Should CEOs take cybersecurity seriously? There is only one answer to this question: yes, CEOs and executive boards should take cybersecurity seriously.

If you are a CEO or on the board, you must have cybersecurity high on your priority list. If you are in senior leadership, you must persuade your board and CEO to take it seriously. If you don't, and you suffer a breach, you are at risk of being fired.

CEOs and executives who have lost their jobs

  • Equifax CEO Richard Smith was forced to resign less than three weeks after the company disclosed a breach that affected more than 140 million people. The company was fined £500,000 by the ICO for failing to protect the data of some 15 million people in the UK. The buck stopped with the CEO because the company had been warned about a critical vulnerability in the Apache Struts web framework it used, but failed to fix it before attackers exploited it.
  • Walter Stephan, CEO of the Boeing and Airbus supplier FACC, was sacked, as were the CFO and the employee who was initially deceived, after a 'whaling' (CEO fraud) email attack persuaded the finance department to transfer a total of around $61 million ($56 million in a single transaction) into the criminals' accounts. The supervisory board felt they were all guilty of a dereliction of duty.
  • Sony Pictures co-chairman Amy Pascal stepped down after a huge data breach that leaked private and damaging emails. The direct cost of the breach was approximately $15 million, but the reputational damage was far greater.
  • OPM (US Office of Personnel Management) Director Katherine Archuleta and CIO Donna Seymour both resigned after a huge breach of personnel and background-investigation records. Although OPM was proactive in the discovery phase and open about the scale of the breach, the breach led to Congressional hearings, and the agency was accused by its own Assistant Inspector General for Audits of having "a long history of systemic failures to properly manage its IT infrastructure".

Why were they fired?

All the breaches detailed were catastrophic for the executives and their organisations. Cybersecurity (or the lack of it) is an area of huge potential risk to the bottom line, brand, reputation, share price (if listed) and how the organisation is perceived by all of its stakeholders.

Knowing this, how can a CEO not take cybersecurity seriously?

How can it be taken seriously?

  • Understand all your risks and have a clear strategy in place for mitigating them.
  • Having an external organisation look at this for you is good practice: they look at things afresh and see what might be missed internally.
  • Ensure that the controls you put in place are tested regularly, because threats change, processes change and suppliers change.
  • Cybersecurity needs to be an integral part of the entire organisation. It isn't good enough for it to sit solely within the IT department. If all processes (financial, legal, product development, business processes, supply chain and so on) are structured with cybersecurity in mind, the organisation will be 'secure by design', and its security measures will be practical and usable.
  • Employees will be your biggest risk, because people make mistakes. Your organisational culture should make people comfortable reporting mistakes and anything that looks risky. Everyone should see cybersecurity as a priority and openly hold each other accountable.

Contact us to see where your security posture sits compared to your sector competitors, and how to improve it. Cyber and Data Protection Limited can provide you with a Cyber Risk Assessment that benchmarks your position against the CIS Controls and gives you a funded roadmap for reaching your desired security posture.

We are also able to deliver on the recommendations, whether that is a full 'secure by design' digital transformation project or specific additional security measures. If your organisation's board doesn't understand cybersecurity well enough to assess the risk or the service it is receiving, we can help with our Virtual CISO or Virtual CTO service.

Should CEOs take cybersecurity seriously? Yes, they should.