Recent data breaches have highlighted yet again that upper management needs a better understanding of cybersecurity, as well as of the role cybersecurity risks play in their overall strategic, financial, regulatory and operating risks.

Regardless of industry vertical, size or complexity, all companies require the right security program – one that is based on the company’s unique profile.

Aren’t companies already aware of their security risks?

Early in 2014, I approached a board member at Home Depot about validating their security program. He did not have time to meet with me. We all know what happened a few months later.

After the Sony hack last year, the actions of Sony Pictures Entertainment Chairman and CEO Michael Lynton revealed a basic lack of understanding of cybersecurity essentials, even though the company has had several data breaches!

Each breach should have been a wakeup call and an opportunity to create the right security program.

In the event of a data breach, the equivalent of a stopwatch starts ticking: with every tick the company loses productivity, revenue, intellectual property, or all of the above and more. Post-breach is not the time to create a security strategy, and certainly not the time to work out the role of cybersecurity for the company.

What do CEOs need to understand about cybersecurity?

Only 2 Things.

  1. Perform a company-wide risk assessment to identify vulnerable data and business processes, both internally and externally.
  2. An effective security program is holistic. Don’t fall into the trap of the “blind men describing an elephant”. An effective security program does not protect data, vendor-related vulnerabilities, or processes in silos. It requires a holistic strategy based on a company-wide assessment of risks – a 360-degree view of the information risks for the business, looking at customers, employees, business partners, vendors, third parties, business processes and technology.


Top picture credit: ITU pictures, flickr