In a recent study conducted by MSI-ACI Europe, 61 percent of IT professionals said senior executives expect more lenient security policies for themselves than everyone else. For 65 percent of study participants, that leniency resulted in more data breaches.
The obvious question is, shouldn’t it be the other way around? Given the increasingly perilous threat climate, which isn’t exactly a secret, shouldn’t senior executives be clamoring for tighter security across the board? Because hackers like to target high-value credentials and gain unrestricted access to systems across the network, shouldn’t security for senior executive accounts be even stronger than other user accounts?
Whether intentionally or unintentionally, cybersecurity tends to be a blind spot for senior executives. Although senior executives don't need to understand the minutiae of security software configurations, they should know how the network is being protected. In fact, they should be directly involved in setting that strategy, especially when you consider the impact of a data breach on a company's reputation.
Next time you read a news report about a major data breach, swap out the company name in the headline for your organization and think about the cost of downtime, lost revenue and negative press.
To avoid such a scenario, organizations need to build a culture in which security is a high priority. Of course, culture starts at the top. Senior executives must not only show leadership in this critical area, but they also need to give IT a seat at the table when creating budgets. In many cases, they simply give IT a number and tell them to make it work.
Beyond budgets, there should be ongoing communication between the C-suite and IT. What types of threats are most challenging? What tools and resources are needed to plug any gaps in security? Who and what are threats targeting? How is network access controlled and activity monitored? Are incident response, backup, and disaster recovery processes being tested, assuming those plans are in place? What are the results of those tests? Are minimum compliance standards being met? Should an outside security vendor be brought in to perform a vulnerability assessment?
When senior executives have a clear picture of the security posture, they can determine whether it’s aligned with the organization’s risk tolerance. It’s impossible to secure the environment against all threats, so IT needs to understand what to prioritize. Business executives are in the best position to know what kinds of cybersecurity events would have the most severe impact on the organization.
Executives also need to understand that every change to the IT environment has the potential for creating new threats. When tools and services are added to support new initiatives or provide new capabilities, security is often ignored during the planning process. IT is then expected to figure out security after the fact, but that approach automatically creates dangerous vulnerabilities until the proper tools are deployed. Security and any necessary user training need to be in place from day one.
Don’t let lack of security awareness and knowledge in the C-suite put your organization at risk. Let us help you close the gaps between the security you have, the security you need, and senior executives’ understanding of both so you can build a culture that prioritizes cybersecurity.