infoTECH Feature

October 27, 2015

Cybersecurity: Why CXOs Need to Play the Infinite Game

By Special Guest
Harri Koponen, CEO of SSH Communications Security

There’s an infinite game taking place against your network. Threats are becoming more sophisticated as businesses continue to move even more applications and data online and to employ online software and services. This game will keep developing, changing and adapting, so organizations need to be prepared and committed throughout – and their response needs to be organized and systematic. While cybersecurity has traditionally been seen as an add-on to basic business functions, it is now rapidly becoming an integral part of everyday business practices. As a result, even if cybersecurity isn’t an everyday action item on the executive’s calendar, it has become a significant priority that requires his or her attention.

However, figuring out how familiar a CXO needs to be with his or her enterprise’s technology is becoming a real challenge. How much do I really need to understand firsthand? And how much can I delegate to someone else and trust that those decisions are sound? Many executives are beginning to realize that they need to understand how cybersecurity affects their bottom line, and how the flow of business is affected by the company’s security posture.

While it might be easy for executives with non-technical backgrounds to simply assign responsibility for cybersecurity to the CSO, CISO or IT team, this would be a mistake. CXOs might see the iceberg ahead, but do they really understand the size of the problem below the surface?

Getting the CXO Involved

Encouraging greater CXO involvement will be the result of small changes in attitude and habit over time. It’s similar to the development of traffic rules. As more drivers took to the roads, rules needed to be put in place to ensure everyone’s safety. As technology improved and speeds increased, new rules were needed: speed limits, seat belts, airbags and so on. These rules became commonplace and were adopted as default standards – in other words, they became part of the culture. Now, people recognize that transportation comes with certain risks, but risks that can be lowered by the right procedures and responsible behavior.

As executives learn more about the cybersecurity landscape and what steps are needed to protect the enterprise, we can create policies and procedures that lead to organization-wide change – and these new policies need to start from the top down to ensure not only security, but also compliance with regulations and industry standards.

When top-level executives get involved in cybersecurity, then the whole organization starts to operate in a different way. Executive involvement sets the tone that cybersecurity is a priority. If the top executives are not involved directly, it can give the impression that cybersecurity is not a number one priority; you can do it tomorrow or whenever you have time. When the board or CEO starts asking the management team about what measures the company has in place to avoid becoming a headline, then there’s a much bigger chance of real change taking place.

Best Practices

Where to start? To begin the process of immersing yourself more in the company’s cybersecurity efforts, the following best practices are a good place to start:

  • Get educated: Sit down with the team currently in charge of cybersecurity. Ask questions and assess: What are they working on? What is their security posture and what solutions are currently in place? What is the critical infrastructure that MUST be secured, and what does that require? Where are the weak spots? How can the team see, control and maintain a more secure environment? Attend conferences and seminars to learn about what steps your peers are taking to protect their own companies. Make sure that you have knowledge of your current systems and the opportunities to improve, and improve them as quickly as you can. Don’t wait for the next quarter or next year’s budget, because it might be too late.

  • Make cybersecurity part of the corporate culture: Build safety, compliance and security hygiene into compensation and reward packages (if they aren’t already). Get everyone in your organization to be aware of the risks and how they can keep the company safe. The goal is for everyone to understand the importance of cybersecurity to the company and your customers, and to underscore the importance of cybersecurity as a personal responsibility above and beyond simply a company policy.

  • Focus on cybersecurity as a business enabler, not a cost center: It’s easy to view data security efforts as expensive outlays that slow down business and frustrate employees, users and customers alike. CXOs need to be aware of how their organizations’ security measures are affecting the flow of business even before a breach: are employees circumventing bulky and obstructive security measures in order to access business applications more easily? When used properly, cybersecurity can be an enabler of new business, protecting data in the cloud and allowing the company to take advantage of the cloud’s cost-saving agility and flexibility, for example. Finding ways to minimize the risk of human error, such as finding ways to automate as many security processes as possible, can also help increase business efficiency. Cybersecurity is not intended to be the thing that stops the flow of business. It’s like brakes in a car; there when you need them, but not slowing you down when you don’t.

  • Explore what’s coming next: The world we live in demands that we stay abreast of the trends and gauge what we can do to further protect our businesses on an ongoing basis. This requires a totally new way of thinking. Companies need to adopt practices that don’t affect their work flow and don’t disrupt the actual business in any way. Look to what universities, incubators and startups are producing, as they are the best sources for cybersecurity solutions and talent, and hire the expertise you need from these experts. It is a foregone conclusion that everything that hasn’t yet moved online will, and the threats are continuing to evolve. Make sure your team is evolving with them.

Measurable Business Benefits

These aren’t just “nice to have” suggestions. There are measurable business benefits to greater CXO involvement in cybersecurity. If your network gets infected and your servers go down, that downtime will have a measurable effect on your company’s bottom line, not to mention the sustained operational costs and damage to brand value and reputation with customers and partners. The best cybersecurity infrastructure is unobtrusive, working quietly in the background without getting in the way of business. Instead of a cost center, as many view it today, cybersecurity works best when it is viewed as a growth enabler or differentiator, by permitting the type of innovative investments that allow the company to scale into new markets. Many companies have security concerns about storing data off-premises, but the right security strategy can permit the enterprise to take advantage of the agility and cost savings the cloud provides. Such a strategy also saves organizations from the damage that a successful attack can do to the company’s brand, revenue and stock value.

Ultimately, partners and customers must be able to trust your company’s solutions, products and services. By leading from the top down, the CXO can help ensure that the organization is protected appropriately while maintaining performance and ensuring that security measures do not disrupt operations in any way. Once the CXO has established a security game plan for the organization and is confident that his or her team is performing on the right level, he or she can trust in the company’s critical information flow and sleep better at night.

Looking Ahead

While everybody understands the importance of cybersecurity, often it’s only in abstract terms. Once you have a breach, however, then you will really have to understand what’s going on. If your building catches on fire, there is infrastructure built into the ceilings and walls at the ready to prevent and extinguish the flames. Cybersecurity should be no different. It’s clear that CXOs have a lot on their plates, and cybersecurity may not be their number one priority every day. With the breaches of 2014 and 2015 still fresh in shareholders’ memories, however, CXOs are taking steps to ensure that cybersecurity is always on their radar. CXOs need to make cybersecurity a top priority in their organizations and take an active role in ensuring that they have processes and procedures in place that are being updated and adhered to. Cybersecurity is a team effort, but change needs to start from the top down.




Edited by Kyle Piscioniere