Week after week, month after month, shareholder cyber lawsuits hit the news. Capital One settles for $190 million. A class-action lawsuit was filed against Ultimate Kronos Group for alleged negligence regarding a ransomware attack, identifying a poor cybersecurity system as the root problem.
These two news items in recent months underscore the risks companies face in their ongoing war against cyber threats. Companies that get breached continue to struggle with immediate and obvious impacts: downtime, loss of data, loss of revenue, hits to their reputations and regulatory fines. But now the stakes are increasing. More cyber incidents regularly trigger class action lawsuits from consumers, investors and other impacted parties arguing that companies – and boards themselves – should have acted more diligently to protect sensitive information.
Of course, virtually every company has taken some steps to improve cybersecurity practices in recent years. High-profile breaches at Target, Equifax, Marriott and other well-known companies heightened awareness and forced IT decision makers to shore up corporate networks and reinforce policies.
But the breaches keep coming – and so do the lawsuits. Problem is, many companies still haven’t raised cybersecurity to a true organization-wide priority. While this applies more to SMBs, it’s still an issue for some larger enterprises as well. Most still rely on back-room IT managers to set and carry out security strategies. Many haven’t involved business leaders enough in cybersecurity strategy or made cyber threats a standing item on the board’s agenda.
It’s time they do. Here are four basic steps companies can take to prioritize cybersecurity at the leadership level.
Strengthen the board’s cyber skills
The board has to take an active role in cybersecurity preparedness. But first directors have to ensure that they are up to the task.
This goes beyond having members conduct remedial discussions with IT and business leaders on staff. Board members need to educate themselves to meet the ongoing cybersecurity challenge.
Boards can start by assessing the cyber skill levels of their members and hire one or more members with expertise in cyber matters. These cyber specialists can lead subcommittees and engage more directly with business and IT leaders on cyber strategies.
Second, the whole board should get annual or biannual training to understand the constantly evolving cybersecurity landscape. A board that’s well versed in cyber issues can better address the risks, liabilities and technical issues that will inform strategy decisions they’ll have to make.
Create a free-flowing information exchange
Once the board is up to speed, it’s incumbent on management to develop a mechanism that promotes consistent communication about cyber risks and strategies. Managers should set aside time for intense interaction about plans, procedures and ongoing issues relating to cybersecurity risks. It’s important for the mechanism to include stakeholders from a wide variety of departments – everybody from business to IT to the legal staff to HR and marketing. While cybersecurity technologies will still be controlled by IT, strategy and implementation cuts across all departments – and extends all the way up to the board.
Interactions should become an ongoing part of the board’s continuing responsibilities, and managers should serve the role of educators and facilitators.
Designate an executive sponsor
While involvement in cybersecurity extends across departments, it’s important to put the creation of a response plan in the hands of one individual. That individual doesn’t have to develop the whole plan. But the person in charge should be a leader who has the authority to drive change and gain alignment across the organization. In theory, the CIO, CISO or CSO should be well positioned for this task.
It makes more sense for an organization to install a business leader in this role – someone whose job is connected to revenue-generating activities or operations rather than technology. The person should engage with technology leaders but approach the task with a focus on business strategy. Technology is critical, but the best response plans are framed around how operations can best be prepared for a breach and sustained in case one occurs.
Assign roles across the organization
While the CSO and CISO will continue to set corporations’ security agendas, other leaders need to take active roles. CFOs have to ensure that a level of security is being built into all of the firm’s financial processes. HR directors need to vet new hires more diligently and serve as conduits for employees’ comfort with security practices. Sales leaders need to promote security hygiene, especially with traveling agents whose virtual access makes them prime vectors for hackers.
Given today’s litigious society, companies can’t hope to fully stamp out cyber lawsuits. But they can take an active role in fending them off. Making cybersecurity a leadership issue – extending it across the organization, all the way up to the board – is a step in the right direction.
By Dave Russell, Vice President of Enterprise Strategy, Veeam and Rick Vanover, Senior Director, Product Strategy, Veeam