Within many organizations, discussions related to cybersecurity focus on what IT is doing to keep the network secure. Leadership wants to know what tools are being used and how security managers are implementing technology to “block the bad guys.”
However, cybersecurity isn’t merely about implementing the latest technology. While network security tools and protocols are a major piece of the security puzzle, ultimately the success of any security plan comes down to people, and how well they use those tools. The human element of security cannot be overlooked, nor can the importance of its role be overstated. And although conversations about individual roles in cybersecurity tend to focus on employees, the key to any effective cybersecurity plan is organizational leadership. Your leaders are the first line of defense when it comes to protecting your network, as they set the tone for security efforts and create the organizational security culture.
Why Your CEO is a Liability
There’s no denying that the humans in your company create risk. After all, one survey revealed that more than 90 percent of data breaches stemmed from an individual clicking on a phishing email. However, the leaders of your company, especially top executives, are even more prone to creating security risks than the average rank-and-file employee, for several reasons.
- Social engineering. When your leaders are visible, it’s easy for hackers to find information about them to use in a phishing attack. It’s much easier to learn facts about a CEO than a junior associate, and hackers will use this to create targeted, effective attacks. While many phishing attacks are crimes of opportunity, attacks on leaders are carefully crafted for maximum effectiveness.
- Urgency and inattention. Executives are busy. They generally aren’t carefully scrutinizing every message in their inbox, but rather scanning for the messages that need immediate attention. When they spot something that triggers an emotion – a subject line indicating bad news for the company, for instance – they may immediately click, not stopping to consider the consequences.
- False sense of security. Many CEOs develop a false sense of security, thinking that IT has everything covered and that the rules don’t necessarily apply to them. They are busy and focused on getting things done, and simply assume that everything’s covered.
- Lack of training. Executives are busy, and don’t always have the time to complete security training. Again, they think everything is covered, and trust their IT leaders to protect the network, but miss important warnings and information that reduce risk.
It’s not just executive behaviors that create cybersecurity risks, though. One of the most important tasks of any leader is to create a culture of security, in which maintaining security permeates employee attitudes and daily activities. However, many leaders don’t foster such a culture, instead assuming that employees will automatically care about keeping the company’s resources secure and will just do what needs to be done. In some companies, cybersecurity is little more than a single annual training, with the expectation that employees will adhere to the directives presented.
However, security risks are always changing, and unless security is embedded into everyday activities, employees will not engage. Therefore, leaders must not only be cognizant of their own behaviors, but also focus on building and supporting a healthy security culture to keep everyone involved.
One of the first tasks for improving security leadership is to provide adequate training for executives that teaches them not only how to identify and respond to risks but also to understand the full risk to the company. In many cases, leaders simply don’t understand that their actions put data at risk and need to be taught. One method that can work for busy executives is to work with them to develop training programs for other employees, which both gives them the necessary information and helps them support a security culture.
Leaders also need to focus on teaching employees that security is important and extending it beyond just the IT department. They need to lead by example, communicating about security directly and providing motivation to employees to consider everything they do within the context of security. By keeping security at the forefront of everyone’s mind, making it relevant, and rewarding those who demonstrate good security behaviors, leaders can support a healthy culture and reduce the risk of a devastating security incident.