This business executive is focused on building his company. He spends his time focused on top-line growth and bottom-line profitability. He believes in hiring good people and giving them the authority they need to "make it happen". When it comes to technology he relies heavily on his Chief Information Officer to ensure the company is building strong technology capabilities and managing its technology risks.
He receives regular updates from his IT Security team about cybersecurity threats and risks. They always paint a gloomy picture and want more money to invest in even more technology tools and people.
Is this your story?
Chief Executive Officers and other senior company executives must realize that they are an integral part of the enterprise security program. They must be actively engaged in managing cybersecurity as a business risk.
Key questions for Executives:
The challenge for Executives is to really understand and engage in the cybersecurity program. How do they know they have the right focus, strategy, people and investment in cybersecurity and IT risk management? How well prepared are the CEO and other executives when (not if) something goes wrong?
In December 2018 the US House of Representatives Committee on Oversight and Government Reform issued a report on The Equifax Data Breach.
The report concluded:
"Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach. First, a lack of accountability and no clear lines of authority in Equifax's IT management structure... Second, Equifax's aggressive growth strategy and accumulation of data resulted in a complex IT environment...
On October 3, Richard Smith testified before Congress blaming human error and a failure to communicate the need to apply a patch as underlying reasons for the breach.
Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented."
On March 26, 2014 the US Senate Committee on Commerce, Science, and Transportation released a report "A “Kill Chain” Analysis of the 2013 Target Data Breach". In that report, the committee concluded:
"This analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach. Key points at which Target apparently failed to detect and stop the attack include, but are not limited to..."
Cybersecurity Strategy Assessment
Provides Executives with an independent assessment of the company’s cybersecurity strategy and the investments made to protect the company from cybersecurity risks. Understand where improvements are needed in people, process and/or technology. A short time-boxed assessment designed to deliver high value insights to the management team.
Cybersecurity Executive Awareness Training
In-person or virtual cybersecurity awareness training for Executives focused on how to protect the company from cybersecurity risks. Includes guidance on key considerations for the Executive team, how to evaluate the organization’s security program, and how to prepare for a security incident.
Cybersecurity Breach Simulation
An interactive session with key management to rehearse and practice the real-time decision-making needed in a breach incident. Adapted to follow the company’s specific incident response plans. Executives will gain a better understanding of their roles and responsibilities in responding to a cybersecurity breach.
Ongoing support and mentoring to key Executives (CEO, CIO, CISO) to help them identify, understand and improve the company’s cybersecurity program. Helps Executives keep up-to-date with key cybersecurity issues and trends and be able to make appropriate management decisions.