whatever happens. And most importantly, you are the one with the authority to make it happen. You can have all the security plans and practices you like in a company, but if they are just another memo or email to the troops, they have no real teeth. They need your authority and vision to see them through.