Cybersecurity Awareness Month: Trick or Treat? CxOs and Boards, Be Careful What You Ask For
A major goal of Cybersecurity Awareness Month is to raise awareness and educate as many people as possible on the importance of cybersecurity and the threats they face.
As Cybersecurity Awareness Month comes to a close on Halloween, I thought I would take a different approach and provide what you might see as a treat, especially for CxOs and Board members.
I’d like to raise awareness of the cybersecurity team in your organization and their tireless fight to combat cyber threat actors 24×7. These men and women play an important role in keeping companies operational and protecting your customers and your brand. It is important to maintain continuous awareness and appreciation for your cybersecurity team and its leadership, as they are expected to mitigate every attack without fail. When they do stop an attack, it is rarely acknowledged or quantified to show the level of positive impact they provide; yet they are under significant scrutiny when there is a successful breach. It’s especially important for CEOs, CFOs and Board Members to stay aware of their own security team, the services they provide, and the challenges they face. Hopefully, this post helps raise awareness, which will in turn enhance communications and cybersecurity effectiveness year-round.
Cybersecurity teams have never been under more pressure to perform, or had so many requirements to support. However, some of the demands put on the security team and the questions posed to them can limit their effectiveness. Here are some key considerations for CxOs and Board Members that I think will help provide some context the next time they meet or interact with their cybersecurity team:
- Being compliant doesn’t mean your organization is secure. Compliance requirements are weighted toward legacy approaches to cybersecurity, and if you restrict your security program from investing in and deploying emerging cybersecurity tools, your organization will undoubtedly be playing whack-a-mole. This reactive approach to cybersecurity ends up costing millions of dollars more than forecasted.
- Cybersecurity teams are made up of humans, not robots. Incidents (including false positives) spin them up frequently, and as a result many have worked long hours over months trying to restore trust in the organization’s IT systems. They have sacrificed many birthdays, holidays, weekends, little league games and other events. This takes a toll on the workforce.
- Cybersecurity teams often request training to stay sharp and maintain professional certifications. Training is an important investment to help mature your organization’s cybersecurity defense capabilities and critical to morale and higher retention rates.
- Giving the security team new capabilities to empower them and keep their skills sharp also has strong benefits for retention and improved team morale.
- Black box tools limit your cybersecurity team’s analytical thinking and creativity, putting them in the back seat as they try to face advanced cyber threat actors.
- Cybersecurity must be seen as a critical enabler of business success and not solely as a cost center. Giving the cybersecurity team freedom and allowing them to focus on securing the organization vs. achieving compliance has had positive results.
- Giving customers peace of mind and comfort that your organization is going above and beyond to protect their data is a strong selling point when many competitors are oftentimes not doing so and potentially cutting corners.
- IT decisions (especially those made to save costs) should always have the security team involved during the architecture and requirements phases. Security needs to be built into all processes and validated. Be careful that cost savings in IT don’t in turn add new or additional risks and costs in other areas. This is also very important in evaluating companies for acquisition and during post-merger management.
- Cybersecurity Awareness should be promoted 12 months a year and be a part of everyday life. CxOs constantly communicating the importance of cybersecurity, and then backing that up with action, breeds a culture that strives to achieve high levels of cybersecurity maturity within their organizations. We all know the saying: actions speak louder than words, and there are plenty of well-known examples where this strongly applies to cybersecurity.
It has always been challenging to evaluate how well investments in an organization’s cybersecurity program are working. Some CEOs/CFOs see cybersecurity as a cost center and are constantly pushing the cybersecurity team to justify their budget and measure the value of their investments. In some cases where no (known) major breach has occurred, some CEOs/CFOs may conclude that the organization is overspending on its cybersecurity program. In the coming years, it is expected that there will be more accountability of the C-Suite and Board members for the performance of their cybersecurity programs, so now is the time to raise awareness.
That said, there are two major trends in the cybersecurity landscape to be mindful of. First, cyber adversaries are becoming more aggressive, more capable, and their numbers are growing. They are finding safe havens where they don’t have to play by any rules. Second, many organizations and companies have many rules to follow, and sadly they often stop at checking the box on these rules (achieving compliance) when implementing cybersecurity. The constant focus on budget and justifying spend is making CISOs and their teams more business-focused and leaves them less time to stay technically savvy. The challenge here is that cybersecurity is a job that is never done and must be seen as core to the business’s success. The added stresses of meeting new compliance requirements, defending growing attack surfaces (when security isn’t involved in the process), managing cybersecurity workforce shortages, and spending more time justifying their budgets all distract them from their day jobs. For your cybersecurity teams to have the greatest impact and enable business success, they will need more flexibility and enablement to implement a proactive approach to cybersecurity, one that allows them to adapt and keep pace with evolving cyber threats.
How confident are you that your cybersecurity program is properly equipped to protect your assets and stop advanced and menacing attacks? If your approach is overly focused on compliance and trimming costs, there is a growing chance that you could be a victim with a catastrophic impact on you and your organization.