BreachExchange mailing list archives

5 things your CEO should know about cybersecurity


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 16 Sep 2015 19:22:11 -0600

http://www.cio.com/article/2984380/project-manager/5-things-your-ceo-should-know-about-cybersecurity.html

I’m pretty sure by now that executives in organizations – especially
organizations with some sensitive data to secure – are paying at least some
cursory attention to cybersecurity and cybercrime. If not, then they need a
wake-up call and then a swift call to action in order to ensure that they
don’t lose ground and future lawsuits over a cyberattack that could have
possibly been avoided or at least mitigated.

Consider these five things that your CEO should know about cybercrime and
cybersecurity and make them happen sooner rather than later.

1. You can grow security from within. You don’t have to pay someone a
million dollars to oversee your cybersecurity. You likely don’t even need
to hire from outside first…you can probably build a knowledgeable and
workable group from individuals within your current tech groups.
Certification isn’t a must. Education and on the job work is important. It
involves networking, research and then incorporating some proactive (and
possibly reactive) measures to get started. But start somewhere. And for
most organizations, starting from within is good enough and definitely
better than nothing. The paralysis of analysis won’t serve you well.
Tomorrow may be too late…read on.

2. Don’t wait for tomorrow what you can do today. As I just said, tomorrow
may be too late. We should learn well from others’ mistakes and oversights.
In the past year or so there have been a plethora of learning
opportunities…just go back and search CNN on hacking and identity theft if
your memory isn’t too good or you happened to have not checked the news
in over a year. Your CEO would be smart to take action today. And if you
are the CEO reading this, know that you’ve been warned daily in the news.
If you doubt how vulnerable your organization is, just attend a security
conference like Black Hat or fork out a few thousand dollars to send a
couple of individuals to the next digital security conference. Everything
can be hacked…don’t let your organization be next.

3. It does take money, not just time. You have to fund security, not just
put someone “on it.” Joe in the cubicle in the next room is a techie, but
he’s not your security man, despite what I said above about staffing from
within. Joe can help you get started with some research, but you’ll need to
spend some money – even if it’s just getting more “Joes.” You don’t have to
pay high end to protect your organization…because you’ll never be able to
fully protect your organization no matter how much you spend. If someone
wants your data bad enough, they can and will get it. But you need to do
what you can to protect it. If you’ve shown enough due diligence and still
get infiltrated, you’ll likely not lose the lawsuits to come.

4. It should be considered a key element in risk management in every
project initiative going forward. Your organization has projects. And
risks. Consider cyber theft and cybersecurity a risk and proactive measure
for all projects. Build it into your project management processes and
methodology and educate your PMO director and project managers on the
importance of risk management and cybersecurity. If you’re not paying much
attention to it, then assume they are paying even less to it.

5. Staff a CSO…now. The time is now for a Chief Security Officer…if your
organization is large enough to afford one. And you can contact me first.
But seriously, your CEO should be considering a high-level security officer
if you don’t already have one. Lots of big box companies were hit last year
with credit card number theft, millions of government worker identities
were infiltrated, and many marriages and other relationships…and lives…were
ruined by recent data breaches. Wake up call…pay attention to cybercrime
and cybersecurity now and spend money now to build your security
organization. It may mean the difference between survival and disposal.
Don’t be a fool – everything can be hacked. And I believe we are only
seeing the tip of a very big iceberg right now.

Summary / call for input

Security and cybercrime are big…right now. Today is the time to act –
before your organization has a breach. So many times we fail to act…we are
so used to just reacting. Reacting is often too late and you’ve already
lost thousands or millions of dollars and possibly future customers and
sales and profitability. Lesser organizations go down for the count from
cyberattacks and never recover…costing hundreds or thousands of jobs in the
process.

What our CEOs need to know is that this is an issue right now. That’s why
there are conferences like Black Hat USA, Black Hat Europe, DefCon, and
others. There seems to be almost daily feeds on Facebook and CNN about the
latest data breaches by attack groups, foreign entities infiltrating USA
databases and ransomware acquiring access to very sensitive identity and
financial data. The time is now to do something about it and it starts with
the education of our CEOs.

What are your thoughts? Are you involved in data security? Are you
frustrated by your organization’s lack of interest in cyber crime and
cybersecurity? What measures have you taken to make the need more visible?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/