Strengthen management’s cyber skills
4 August 2022 –
The number of cyber lawsuits by corporate shareholders is increasing tremendously. For example, Capital One settled for $190 million, and a new lawsuit was recently filed against Ultimate Kronos Group for alleged negligence after a poor cybersecurity system was found to be the cause of a ransomware attack.
“These two recent cases highlight the risk businesses face in the ongoing war against cyber threats. Businesses that have been breached have struggled with the direct impact of a cyber attack – downtime, data loss, lost profits, reputational damage and fines – but now lawsuits are increasingly at stake, with consumers, investors and other injured parties claiming that companies (and their boards) should have done more to protect sensitive information,” explained Dave Russell, Vice President of Enterprise Strategy at Veeam.
Russel: “Of course, most companies have already taken steps to improve cyber security, but breaches are still the order of the day. And so is the risk of a lawsuit. The problem is that cyber security is still not an organization-wide priority for many companies. This is more common for small and medium-sized companies, but is still the case with some large companies, with the focus on IT managers to set up and execute a security strategy, business leaders are barely involved, and it makes sense that cyber security is not high on the agenda .”
It’s time for that to change. Here are four steps companies can take to prioritize cybersecurity at the executive level:
1. Strengthen leadership cyber skills
“Boards need to take a more active role in strengthening cyber security. But CEOs also need to ensure they are able to do this. It goes beyond having corrective conversations with IT and business leaders about employees. be trained to deal with ongoing cyber challenges,” said Russell.
“They can start by assessing the cyber skill levels of their members. They can do this themselves or hire an expert. These experts can lead subcommittees and communicate more directly with business and IT leaders about cyber strategies. Second, the entire board should review annually or semi-annually training to better understand the evolving cyber landscape. A board that is well-versed in cyber issues can better manage risks, liabilities and technical issues.”
2. Create free information exchange
Once the board is aware of that, it is the management’s job to develop a mechanism for consistent communication about cyber risks and strategies. Dave Russell agrees: “Managers must have time to interact about plans, procedures and ongoing issues related to cyber risk. It is important that this mechanism includes all stakeholders – from business leaders to IT and from legal staff to HR and marketing. While security strategies are still managed by IT, strategy and implementation cuts across all departments and extends to the board.”
Interaction must become an ongoing part of the board’s ongoing responsibility and managers must guide them in this.
3. Appoint an “executive sponsor”
Although all layers of the organization should be involved, it is important to leave the creation of a response plan to one person. This person does not have to develop the entire plan, but is responsible for its implementation. “This needs to be a leader who has the authority to drive change and adapt the organization. In theory, the CIO, CISO or CSO should be well positioned for the job,” says Russell.
It makes sense for an organization to install a business manager in this role – someone whose job is related to revenue-generating activities rather than technology. “This person needs to liaise with IT managers, but approach the task from a business strategic point of view. Technology is critical, but the best response plans are around how best to prepare for a breach and sustain if this happens,” explains Russell .
4. Assign roles
While the CSO and CISO will continue to set the security agenda for many companies, other leaders must also play an active role. Russel: “CFOs need to ensure that a level of security is built into all financial processes. HR directors need to screen new hires more carefully. And sales managers need to promote hygiene, especially with traveling employees who, thanks to their virtual access, are the main vector for hackers .”
Russel concludes, commenting, “With the increasing amount of litigation in our society, companies cannot hope to completely eradicate cyber cases. But they can take an active role in preventing them. It is a step in the right direction. good direction to do cyber security to a management issue