Cyber security has become an enterprise concern that has extended to the C-suite. Certainly, high-profile attacks against familiar companies have brought information security to the surface for many corporate CEOs.

In fact, CEOs now cite cyber security as their organization’s top risk, ahead of regulatory risk, according to KPMG’s U.S. CEO Outlook 2016 report. In addition, the 400 U.S. CEOs polled for the report ranked minimizing cyber security risk as their third greatest strategic priority, behind only developing a stronger client focus and fostering innovation, talent development and management.

With so much at stake - including customer privacy, reputational risk, and shareholder value - the responsibility, tactical planning, and communication for a company’s information security strategy can’t fall on a single person. This is why the CIO and CISO need to work together in addressing any questions the CEO might have about the company’s cyber security posture. The complementary insights and perspectives they each have to offer can provide tremendous value to the CEO and other organizational leaders.

Across our research and the discussions that we have with enterprise CIOs and CISOs, here are some of the primary questions that CEOs have regarding cyber security and the organization’s cyber posture. We break down each question in terms of how CIOs and CISOs can partner together to address these issues for the CEO.

  • What is our strategy for addressing cyber threats? The CEO needs to be assured that there is a plan in place for handling cyber attacks of all types. They want to ensure that it meshes with the company’s overall risk strategy and they need to be able to communicate the company’s level of preparedness to the Wall St. analyst community.

The CIO and CISO should also communicate to the CEO the steps that are being taken to create an organizational culture of shared cyber risk ownership. This includes meeting regularly with employees and managers to convey the criticality for protecting data and applications and the best practices for doing so.

  • What are the types and volumes of cyber threats we face on a daily or weekly basis? CEOs don’t like to be caught off guard. They want to be apprised of what’s happening in the company and in the industry. This includes the changing nature of cyber threats and how they could impact the company.

This presents an opportunity for CIOs and CISOs to provide a unified voice on emerging cyber trends they’re seeing both from an industry perspective as well as the nature and types of attacks the company is facing.

  • What is the operational impact of a breach? CEOs are worried about how a breach may affect the integrity of a company’s day-to-day operations, and rightly so. It doesn’t help that the most data-intensive functions in a company, such as marketing, HR, and finance, are typically siloed from one another, with little collaboration between the leaders of each unit.

The CIO and CISO should work closely with functional and business unit leaders to determine the potential impact of a data breach on a particular area and the company as a whole and to identify and communicate the interdependencies that exist between functions.

  • Will this breach affect our customers and, if so, how? Any security attack that affects confidential customer data can weaken the trust and loyalty that customers have in a company. But it’s also important to remember that customers no longer interact solely with customer-facing functions such as sales, marketing, and customer service. Customers regularly reach out to “back office” departments such as customer payment processing and technical support for help in resolving issues.

CIOs and CISOs should work across the enterprise to determine how different types of security incidents may impact customers. Of course, they also need to develop a well-conceived incident response plan in the event that a breach affecting external customers should arise. The plan should include the different parts of the company’s business that may touch a customer and how they may be affected. This way, if a data breach does occur, the information security team and company leaders won’t be scrambling to respond.

  • What’s the anticipated reputational impact of a particular breach? While the reputational impact of a security incident usually falls within the remit of public relations and marketing, the CIO and CISO can play a role in supporting these efforts. This includes ensuring that call center reps have been briefed on the messaging they should use when customers call with questions about a breach and the company’s response to it.

CIOs and CISOs should also determine whether cyber insurance coverage should include the costs of using a third-party PR agency to help communicate the company’s response to a security incident.

  • How will this breach affect our stock price/shareholder value? Although this responsibility largely falls upon the CFO, the CIO and CISO can serve as trusted advisors in assisting the CFO and CEO in making these determinations. For instance, the CIO and CISO can report the severity of a particular attack and the resulting risk of identity theft, which can in turn affect the credit ratings of external customers.

It’s also worth noting that a Harvard Business Review analysis found that significant breaches against high-profile companies such as Home Depot and Target ultimately had minimal impact on their stock prices. 

  • Is cybersecurity incorporated into our company’s risk management and governance processes? If so, how? The CIO and CISO must work with the CFO and Chief Risk Officer to align the company’s IT risks with its business risk posture. By understanding the company’s business objectives and business risks, the CIO and CISO are better positioned to develop more effective security strategies.

Information security isn’t just about technology. It’s about having the proper blend of people, processes, and technology. This is one of the ways that the CIO can bring value to the relationship with the CEO and CISO. Thanks to their unique perspective across all parts of the enterprise, CIOs can help spot security vulnerabilities in data, applications, and processes that can be communicated to the CEO and then used to address investment requirements.

To learn more about top cyber security trends and best practices, check out our upcoming San Francisco and New York CISO summits.

Key Takeaways

  • CEOs now cite cyber security as their organization’s top risk, ahead of regulatory risk, according to KPMG’s U.S. CEO Outlook 2016 report.
  • With so much at stake, including customer privacy, reputational risk, and shareholder value, the responsibility, tactical planning, and communication for a company’s information security strategy can’t fall on a single person. The CIO and CISO need to work together to address any questions the CEO might have about the company’s cyber security posture.
  • Thanks to a unique perspective across all parts of the enterprise, the CIO can help spot security vulnerabilities in data, applications, and processes that can be communicated to the CEO and then used to address investment requirements.