Your IT Systems Are Being Attacked. Are You Prepared?
Company leadership needs to ensure technology teams are managing continuous monitoring, automated testing, and alignment with business needs across their enterprise.
COMMENTARY
This summer, a cyberattack disrupted the normal operations of thousands of auto dealerships across the United States, affecting everything from records to scheduling, causing no end of annoyances and leaving hordes of exasperated salespeople and customers at their wits' end.
The most recent and dramatic example of hacker success illustrates that IT security must become the first priority at the highest levels of an organization. This modern-day plague shows no sign of subsiding. With each successful attack, hackers become even more emboldened.
It's an all-out assault, requiring the corporate equivalent of an all-points bulletin. In short, cybersecurity is not just an IT issue; it's a critical business risk that requires active involvement from the entire C-suite, in particular the CEO. This is one area of the enterprise that may benefit from micromanagement, if only to signal how much the effort matters.
My colleagues and I regularly advise our clients that they should be asking three questions of their team: What are we doing? Is it enough? How do we know?
Effective cybersecurity requires the right balance of spending and technology value, continuous assessment, and the adoption of advanced technologies such as automation and artificial intelligence. Few regret wise investments in cybersecurity defenses.
The increasing frequency and sophistication of cyberattacks underscore the need for executive-level engagement in cybersecurity. Recent incidents, such as the SEC's $10 million fine on the New York Stock Exchange's parent company and the notorious SolarWinds action, illustrate the severe impact on business operations and regulatory compliance. These events highlight the necessity for CEOs to recognize their critical role in cybersecurity.
Ascension Healthcare's ransomware attack, among other prime examples, serves as an object lesson in the urgency of the matter, especially in healthcare. Doctors and pharmacies struggled with order and prescription issues, leading to lost revenue as patients sought services elsewhere, bringing the massive hospital system to its figurative knees and causing tremendous frustration among staff and patients. This situation underscored the need for technologists to understand business operations and implement security measures that support the business.
CEOs must understand that cybersecurity is central to their management duties and not just "tech stuff" to be delegated. They need to receive business-outcome-focused reporting with the same level of rigor as financial and safety reporting. This reporting should answer the above three questions using system-generated metrics and integrate results into business decisions to stay ahead of the increasingly destructive capabilities of adversaries conspiring to do them harm.
CEOs set the organizational tone and ultimately are responsible for cybersecurity. Their endorsement of security measures can drive home their importance, ensure alignment with business goals across the senior leadership team, and communicate capabilities to their boards. The following steps are essential for CEOs to prioritize cybersecurity:
Engage in cybersecurity planning and response: CEOs and executive leaders must be actively involved in cybersecurity planning and response. Their endorsement and understanding of cybersecurity's importance can fuel organizational commitment and set the right tone. Deciding how to handle hypothetical ransom, extortion, and fraud events accelerates response when an event occurs.
Conduct business analysis for cyber spending: Utilize business analysis to determine the appropriate cybersecurity investments. Focus on preventive technologies that provide greater risk reduction and ensure that the spending aligns with business priorities.
Implement multifactor authentication: Ensure that multifactor authentication is in place and effective. Avoid inferior solutions that users can mindlessly click through, and prioritize strong authentication measures for password resets to enhance security.
Regularly review and assess cybersecurity measures: Frequently review assessment results and address important gaps. This includes adopting automation for continuous threat exposure management and ensuring cybersecurity is integrated into business operations.
Adopt advanced technologies and continuous testing: Embrace automation and advanced technologies for security testing and closing security gaps. Stay ahead of emerging threats by keeping up with advancements in AI and other technologies.
Seek independent advice and expertise: Business leaders will be held to account for whether they hired well-qualified cybersecurity advisers and executives. Use the three questions to understand the current state of cybersecurity within the organization. Seek independent advice to keep up with current threats and defenses. Recruit board members who combine cybersecurity expertise with other essential business skills, or hire independent advisers to provide valuable insights.
What hasn't played out yet is the full impact of increased AI usage by both attackers and defenders. As AI technology advances, organizations must keep up to ensure their cybersecurity measures remain effective. In a recent survey of IT security officers, respondents expected increasing use of AI to lead to more security breaches, while, at the same time, four in five intend to use AI to guard against those same breaches. The ongoing complexity and expanding surface area of systems will likely lead to an increase in cyberattacks through 2030. This necessitates continuous vigilance, adoption of automation for threat and vulnerability management, and regular reviews of cybersecurity measures. Companies will also have to understand and protect the new AI-enabled systems they themselves are developing.
Cyber-risk is inherently a business risk, and effective cybersecurity measures are essential for protecting valuable information and maintaining system availability.
One might argue that cybersecurity can be managed solely by IT departments. However, without executive-level involvement, organizations may face significant business disruptions and regulatory penalties. CEOs must understand their role in cybersecurity to ensure comprehensive protection.
The consistent pattern of cyber incidents causing business disruptions and regulatory fines supports the conclusion that CEO involvement is crucial to ensure that companies can answer the three questions: What are we doing? Is it enough? How do we know? Determining business value at risk and the right amount of protection requires business input. As company leadership, now is the time to ensure that technology teams are managing continuous monitoring, automated testing, and alignment with business needs across the enterprise.