C-Level Responsibility for Cybersecurity in Organizations

By Ilan Segelman, Power Communication

The steady stream of cyber attacks has made senior executives increasingly aware of how much an attack can disrupt normal business operations. Most C-level executives now accept that a sound cybersecurity infrastructure is essential despite its high cost. Cybersecurity is no longer the exclusive responsibility of the security managers: executives cannot hold the technical staff alone accountable without understanding the threats in all their aspects and judging for themselves whether the investment in cybersecurity infrastructure is adequate.

Today, the C-level executives in each area should take concrete action to advance cybersecurity in the organization:

  • The CEO is responsible for any loss of the company's reputation resulting from a leak of customers' personal information or of business information. The CEO must therefore take a proactive approach and lead the cybersecurity effort: listen to the professional assessments of the security team, understand the current solutions and vulnerabilities, and allocate adequate resources. The types and extent of threats change constantly, and security solutions must keep pace with those developments. The CEO must therefore put cybersecurity at the top of the priorities and lead the change processes.
  • The CFO is more aware than any other executive of the direct and indirect financial damage caused by breaches, data theft or the encryption of data by ransomware. Some of the most sensitive information in the organization falls under the CFO's responsibility: financial turnover, acquisitions, investments and so on. The CFO's role is not limited to allocating budgets: the CFO must learn the relevant cyber threats, estimate the risk and financial cost of a breach, and evaluate the return on investment of cybersecurity solutions, treating cybersecurity as part of the organization's risk management. The CFO must be part of the organization's incident response team, report a breach to the Board of Directors and be able to explain how the organization handled the attack.
  • The CHRO. A large share of information breaches stems from employees' lack of awareness of cybersecurity risks. In a phishing attack, attackers send fake emails or other messages that appear legitimate in order to convince employees to take unsafe actions that may expose organizational information. In many cases, attackers target junior employees who have access to the information. Training employees in cybersecurity is therefore a major task. The CHRO, who is in charge of training and knowledge sharing, must receive updates from the security team and build a training program that includes instruction and simulation exercises. Automated tools are also available for training employees in this area.
  • The CIO has to convey to the non-technical executives what working in the digital age entails, the cyber risks that come with it and the coping strategies that are available. In other words, the CIO serves as a mediator between the security management and the senior executives, and works in tandem with the CHRO on employee training and instruction.

In sum, many organizations place heavy emphasis on cybersecurity solutions, but that is not enough. Today, responsibility for cybersecurity does not rest only with the information security managers and cannot rely exclusively on technological systems. C-level executives should be well aware of the organization's various vulnerabilities, get involved, evaluate risks and lead the organization toward the most suitable solutions.