So Easy, Even A CEO Can Understand It: A Call For Greater Clarity In Cybersecurity
Who should be in charge of cybersecurity? In times gone by, the CIO – or IT department manager – worried about systems security, and took all the heat when things got hacked, breached or lost. Lately, however, this job has simply grown too big for IT managers. And technical jargon obfuscates the realities that every business and IT leader – even in the C-suites and boardrooms – needs to clearly understand.
For starters, “the focus on software, networks and hardware ignores many of the non-technical factors of successful cybersecurity strategies,” write Thomas Parenty, an international cybersecurity expert, and Jack Domet, a management specialist, in their upcoming book, A Leader’s Guide to Cybersecurity. (To be released in December by Harvard Business Review Press.) “The technical nature of cybersecurity dialogue also alienates important parties and stymies cooperation. Jargon limits the material engagement that boards and senior executives need when discussing and making decisions about the cyber risks facing their companies. In spite of continued inability to protect themselves, many companies pin their hopes on more sophisticated, and more expensive, technological products and services to keep hackers at bay.”
As a result, cybersecurity remains a dark art, while business leaders – who now face liabilities and lost business due to security disruptions – keep their fingers crossed that their IT departments know what they’re doing. “The absence of a working cybersecurity approach allows fear to replace logic,” Parenty and Domet point out.
It’s time for business leaders at all levels to become more engaged – and take a leadership role when it comes to cybersecurity. Of course, this involves more than commissioning the purchase of more expensive technology solutions. The organization needs to be on board with cybersecurity training, awareness, and active support. “It is not sufficient for corporate leaders to direct cybersecurity or IT management to make the company secure. Corporate leaders need to hold business managers accountable for providing enough information about their operations to cybersecurity.”
Parenty and Domet outline four key principles that should support every enterprise cybersecurity initiative:
Aim for maximum clarity at a non-technical level. When it comes to cybersecurity, a good rule of thumb to follow is: “if you don’t understand it, they didn’t explain it,” the authors state. Corporate leaders “are often frustrated that the briefings and materials they receive from cybersecurity teams are not relevant or useful.” Security team leaders, on the other hand, “grow frustrated with board members’ apparent lack of interest in understanding what to them are elementary but important concepts.” Parenty and Domet recommend that executives “insist that cybersecurity professionals express their findings and recommendations in an understandable way.”
Understand it is the business – not just systems – at risk. “All discussions and actions relating to cybersecurity and cyber risks start and end with the business and the business risks to its operations and strategic direction, not with computers and their vulnerabilities,” the authors state. Executives need to ask two questions:
- “For each information asset and automated business process your company has, what security technologies protect it?”
- “For each security technology, which information assets and automated business processes does this protect?”
Make cybersecurity mainstream. “In both corporate organizations and activities, take cybersecurity from siloed functions and incorporate it into mainstream functions,” Parenty and Domet urge. This may include placing the cybersecurity group “within a line function, particularly one with significant cyber risks, as opposed to staff function, such as IT.”
Engage motivation. “Understand and align the interests and motivations of staff and departments to incentivize behavior that leads to accomplishing cybersecurity goals.” Understanding employees’ day-to-day motivations is the key.”
In this digital era, there’s a temptation to outsource many cybersecurity obligations to cloud providers. However, executives need to understand that security needs to be a core responsibility that starts and ends with their organizations. Likewise, cybersecurity is something that should no longer be delegated to IT departments – it’s now part of every top-level decision process.