Much has already been written about the importance of creating a culture of cybersecurity. About how your business’s executive team plays a huge role in whether or not your organization is security-conscious. About why security is everyone’s job – not just something for the IT department.
Now there’s actually some concrete data to back all those claims up. The United Kingdom’s Financial Conduct Authority recently released a review of several asset management and financial services firms. The results are rather telling.
“All the firms acknowledged the importance of strong cybersecurity,” it reads. “But there were different degrees of understanding of the many potential ways that weak cybersecurity could affect business activities and lead to harm to clients and the wider markets. This was particularly the case at the Board or Management Committee levels.”
“Awareness is lower in firms that do not have a cyber-specific strategy and proportionate cyber risk framework, where cyber is not part of their broader risk management framework, and where their incident response plans take little account of non-technical consequences such as the impact to their reputation, clients and markets more,” it continues. “Firms need to do more to ensure that Board and management committee cybersecurity decisions are based on careful consideration of the cyber risks.”
There you have it. In plain black-and-white language: if your organization’s C-Suite isn’t on board with cybersecurity – if your executives don’t understand the threat landscape of your industry – your business cannot be secure. So…what can you do about it, exactly?
Simply put, by understanding the perspective of your executive board. You have a solid grasp of the technical side of your organization, but you also need to understand the business side of things. You need to understand spending and finances, to know the difference between a security risk and a business risk, and to be able to explain precisely how security aligns with your organization’s core business objectives.
“Ideally, every person in the organization is responsible for security,” reads a piece published by Armor Defense Inc. “This typically starts from the board of directors down. That’s because even if you have only one person who fails to take security seriously, that person can become a vulnerability that attackers exploit.”
In short, ensure your C-Suite understands cybersecurity. Coach them on the importance of understanding your risk profile and security posture, and explain to them why security is more than just an IT problem. Have them take an active role in promoting security across your organization from the top down.
Because if you don’t, then it doesn’t matter what else you do – you won’t be secure.