by Judy Selby and Deena Coffman - BDO USA on June 24, 2016
Ownership of a company’s cybersecurity is akin to an issue like climate change or eco-preservation: It’s a concern that touches everyone. For cybersecurity, however, universal ownership may not be the best approach to ensure accountability.
Technology is an integral part of the corporate environment, but the responsibility of protecting that interconnectivity doesn’t always fit into neatly defined departments. It’s everyone’s—and no one’s—job until accountability is established. To do so, a company should select a leader with cybersecurity as her mission.
It’s a question that was raised in a recent webinar, “From Ashley Madison to the eBay Hack: Cybersecurity Best Practices”—when it comes to leading the charge on cybersecurity, who’s the right person for the job?
A Fearless Leader
The answer, not surprisingly, isn’t simple. It depends on the company’s size and structure. In a larger company, the role is often filled by a C-suite executive, such as a chief privacy officer or chief information security officer (CISO), a board member, or general counsel.
It doesn’t necessarily matter which leader claims ownership—only that someone does, and that the individual responsible seeks appropriate expertise to understand the technical complexities and operational issues at a sufficient level to make sound decisions. What’s most important is that she has the characteristics required for success:
- True advocacy. The individual should be an effective advocate, publicly supported by corporate leadership. She must be passionate about her mission and eager to keep abreast of evolving threats and best practices.
- Adequate resources. A leader in cybersecurity must be empowered to effect policy changes that manage the risk of a data breach. Having the “power of the purse” is crucial for obtaining external resources if necessary, as third-party objectivity can play an important role in building a credible and effective security program.
- Appropriate authority. A cybersecurity leader must have the authority to mandate compliance; implement best practices and training programs; oversee information governance; manage vendor information security risk across the organization; assist in the procurement of cyberinsurance; and oversee incident response plans. It’s a tall order. Sufficient authority and budget are critical to success, as is access to and collaboration with department heads across the organization.
- Collaboration skills. Another must? Savvy relationship building. Cybersecurity work involves close collaboration with legal, human resources, marketing, accounting, information technology, and physical security departments, as well as the chief financial officer, chief information officer, office administration, and a company’s social media users.
Cybersecurity Starter Kit
Once a leader has been tapped, there are a few basic best practices she can initiate immediately to get a company’s cyber house in order.
- Commission a Third-Party Assessment: A neutral party can benchmark an organization against industry standards and practices and provide a prioritized list of recommended actions. The recommendations can then be evaluated against the company’s risk profile and budget to develop the action plan for the next 6 and 12 months. Not using an outside expert may expose a company to the risk of “not knowing what you don’t know.”
- Develop a Security Event Response Plan: A data breach can occur in any department across the company, and the early warning signs can be spotted by any employee. An incident response plan that is contained within IT misses the rest of the organization. But a plan that engages all departments and considers all exposure points, even those outside of the IT department, is far more effective in preventing, identifying, reporting, and containing a security event. A company that does not have an incident response plan that is practiced and current needs one immediately, and developing or updating this plan can be a mechanism for, say, a new CISO to collaborate with departments across the organization.
- Review Security and Privacy Training: New threats evolve, and standards for prevention and detection should mature accordingly. As this occurs, training materials should be refreshed so that employees can properly protect their data and use the most secure workflows. A cybersecurity leader will also want to review the training program to ensure it is not an online, “click-through-the-slides-once-a-year-and-check-the-box-that-you-met-the-requirement” type of training. Today’s training is delivered point-in-time, periodically throughout the year, and it is tailored to the job function of the employee receiving the information.
It Takes a Village
A leader is vital to tackle the cybersecurity issue. But truly, every employee has a role to play in cybersecurity, such as staying up to date with training courses, remaining aware of new threats, and reporting the first signs of a threat.
Judy Selby is a managing director at BDO USA, where she provides strategic advice to companies concerning cybersecurity, privacy, and insurance.
Deena Coffman is also a managing director at BDO, where she specializes in information security risk management.