The Role of the C-Suite in Your Enterprise Cybersecurity
When I talk to Chief Information Security Officers (CISO) in enterprises across industries, we often discuss the many and complex factors driving the cybersecurity market. We discuss attacks to critical infrastructure, regulatory constraints and the increased risk of third-party solutions. And then we discuss the number one issue of all: humans.
The truth is every human in an organization contributes to the strength (or weakness) of corporate cybersecurity – even those in top roles.
Let’s explore the impact of the major enterprise roles on cybersecurity.
The Board Level Responsibility for Cybersecurity
Board members play a significant role in ensuring cybersecurity:
- The Chief Executive Officer (CEO) is ultimately responsible for a company's cybersecurity posture and plays the most critical role in keeping cybersecurity a top priority. Cyberthreats are among the top three concerns for CEOs, only topped by the pandemic and global health risks. CEOs should ensure the company’s cybersecurity strategy incorporates all foreseeable growth and digital initiatives and is on the top of the list for the CISO. CEOs also must provide the guardrails for the corporation, so it has adequate human and financial resources to run and improve cybersecurity while applying levers to automate and streamline. If cybersecurity capabilities are scarce, the CEO should initiate and approve a cybersecurity sourcing strategy and challenge any budget or investment that lacks a strategic or quantifiable plan to reduce corporate cyber risk.
- The Chief Finance Officer (CFO) must first understand cybersecurity as more than an IT topic. Improving an organization’s cybersecurity posture is an investment in corporate resilience, and CFOs must be aware of the increasing risk of cyber-attacks and the impact on corporate financial performance, reputation and market trust. It is the job of the CISO and the Chief Risk Officer (CRO) to provide insights that address the total cost of risk and the total cost of mitigation in terms of money. Because CFOs oversee business-critical corporate data, they are in the best position to be the role models for improving and applying data protection measures from end to end.
- The Chief Operating Officer (COO) is responsible for the day-to-day operations of the company. They play a critical role in ensuring that the company's cybersecurity policies and procedures are being followed by all employees and that policies and procedures are communicated in language that is applicable at a work level. Administrators, developers, specialists and business owners all need to understand their duties. It is the COO’s job to challenge the CIO and CISO with ideas about streamlining and automating processes while encouraging business owners to better balance go-to-market and functional requirements with cybersecurity basics. The COO must challenge the CISO to improve secure business rather than inhibit new business approaches.
- The Chief Risk Officer (CRO) is responsible for identifying, assessing and mitigating all kinds of risks to the corporation. They work closely with the CISO to develop and implement risk management plans to protect the company from cyber-attacks. The CRO should demand quantifiable information on risk, mitigation measures and details of cyber insurance coverage. If no cyber insurance is in place, the CRO should encourage the company to get this on the agenda and continually improve the risk management procedures and make them applicable for all business and support functions. The CRO must work closely with the CIO and CISO to ensure that cyber-risks remain on the radar and work closely with the CEO and CFO to continually improve corporate resilience.
ISG works with enterprises to plan and implement cybersecurity strategies that include specific responsibilities and opportunities for each role. Contact us to begin the conversation.