According to data from Statista, cyber attacks came at a cost of US$7 trillion to the global economy last year, with advanced threats like ransomware reaching record highs.
Modern-day threats are so severe that businesses are not only losing money, but often becoming completely immobilised by critical cyber events. An obvious example is the recent ransomware incident at Royal Mail, which successfully shut down the company’s international delivery operations.
As one would expect, business leaders have been busy ramping up their security investments. Global spending on cybersecurity solutions and services was up 16% in 2022 compared to 2020, reaching more than US$70 billion.
Why, then, do businesses still find themselves falling victim to relentless threats?
"Even if an organisation has invested in top-tier technology, it won't yield substantial results without prioritising security effectiveness across the entire business," Hart says. "This entails properly integrating the security framework into the rest of the business, supported by the appropriate processes and targeted operating model.
"Effective cybersecurity is based on three domains: technology, people and process. So, merely focusing on one of those aspects is not enough."
The key, Hart adds, is to adopt a centralised approach to security, where cyber risk is collectively owned and understood by all stakeholders, executives and employees. Clearly, CEOs play a critical role in this as they can influence change and establish accountability across the entire business.
Removing the barriers to cybersecurity effectiveness
Although the importance of cybersecurity is undisputed across various industries, it is often found to be operating as an internal department that remains isolated from the rest of the business.
As a result, many companies are failing to assess the effectiveness of their security strategy and investments.
The reality is that cybersecurity is still widely considered the 'new kid on the block' from a business operations standpoint, and only in recent years has the evolving cyber threat landscape necessitated a fresh approach, one that incorporates security measures aligned with broader business objectives.
"Business leaders must change their traditional thought process and acknowledge cybersecurity as a concern that spans the entire organisation," Hart continues. "In other words, cybersecurity shouldn't be treated as a specialised technical issue handled by an isolated department tucked away from the rest of the company."
Hart also points out that CEOs can be guilty of taking little to no accountability for their organisation's digital security, instead assuming they are secure and the CISO must know what they are doing when it comes to cybersecurity.
While CEOs may seem to take charge when a major, publicly disclosed breach occurs, the CISO is usually held accountable for all other cyber responsibilities.
"Addressing this issue requires accountability from all corners of the organisation," says Hart. "Everyone in the business – from the boardroom and executive leadership, down to the most junior team member – has a role and responsibility in ensuring cybersecurity effectiveness.
"Non-technical executives and other stakeholders should be willing to take accountability for cybersecurity and comprehend the processes and plans in place; CEOs must understand how security fits into the broader enterprise and communicate this effectively throughout the entire organisation."
Ultimately, open communication and a shared understanding among all parties are crucial if cybersecurity is to truly become a core business process. All components must work together to achieve optimal performance, and cybersecurity is no exception.
Broadening the role of the CISO
It must be emphasised that, for Chief Executives, communicating cybersecurity risks within a broader business landscape is far from simple.
In truth, most business leaders do not have a solid technical background and may fall short when it comes to planning, engaging and communicating cybersecurity practices across multiple departments.
To tackle this, more tasks should be delegated to the CISO, extending their role beyond technical responsibilities.
Hart says: "CISOs are often positioned in isolation from the other departments, as their responsibilities are limited to leading the security team. CEOs must change this legacy management process and extend the role of the CISO, which means involving them in regular business planning, decision-making, and stakeholder dialogues.
"By doing this, the CEO ensures the company’s security strategy aligns seamlessly with its overall business objectives, and that effective security practices are embedded within day-to-day operations and the overall environment."
As well as broadening their role, CEOs should be making efforts to engage in constructive dialogue with the CISO. This will enable the latter to become a vital link between the security team and the rest of the organisation, while also contributing valuable insights and perspectives that can drive increased business success.
At the same time, the CISO will be in a better position to understand wider objectives and priorities, helping them to align security initiatives accordingly.
Engaging the workforce in the cybersecurity journey
"CEOs must acknowledge that cybersecurity is a team game," argues Hart. "And, in today's advanced threat landscape, security teams alone cannot safeguard an entire business."
This school of thought is not without foundation. ISACA's State of Cybersecurity 2022 report revealed that almost two-thirds of all cybersecurity teams are significantly understaffed, and this skills shortage is not likely to be addressed any time soon.
Bosses should, therefore, establish cybersecurity as an organisational responsibility.
"Cybersecurity requires the support and involvement of the entire organisation," concludes Hart. "Business leaders must abandon the 'assume' mentality regarding security and actively engage in the process alongside the security team.
"To achieve this, CEOs should adopt an operating model that clearly defines roles and responsibilities in securing the company. This will involve cultivating a top-down approach to instilling a strong security culture, with senior leadership teams taking responsibility for implementing proper security measures.
"By engaging the entire workforce in the cybersecurity journey and providing clear metrics to measure outcomes, organisations can effectively decentralise cybersecurity and elevate it to a core business process. This will not only improve security effectiveness but also maximise the return on investment for cybersecurity spending."