Leadership’s evolving role in cybersecurity
By Paul Gillin
As the volume and severity of computer crime have grown, one group has stayed somewhat quiet about the issue: CEOs. Cybersecurity is a difficult topic for many business executives to discuss. They aren’t comfortable with the technology and they worry that speaking out will betray their naïveté. They fear being breached but are reluctant to discuss their own vulnerability. They may even assign security a lower priority because it doesn’t have a clear ROI. Altogether, this creates the impression that they don’t care about an issue that may actually worry them a great deal.
Perhaps CEOs are looking at the problem the wrong way. As long as they see cyber-attacks as a problem to be solved and breaches as embarrassing failures, they will continue to avoid the discussion. Changing language and attitudes about cybersecurity can help forge the acceptance that is essential to creating a coordinated response.
By acknowledging that no amount of money or technology can protect them absolutely, CEOs can turn the conversation from a success/failure proposition to managing a business process. That’s something most of them are comfortable with.
Writing in the Harvard Business Review recently, Alex Blau suggests that changing our perspective on the cybersecurity challenge lowers anxiety by removing the specter of failure. “Cybersecurity efforts have to focus on risk management, not risk mitigation,” he writes.
Risk management is a standard part of doing business. Organizations are already adept at tolerating and mitigating such problems as shrinkage, downtime, turnover and waste. These are treated not as threats to the business, but as costs to be managed and avoided. Why not take the same approach to cybersecurity?
CEO silence damages the security posture of any organization. When top executives talk, things happen, but as long as cybersecurity is delegated to a subgroup of the IT organization, people will believe that it’s someone else’s problem.
That’s a shame, because the vast majority of breaches can be prevented with a few basic practices: choose strong passwords, don’t click on unknown links, keep up to date with patches and antivirus definitions, and protect devices with authentication.
Most business professionals are aware of these facts, yet surprisingly few observe them. One analysis of 10 million passwords revealed by data breaches in 2016 found that nearly 17 percent of accounts were protected by the password “123456.” Phishing, a threat that can be managed with common-sense precautions, has grown more than 5,700 percent over the past 12 years, according to the Anti-Phishing Working Group. The fact that people continue to make the same mistakes despite years of warnings means they aren’t taking threats seriously.
That cannot change until CEOs join the conversation. Once they say cybersecurity is important, and follow through with behavior that sets an example, others follow. The process starts by dropping the win/lose mindset and challenging everyone to collectively make the organization stronger.
Paul Gillin writes, speaks and trains marketers and corporate executives to think like publishers. Gillin specializes in social media for B2B companies. He is a veteran technology journalist with more than 25 years of editorial leadership experience. All opinions expressed are his own. AT&T has sponsored this blog post.
Stay tuned for the new Cybersecurity Insights Report Vol 6, Mind the Gap: Cybersecurity’s Big Disconnect, available on October 30, 2017. Meanwhile, catch up on past reports, vol. 1-5, to learn what you can do to help strengthen your defenses across your business.