As part of our “C-Suite Accountability” theme, we explore why holding senior executives accountable is a necessary motivator in the prioritization, development, and adoption of cybersecurity initiatives across the small to medium-sized organization. In this post, our CEO explains why responsibility and accountability reside solely with the CEO when it comes to securing the SMB, and defends security as a pillar alongside performance and availability of technology in your infrastructure.
I read about breaches in the news so that I can understand why they happened. Part of this is morbid curiosity. Another part is my desire to continually improve my company’s Managed Detection and Response service – I ask, would we have caught this? If they had ActZero MDR, would they be in the news right now? I think about the decisions I make in my capacity as CEO, and the personal ownership I take for everything that happens in my company.
On the other hand, I remember a high-profile Canadian breach reported in the news some years ago, where the cause was identified as a known vulnerability that had not been patched. This company said that an unnamed individual was responsible for patching and had not acted in keeping with their policy. They also acknowledged that their technology had failed to detect that the patch had not happened. And while the story was deemed questionable by some, internally, management must have known that this person was a scapegoat. The responsibility to know about a risk to a mission-critical asset was management’s – the CEO’s specifically.
Today I will share with you why that responsibility belongs only to the CEO. There is more to the cause of a breach than “one patch” or “one person not issuing a patch.” The KPIs management reviews, the governance put in place, the lifecycle management of the solutions you decide upon, and the priorities you set for your company all contribute to the risk. Fortunately for my fellow CEOs, each of these is easy to initiate and pursue – if you take ownership of the responsibility.
Prioritization is at the core of what you are doing. Nobody who works for you will care about security if you don’t; it must come from the top. Ask simple questions and insist on answers that are in keeping with best practices. Evaluating progress, and ensuring it is visible to the organization, is essential. Once the priority is set and visibility is apparent, you must demand checks and balances to operationalize your new security focus – governance.
If you don’t have a cybersecurity practice, you need visibility into the roadmap to having one. If you do have one, you need to understand the KPIs that are presented to you. Question your team – a member of mine has provided some good questions to ask. At ActZero, we always encourage our clients’ leaders to read our monthly reports, so that progress remains a focus for their organizations. If the CEO is not reviewing reports, not asking questions, not tabling cybersecurity at your management meetings, how will you know whether a critical system has been patched? This type of micro-management is not sustainable; but until you have a governance system in place, it must start this way.
At times, I ask members of my team “What would happen if you weren’t here tomorrow?” They are quick to highlight the things they are doing that would cease in their absence, the importance of the results they drive. That’s a good thing. Yet, when it comes to security, I want to hear an answer like “If I wasn’t here, you would still have visibility, and be able to hold employees accountable – because I created a governance system that ensures it.” For small businesses, for whom automation solutions may not be affordable, this starts with sound processes and policies. Your governance system will grow with you – but it must start now. Adhering to the process, and acting in keeping with the policy, should be central to your employees’ values, and your managers’ enforcement activities. The checks and balances must be official and systematic, so that leadership is aware when a critical system goes unpatched.
CEOs don’t shy away from difficult things. I am fond of the saying “The hard thing to do and the right thing to do are often the same thing.” For many years I ran an IT organization at a large enterprise bank, and I remember the vast resources spent on driving Performance and Availability, and the investment in understanding at the C-level. Because these were established pillars, the difficulty was overcome, and the resources required to overcome it were made available. This is how they can reach 99.999% uptime: by dedicating a full-time employee just to look at the metrics for Performance and Availability. That’s not to say that you should hire cybersecurity talent and expect the problem to be solved – in fact, that is a tough path to go down right now. It is to say that cybersecurity is becoming such a pillar, but only because businesses are coming to this lesson the hard way. Having made cybersecurity a priority in your business, gained the necessary visibility to understand the problem and the progress, and implemented proper governance, resources must now be assigned. I have written about the financials of this decision elsewhere.
All of the items I have described are the responsibilities of the CEO. None of them require an advanced or technical understanding of cybersecurity. So, there is no excuse – ownership of this responsibility is yours and yours alone. If you cannot listen to your advisors within your company – to your board, your customers – at least listen to your peers in leadership, when we say you must act now, or face the consequences.