In recent years, numerous CEOs have been FIRED due to CYBERSECURITY BREACHES within their organizations. Interestingly, household names like Sony, Home Depot, Target, Yahoo, CIA, and Equifax (this is not an exhaustive list) were victims of security breaches. The underlying question is twofold: (1) how did these multimillion/billion-dollar organizations allow this to happen, and (2) what can be done to better inform the CEO of the criticality of a major cybersecurity breach?
Historically, CEOs viewed cybersecurity as a separate entity and not aligned with the organization’s business strategy. However, in recent years, and with the constant threat of cyber breaches, CEOs are now taking a more proactive posture to become more cognizant of how cyber breaches affect their organizations financially and reputationally.
In today’s globally and digitally hyperconnected society, fortunes and reputations can be lost almost instantaneously by a security breach. Notwithstanding, I would underscore that the culture of an organization is just as paramount as the leadership style of the CEO. There are a plethora of leadership styles that Executives can utilize to meet the objective or goal of the organizations. Interestingly and through my research studies, I’ve found that transformational and transactional leadership styles are two of the most utilized leadership styles in the workplace. Moreover, an effective and adaptive cybersecurity awareness and training platform should be an integral part of ALL organizations that provide a product or service to their clients. As noted by Nobles (2016), ensuring humans remain a top priority in cybersecurity requires that the CIO and CISO articulate to the C-Suite the relevance of developing cybersecurity strategies that address human-centric requirements.
The CULTURE in any organization is set by the CEO and permeates throughout the workforce. In the same vein, the Steering Committee, CIO, CISO, and CISM are charged with ensuring cybersecurity is aligned with the organization’s business objectives. Nevertheless, the CEO (with oversight from the Board of Directors) is ULTIMATELY responsible for ensuring the organization is meeting or exceeding both TACTICAL and STRATEGIC business objectives.
According to a recent IBM survey (Survey, 2016), only 51% of chief executive officers (CEOs) believe their organization’s cybersecurity strategy is “well established.” The “Securing the C-Suite” survey also found that 77% of chief risk officers (CROs) and 76% of chief information officers or chief technology officers feel the same.
According to Hernandez (2017), companies with a good track record of keeping a tight lid on sensitive information explore a world beyond periodic penetration testing and routinely hack themselves. I would also illuminate that in conjunction with penetration testing and routine hacking, cybersecurity awareness training should be tailored to individual departments and not just a one-size-fits-all approach. In closing, cybersecurity MUST be a holistic organizational approach and should begin and end with the CEO.
Recommendations for an enhanced cybersecurity organization
- Observe/research what type of leadership style the CEO is utilizing
- Know the culture of your organization and observe if the culture is cybersecurity-focused
- Make sure the Steering Committee is composed of members who are cybersecurity aware and understand that meeting business objectives from a cybersecurity viewpoint is paramount to the success of the organization
- The CEO of any organization makes decisions based in part on quantitative data; therefore, ensure cybersecurity metrics are provided to illuminate the status of cybersecurity as it pertains to the overall business objectives
Hernandez, P. (2017). CISOs Urged to Hack Their Own Networks to Find Security Weaknesses. Eweek, 4.
Nobles, C. (2016, December 20). Human factors in cybersecurity. https://www.linkedin.com/pulse/human-factors-cybersecurity-calvin-nobles-phd?trk=prof-post. Retrieved December 22, 2016, from https://jp.linkedin.com/in/calvinnobles
Survey: CEOs Feel Left Out of Cybersecurity Plans. (2016). Information Management Journal, 50(3), 13.
About the author: Dr. Hollis is an IT & Cybersecurity: Strategist ► Thought Leader ► C-Suite Consultant. Dr. Hollis is an Adjunct Professor in Cybersecurity at University of the Cumberlands and University of Maryland University College (UMUC). He is also a retired 30 U.S. Navy Information Professional (IP) Officer and is the CEO/President of HollisGroup LLC. He has an MBA and Ph.D. in Organization and Management, with a Specialization: Information Technology Management. His Dissertation is titled “Leadership Styles: A Phenomenological Study of Transformational, Transactional, and Situational Leadership Styles Employed by CIOs at Military Combatant Commands”. He can be contacted via email at Dr. Eric Hollis or his office (813) 333-6503.