
WHY THE ENTIRE C-SUITE NEEDS TO USE THE SAME METRICS FOR CYBER RISK

by Jason J. Hogg

When it comes to cybersecurity, the chains of communication that exist within an organization, if they exist at all, are often a mess. Multiple conversations about cyber risks are happening across a multitude of divisions in isolation. At the same time, members of the C-suite are measuring their potential impact using different metrics—financial, regulatory, technical, operational—leading to conflicting assessments. CEOs must address these disconnects by creating a culture that promotes open communication and transparency about vulnerabilities and collaboration to address the exposures.

Organizations of all sizes across all sectors are seeing their exposure to cyber risk grow rapidly. The number of endpoints that need protecting is exploding as consumers demand more digital interactions and smart devices. (In their 2019 Cybersecurity Almanac, Cisco and Cybersecurity Ventures predict the number of connected devices on the internet will exceed 50 billion by 2020.) Adversaries have evolved from individual bad actors to highly capable organized crime groups and nation-states. The regulatory landscape is constantly shifting and, at times, conflicting at local, national, and international levels. High-profile cyberattacks, ranging from the one suffered by Sony Pictures in 2014 to the global ransomware attacks that occurred in 2016, highlight the huge financial and reputational stakes.

CEOs committed to staying on top of this ever-evolving threat must break down the silos that exist in the organization in order to assess the full dimensions of the risks across the enterprise and address these exposures holistically. The consequences of not doing so could cost them the trust of their shareholders and customers and even their jobs.

Members of the C-suite often aren’t speaking the same language around cyber risk, and reporting lines are reinforcing silos. For instance, the general counsel thinks about the issue in terms of compliance with information security regulations such as the European Union’s General Data Protection Regulation. The chief information security officer (CISO) or chief information officer (CIO) reports the technical vulnerabilities that his or her team has successfully remediated. The chief risk officer (CRO) looks at the problem in terms of risk transfer and cyber insurance purchased. And the chief financial officer is looking at the potential financial impact.

This lack of communication and coordination across functions makes it very difficult to assess the impact of cyber risk on the business as a whole, or to create any common metrics for doing so. Without such metrics, it is also hard to decide which risks must be dealt with most urgently and to direct effort and resources accordingly.

There are several steps that CEOs should take to create a common language around cybersecurity in their organizations.

First, CEOs should bring together the different members of the C-suite so that all stakeholders are communicating and working in partnership to create a realistic and integrated picture of the business’s exposure. This includes: identifying critical data and assets that could be at risk; assessing technical vulnerabilities; understanding the threat landscape; appreciating the potential regulatory and compliance consequences of cyberattacks; quantifying the financial implications of attacks (such as business-interruption costs, lawsuits, remediation costs, loss of enterprise value, and damage to brand and reputation); and gaining a more accurate picture of the impact on shareholder value.

The second step is to create a culture that encourages employees to speak openly about cyber-risk exposure without fear of negative repercussions. It’s rare that a CEO motivates key members of the C-suite—especially the CISO or CRO—to report the seriousness of a company’s exposures as they evolve. Because cyber risk is dynamic, CEOs must create an environment where there are continual conversations about the impact on security of new events—such as the introduction of new technologies and systems, new cyberthreats, and mergers and acquisitions that involve combining different organizations’ information systems and security cultures.

As part of this effort, CEOs should proactively get to know the people outside of the C-suite working in the security trenches. The more CEOs speak with system engineers and technical teams, the more comfortable they will be asking questions about the organization’s security. If the CRO and the CISO are reporting only on what’s going well, then alarm bells should be ringing.

Third, CEOs should prepare for cyberattacks to ensure everyone knows what to do and can communicate effectively with each other during an incident. There should be a customized incident-response plan that is routinely tested via simulated attacks, which can also test a company’s vulnerabilities. A plan can help minimize business disruption, reduce the time attackers have to steal critical data or money, and reduce the amount of damage.

An incident-response plan should include four phases, matching the incident life cycle described in NIST Special Publication 800-61: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

The preparation phase is the most important since creating a response plan during an incident will not work. Planning helps all stakeholders understand their role and responsibilities, from what constitutes a security incident to who initiates the plan. It also helps leadership communicate with confidence during a real incident both internally to senior executives and members of the board and externally to customers, outside counsel, insurance companies, regulators, and law enforcement.

In the detection-and-analysis phase, the security team confirms that an incident has occurred, determines its scope, and collects the data necessary for analysis, preserving logs and other evidence before affected systems are changed. The third phase combines three activities: containment stops the attack from spreading (for example, by isolating affected systems and disabling compromised accounts); eradication removes the attacker's access and any malware and fixes the vulnerabilities uncovered; and recovery restores systems to normal operation and monitors them for signs of reinfection. The post-incident phase is a review of what went well, what went wrong, and what can be done better next time.

Outside cybersecurity experts can help develop the plan. But even if an outside firm is not involved, CEOs should at least consider having one test the plan’s effectiveness and, crucially, ensure that an external firm is engaged on an incident-response retainer ahead of an incident. You don’t want to be struggling to negotiate the fine print of contract terms during an attack.

Finally, companies should create an internal function, led by a chief vulnerability officer, to conduct regular audits of the company’s preparedness. This unit, which should report directly to the CEO, should also stage simulated attacks on the business—in addition to those carried out by the CISO or CIO. It should leverage external cyber experts with up-to-date perspectives on the latest cybersecurity methods, threats, and trends to provide unbiased perspectives and help challenge management decisions.

A CEO should enlist all functions in the effort to establish common metrics to assess cyber risks so everyone is speaking the same language and should build a culture of security through open dialogue, planning, and testing. Then, when he or she asks questions—such as “What are our greatest risks?” “What are our critical assets?” “Who has access to them?” “What is our current information security policy?” “What is our incident response plan?” “When was it last tested?”—the answers will yield a more accurate picture.

Only when a CEO understands the true exposure of the business to cyber risks can he or she prioritize the allocation of resources to manage them.

TAKEAWAYS

CEOs need to lead the adoption of a common language around cybersecurity to make it easier to assess, prioritize, and address risks:

  • Assemble all the members of the C-suite and partner to map a realistic and integrated picture of exposure risks.
  • Create an open culture where employees can comfortably engage in continual conversations about topics such as cyber-risk exposure, new technologies and systems, and the impact of mergers and acquisitions on the affected organizations’ information systems and security cultures.
  • Prepare all employees for cyberattacks by creating and communicating a response plan and routinely testing it with simulated attacks.
  • Conduct regular audits of the company’s preparedness.

Adapted from content posted on hbr.org, November 17, 2017 (product #H040UR).
