Suppose you run a company and launch an initiative that involves every employee; say the goal is to increase the sales closure rate per customer contact. The CEO and his staff talk about it, the managers set objectives to meet, and there may even be a year-end bonus tied to higher closure rates.
Now imagine that at the same time the CIO goes out to the employee population and talks about the seriousness of cybersecurity: the company just had an incident and does not want it to happen again. He spreads the word through his own contacts and communication channels. Which of these two initiatives is going to get traction?
Executive Involvement
Executive involvement is the crux of any important corporate initiative. Unfortunately, the scenario above plays out regularly throughout the business world. Of course the CEO thinks cybersecurity is important, and he certainly does not want to go through a major breach. But he is still not personally doing anything about it.
Why is that? Cybersecurity, as I have said before, is the most widespread, most important, and most fixable problem in business today, yet it often gets no executive attention. I believe that is because no one is coaching executives on how to deal with it. Now imagine you could take your current cybersecurity posture and, by doing just one thing that costs virtually nothing, reduce your cybersecurity incidents by 39%. That one thing is executive involvement.
How to Get Involved
A study published by The Economist found that this one simple change reduces a company's incidence of cybersecurity events, at almost no cost. That is fantastic news. But, you say, I don't know anything about cybersecurity. You don't need to know much; that is what your trusted advisers and staff are for. Build a cybersecurity posture, watch it, get regular reports on it, and watch your cybersecurity change.
Remember that what gets measured gets done. Set metrics for your staff to reach. Give your CISO quality time on your calendar once per quarter to show you what he is doing for you; if you don't have a CISO, you should. Hire outside firms to perform regular cybersecurity audits. Report your measurements to your board of directors twice a year. Commission an outside penetration test of your company that no one in the company knows about except you, the CEO, and the board of directors (the testing firm will still need written authorization and agreed rules of engagement, and you should expect your security team to treat the activity as a real attack, which is itself part of what you are measuring). Use the findings to help your staff (not punish them) improve their cybersecurity policies and processes. There is a huge opportunity waiting to be exploited, but you must get involved.