The modern CEO’s role is typically twofold, depending on the type and size of the company. Your first role is internal – you’re setting the strategy of the company and the overall priorities needed to implement the strategy.
Externally, you’re basically “head cheerleader” with a responsibility to take the company’s story far and wide, not the products or services of the company, but the company itself. You’re telling it to investors, shareholders, strategic partners, and customers.
Unless your business is cybersecurity, neither the strategy nor public image should have any reference to or conversation about cybersecurity. It’s not a thing you sell or an aspect of your business that creates market excitement. Much like many internal initiatives, it should not be on your mind or in your typical conversations.
The exception to this is if you’re a public company. The SEC’s new rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure went into effect in December 2023. The SEC updated the rules to encourage the way CEOs think about cybersecurity. The reason?
Too many CEOs have recently had to talk about cybersecurity far more than they prefer….for the wrong reasons.
A Very Real Risk
As cybercriminals have become more sophisticated and attack major corporations, the risk becomes a serious material impact on the health of the company and thus to shareholders. Breaches result in fines, heightened operational costs on both remediation and disclosure, as well as higher future insurance and operating costs.
In some cases, breaches even result in criminal risk, though presently this has been limited to the individual level and not the corporation. In addition to the hard costs a breach produces, it also will result in a loss of goodwill and the marketability of the business. For many major brands, this impact has been minimal. People still shop at Target and Home Depot. Equifax is still one of three major credit bureaus. If anything, a breach at the big brands makes us feel safer about doing new business – after all, now we know they’re taking security more seriously than they may have before.
For smaller companies, a large data breach can mean the end of the company. If customer confidence in the product is eroded, they are willing and able to take their business elsewhere. If you’re in the B2B space, and your breach impacts your larger clients, it quickly seals your fate. None of these are things a CEO wants to explain to their shareholders.
But it will fall to your plate, as CEO, to explain how it happened and why your company should continue to be trusted.
Your Strategy Must Include Information Security
You are developing the strategy of the company. Your strategy depends upon a strong foundation. Just as you expect your CFO to help ensure your financial foundation is secure and risk is managed, so too is your CISO protecting the information assets upon which your company relies.
Embezzlement and fraud are long-standing risks to businesses. Now that information is as or more valuable than your cash accounts, it too is an easy target for thieves. We store our money in vaults and bank accounts with numerous layers of protection. Your CISO helps make sure the same is true of your information.
Your CISO isn’t your IT person, but instead one of your risk managers. Your CISO is translating the risk of information loss into the dollars and cents it represents. And they’re proposing the appropriate solutions to mitigate the risk.
A good CISO reports their progress to you and the other leadership in much the same way as a CFO. Cybersecurity expenses should be presented to you as an investment. Not one which will result in gains, but one which instead prevents future larger losses. It’s a form of self-insurance, with the added benefit of lowering your external insurance costs.
The conversation you should be having with your CISO should be based on risk analysis. Here are the risks identified, what we’ve done to offset them, and the key risk indicators showing whether or not those measures are working.
This approach helps create a strong foundation protecting your information assets but also ensures the cost is justified against the risk. When you (and your CISO) present to your board or your shareholders, you can show the good stewardship of their investment. You’re not throwing money away on unfounded speculation, but also not leaving the investment unprotected against very real threats.
By taking this approach, your CISO makes your job much easier and hopefully allows you to never talk about cybersecurity for the wrong reasons.