Why Executive Buy-in Is Critical for a Successful Data Security Program

But First, Why Data Security Needs To Be a Company Priority…

Cybersecurity threats and data breaches have haunted organizations the world over ever since the first vulnerabilities reachable over the network came to light. Early tinkering with still-unexplored computer capabilities led Bob Thomas to invent the Creeper (on the ARPANET), to which Ray Tomlinson (the man who invented email) responded by creating the first worm.

These academic experiments and research are, of course, a far cry from the highly sophisticated, insidious types of attacks that have been launched via the internet through the years. Today, there are worms, malware, viruses, logic bombs, droppers, DDoS attacks, and several more of these classified and sub-classified among the many types of cyber threats.

Various companies and industries have been subjected to some successful and unsuccessful remote attacks, which sometimes have global consequences. Chief among sectors of interest to cybercriminals are financial services, healthcare, energy, manufacturing, government agencies, education, and small businesses.

Why Cybersecurity Responsibility Starts at The Top

In view of the increasingly complex and costly outcomes of cyberattacks, it falls on organizations to ensure executive buy-in for cyber projects, especially those which address or impact data and cybersecurity.

Beyond securing executive management support in the first place, a further challenge is keeping such projects running after a restructuring or when their executive sponsors leave the organization. However difficult executive buy-in is to obtain and maintain, it is a requirement in today’s business setting.

The expanding capabilities of cybercriminals and the threats they pose are undeniable. This is why, aside from the chief executive officer (CEO), chief financial officer (CFO), chief marketing officer (CMO), and chief information officer (CIO), some companies have adopted new executive roles such as chief data officer (CDO), chief security officer (CSO), chief digital officer, chief information security officer (CISO), and chief analytics officer (CAO).

Too often, however, when data breaches occur, board members and executives are unwilling to take ownership and find it difficult to understand security awareness briefings and reports. But since cybersecurity awareness programs can only work with the participation and support of senior management, the need to engage board members and core executives in cybersecurity projects is even more critical.

This is especially true in the case of a hacking incident and data loss or breach where the hacked establishment ultimately takes the blame and is, therefore, fully accountable. In such scenarios, C-suite executives cannot simply pass the blame to their IT department. Executive awareness and engagement come into play, and any reputational damage and economic losses will need to be borne and dealt with by upper management.

Thus, leaders are required to commit to the adoption of a culture where responsibility starts from the top and reaches the lowest rungs of the corporate ladder, not only in matters of cybersecurity but also in everything else that affects operations and the corporate bottom line.

Obtaining Executive/Management Support for Cyber Resilience

Culture change is critical to adopting and implementing cybersecurity measures that pervade an entire organization. After all, a single phishing email opened by one employee can be enough to compromise the rest of the organization.

Therefore, security leaders such as CISOs and CSOs need to stop “putting out fires” and focus more on developing and implementing strategic security programs and long-term solutions and invest heavily in fortifying their cybersecurity teams. They also need to work on improving executive relationships and growing their influence in the organization.

Further proactive steps they need to take to engage other executives include formalizing risk and security projects, mapping key risk indicators (KRIs) to key performance indicators (KPIs), and connecting risk initiatives to corporate objectives.

They also need to keep communication positive and free of cyber jargon so as not to alienate leaders who are not versed in IT. Progress must be measured and reported continuously, funding needs to be secure and constant, and relationships among executives and among members of the organization need to be deeply and firmly rooted in a culture of security, mutual support, trust and accountability.

It is only when an organization reaches this level of leadership commitment and accountability that it can be ready to take on the challenges posed by various cyber threats.

Shawn Corrigan

Shawn Corrigan is the President and Founder of Interactive Security Holdings Inc. Interactive Security has grown into a global company offering IT compliance auditing services for small to large companies, focused on making compliance obtainable, simple and affordable. With over 20 years in the BPO and financial industry working at the executive level, Corrigan has experienced the pitfalls, trials and tribulations of bringing an enterprise organization into IT compliance. Corrigan has designed a methodology geared at guiding clients of any size to successfully achieve compliance and ultimately obtain compliance certification. Corrigan is certified as a FISMA/NIST Implementor, PCI-DSS QSA, HITRUST Certified Practitioner and HITRUST Certified Quality Professional, and ISO 27001 Lead Auditor and Implementor.