Cybersecurity–Five Actions for Critical C-level Leadership
While trying to hastily deal with some emails, something just went terribly wrong on your laptop. Your screen just went blank, followed by a message in large type: “Your computer has been encrypted.” As anxiety begins to swell, you think: “This can’t be happening to me – I’m the CEO!”
A story line for a bad movie? Here’s a hard fact: according to Forbes, a full 84% of C-level executives say that they were targeted by a high-level cyberattack last year. More than half of the attacks were from sophisticated official-looking phishing emails.
Costs of a cyberattack
The era of mandatory cybersecurity is here. Those who do not believe it, and act on it, can pay dearly: according to an IBM report, upwards of half a trillion dollars was lost to breaches and their associated costs in the past 12 months. Downtime from a cyberattack is enormously expensive and profit-draining, with estimates ranging from $400 to $9,000 per minute. Even security-conscious mega corporations such as Capital One and Equifax lost hundreds of millions of dollars to breaches, in fines, settlements and remediation.
Businesses and organizations with fewer than 50 employees are particularly vulnerable. According to CNBC, the average cyberattack costs an SMB more than a quarter of a million dollars, and more than 60% of affected businesses close within a year of the attack.
Critical cybersecurity leadership
A critical point? Chief executive officers must lead their organization's cybersecurity initiatives, and they must be relentless in setting a visible example and insisting on compliance.
A cyberattack can cripple a business or organization from anywhere. Recent research from PwC shows that nearly 50% of CEOs today are “most concerned” about cyberattacks, and rightly so.
The solution? CEOs must lead the development and sustainment of a new corporate culture of cybersecurity, ranging from the C-suite down to the interns joining the sales team. No exceptions. Cybersecurity is an all-hands-on-deck effort if it is to succeed.
Why? Because the current approach is not working, leaving companies unacceptably vulnerable. As Gartner points out, “Traditional culture improvement efforts that focus exclusively on [cybersecurity] awareness are failing to facilitate secure behavior and have led to loss of control” (emphasis added).
Cyberattack – a dangerous business risk
As a result, corporate boards now regard cybersecurity as a business risk rather than merely a technical IT problem. A growing number of boards respond by appointing an IT- and cyber-savvy director, forming a board committee dedicated to cybersecurity, or both. Liability is also growing for the CEO who neglects to institute a cybersecurity initiative, or who actively bypasses it to accelerate business development.
Gartner predicts that by 2025, more than 70% of CEOs will specifically mandate and lead the development of a culture of organizational resilience to survive multiple threats, including cyberattack.
Create a positive culture of resilience
How does a leader achieve this?
Get serious about cybersecurity and act like it
Some 40% of IT professionals believe that their CEO is the weakest link in their organization's cybersecurity. Stunningly, a PNC security study found that 76% of CEOs admitted to bypassing security policies and procedures to accelerate business initiatives and save time.
This is a potentially fatal flaw. And if the CEO, who is the living brand of the company, does not take cybersecurity seriously, that neglect will rapidly pass down through the corporate food chain.
The point? Never sacrifice security for speed of operations, and keep cybersecurity policy administration and enforcement visible, with the overt backing of the C-suite and especially the CEO. Executive exceptions are exactly what attackers count on: a policy the CEO routinely bypasses will be bypassed by everyone else too.
Know the risks you face, develop policy guidelines, and communicate them
A cross-functional team, led by the CEO in a high-profile initiative, should be established: the CEO, the CIO (chief information officer) and the CISO where one exists, corporate legal counsel, the chief corporate communications or public relations officer, a cyber-savvy board member, and others as needed. That group holds responsibility for developing specific, enforced policy and for ensuring it is communicated effectively across the company. Depending on size, organizations should stand up a Security Operations Center (SOC), or contract one from a managed security provider, that actively monitors and protects the company and reports measurable results.
(Note: merely posting the cybersecurity guidelines in an accessible space on your website is not effective communication. Worse, a detailed policy published openly tells attackers which controls you rely on, and which you do not, as they prepare an attack on you.)
Maintain situational awareness
The C-level cybersecurity team must be kept current on both the prevailing types of cyberattack and the best practices for defending against them. A corporate SOC can take responsibility for this critical function, distilling threat intelligence and incident trends into briefings the executive team can act on.
Develop and test a crisis plan in advance to deal with cyberattacks and data breaches
Unfortunately, no cybersecurity plan is perfect, foolproof, or failsafe. Here is a simple example: penetration testers assessing a company's security sometimes exploit ordinary human civility to gain physical entry to a secure facility. One tactic: carrying a deliberately unmanageable stack of papers, they approach a crowded key-card access point, fumble the stack on purpose, and feign anxiety about missing an appointment. Seeing the distress, helpful employees stop to pick up the papers and then hold the secure door open for the tester. The tester then finds an empty room, plugs into an open Ethernet port, and the breach is underway. (Two practical caveats follow: live network ports in conference rooms and empty offices should be disabled or require device authentication before they pass traffic, and the plan should assume that some attacks will start inside the building, not at the firewall.)
Beyond this simple example, most penetration efforts and real attacks are far more sophisticated, and every company should be prepared. What elements should the cybersecurity plan include?
As the living brand of the company, the CEO must be prepared to lead public disclosure
The CEO can and must be supported by the CIO and legal counsel, but both external and internal audiences and influencers must see that the CEO is actively leading the response to the attack. Clear, actionable information must be delivered, internally as well as externally, demonstrating that the CEO cares, is in charge, and is taking responsible action. Critical cybersecurity leadership is paramount.
Legal vs. PR and exposure
Legal counsel and corporate communications or public relations professionals are often at opposite ends of the spectrum on transparency. Lawyers want to limit liability; PR professionals want to build credibility and trust and protect the corporate brand. Defining roles, decision rights and scenarios in advance is critical to avoid confusion and avoidable mistakes when a crisis hits.
The “Golden Hour” – speed is critical
Once a cyberattack or data breach is known (and remember, it can be weeks or months before a breach is discovered), the CEO and his or her team must pivot immediately and disclose what is happening. Disclosure is required on a deadline in any case: all 50 US states have breach-notification laws, and regulations such as the GDPR give 72 hours to notify the supervisory authority. More importantly, rapid disclosure lets the CEO take charge of the story and the narrative. As with a stroke, there is a limited “Golden Hour” in which the CEO can step forward and achieve this. Speed must not outrun accuracy, however: disclose what has been confirmed and what is being done, and avoid statements that later have to be retracted.
In a vacuum of information, people will make it up
Nature abhors a vacuum, and the same is true of an information vacuum. Key point: if the CEO does not disclose important information credibly and promptly (which does not mean that everything must be disclosed), the odds of losing control of the story rise dramatically. Loss of credibility and damage to the brand will follow, perhaps fatally.
There is much more than a post like this can cover. Want more details, including a template for crisis communication planning (including trust restoration)? Contact Michael Snyder at MEK.
Michael Snyder is professionally certified in crisis communication and has led both crisis communication plan development (and execution) and change management initiatives to build corporate resiliency.