Cyber Threats: How C-Suite Leaders can Improve Risk Management
Though cybersecurity is a common topic of conversation in today’s hyper-connected, digital world, companies may still be lagging when it comes to making security a priority. In spite of the focus on protecting networks and the sensitive information they hold, a recent survey by KPMG showed that 40% of audit committees felt their organization's risk management programs and processes "require substantial work."
Cyber threats are among the biggest risks to businesses today. They have the potential to harm workers, customers and a company’s reputation. Revenue may sag as a result of a data breach if clients and collaborators no longer trust the organization. A network intrusion could cost a firm its competitive advantage if intellectual property is stolen. Without a solid cybersecurity program in place, it may be just a matter of time before a breach throws a company into chaos.
Respondents in KPMG’s study pointed to organizational awareness and culture as primary challenges in managing cyber risk. This puts the onus squarely on executives to use their role and influence to drive meaningful results in the cybersecurity space.
Tie cybersecurity to business strategy
Risk management efforts are woven into corporate initiatives across the spectrum, from opening new manufacturing facilities to acquiring a competitor. As the executive team crafts and directs the execution of the organization’s strategic initiatives, they must also consider where cybersecurity risks may exist in that larger mission.
- What cyber protection will the manufacturing plant’s systems require before it opens?
- Will the soon-to-be-acquired company’s network create new cyber risks?
C-suite leaders must take the lead to ensure that strategic decisions include cyber risk considerations.
Be a cybersecurity champion
Employees at every level in the hierarchy ultimately take their cues from the leadership team. If executives don’t make it clear—through their words as well as their actions—that they see cyber risk management as a serious endeavor, the rest of the organization won’t make it a priority, either.
For recurring meetings with department heads and other middle management staff, executives may look at including a brief cybersecurity discussion as part of their standard agenda. Confirm that employees are up to date on their data privacy training. Inquire if there are cybersecurity concerns within the organization that haven’t yet been addressed by IT or the company’s risk officer. Asking the right kinds of questions is one way leaders can keep cyber risk top-of-mind across the entire reporting structure.
The leadership group should also seek to raise the profile of those involved in cyber risk management activities. If the function isn’t represented at the C-level, consider if that might help to raise awareness. Other ways to increase visibility around cybersecurity efforts include regular blurbs in the company newsletter about the latest threats employees are likely to encounter, and an FAQ page on the firm’s intranet about privacy best practices do’s and don’ts.
Prioritize cybersecurity at budget review time
Funding is a recurring issue when it comes to deploying cyber security and other privacy risk measures, but executives should be mindful to take the long view as they work through the budget development and approval process.
While software, hardware and staffing may require significant financial investments, it’s important to remember that data breaches can also be extraordinarily expensive. Protecting victims whose information was exposed is an early outlay. The firm’s internal network might require immediate improvements to plug the exploited weaknesses. Lawsuits may be filed, requiring time and effort not just to fight them, but also potentially to pay them. In the longer term, revenue could drop if customers no longer want to do business with the company.
With deep insight into the organization’s direction and mission, and through their position and influence, C-suite leaders are positioned to move cyber risk efforts forward and ensure the entire company is committed to a strong security profile.