Is your leadership talking about cybersecurity?
Securing and protecting your organization from the potential impact of a cyberattack needs to be a discussion that starts at the executive level. Whenever I ask a CEO or business leader about how they are protecting their business from a data breach or ransomware attack, I almost always get the response: “I don’t know, but I’m sure IT has it figured out.” The consequences of suffering a cyberattack are costly and so harmful that many businesses do not recover. Is this a responsibility that you want to leave solely with your IT team or third-party Managed Service Provider (MSP)?
3 things you need to know
There are three things every business executive needs to figure out before IT is engaged in building a cybersecurity program:
- What is our company’s risk tolerance? How much risk are you willing to take on to achieve your business goals?
- What is most important to our success? What data and services do you need for your business to be successful? What creates your competitive advantage?
- What impact would it have if you lost critical data or services? If you lost critical data or services for an extended period, how would that impact your business?
Dependence on technology creates risk
Companies have become heavily dependent on technology to operate their businesses, and with that comes risk. A cybersecurity program identifies these risks, documents them in a risk register, and applies the appropriate treatment to each: Avoid, Reduce, Accept or Transfer the risk.
Not all risk is bad, and in many cases, it’s needed for the business to succeed. For example, a start-up will take on more risk to accelerate the growth of new business. In comparison, a medical clinic or hospital will be more risk-averse because any loss of data or system downtime can put lives in jeopardy.
Understanding your business risk tolerance and comparing it to the severity of identified risks will provide you with a starting point for your cybersecurity risk management program.
Developing a risk register
Your risk register should be as complete and comprehensive a list as possible. Using a framework like CIS Controls or NIST will help guide what to look for and which controls you need to cover. Your business may be subject to regulatory requirements that need to be considered, such as PCI, HIPAA or PIPEDA. Your list of risks will be longer than anyone can address, so you will need to identify what is critical to the success of your business and set priorities. Some of the common concerns that keep CEOs up at night are:
- Business disruption
- Data breach
- Time to recovery (downtime)
- Loss of value-chain confidence
- Damage to brand/reputation
- Fraud prevention
- Access management
- Work from home (security/productivity)
- Regulatory compliance
Lowering your risk
You should only start discussing potential ways of mitigating risk once you have:
- Profiled your business risk
- Documented a list of risks
- Established a prioritized list of critical business services
At this point, your IT team, MSP or an outside security consultant can identify technology that will address your risks. Your IT resources will play an invaluable role in helping to control your cyber-related risks and protect your business-critical data and services.
The most common mistake CEOs and business executives make when it comes to cybersecurity is handing off responsibility to their IT team or MSP without setting clear expectations and deliverables. A breach or ransomware attack can be one of the most impactful events your business will ever encounter. Cybersecurity needs to be handled by experts who understand your business, the regulatory environment in which you operate and who will deal with the consequences when it happens.
Lighthouse Systems guides leadership teams step-by-step so that businesses are prepared, data is secure and there’s a continuity plan in place. Our beacon gives back control over cybercrime. Call or email us today to request a consultation.