Security from the Top Down: Five Steps for C-Suites

2019 WSJPro Cybersecurity Executive Summit in London
David Pitlik

Half of today’s chief information officers admit their job responsibilities are growing faster than their ability to address them, according to a recent Accenture report. What does that say about the cyber-resilience of your business—and the businesses on which you depend—as the global threat landscape expands at breakneck speed? 

Security breaches are a matter of when, not if, and the C-suite needs to fortify the barriers at every level. 

We asked a team of experts at this year’s WSJPro Cybersecurity Executive Summit in London how cyber threats are—or should be—changing C-suite roles and responsibilities.

Understand the [increasing] risks.

“C-suites and boards today need to understand cybersecurity is one of the few things that has the potential to fundamentally damage or destroy an organization,” said Tom Ilube CBE, CEO at UK-based cybersecurity technology and consulting firm Crossword Cybersecurity. “You can launch a marketing initiative, and if it doesn’t go right, you simply launch another marketing initiative. But if you get things fundamentally wrong on the cybersecurity side, it could mean the difference between your company existing a year later or not existing at all.”

Fortunately, there was a general consensus among the experts that C-suites are becoming more educated about cybersecurity and associated risks. “I think C-suites are becoming far more tech-savvy than in the past, when they had one person on the team who would speak to the technology and translate for the others,” said Chris Wallis, founder of security company Intruder. “Today, it’s much harder to operate a business if you don’t fundamentally understand what the risks are and how a weakness in technology within your operations can massively affect your business.” 

Bring in the experts.

“A lot of C-suites are moving toward getting subject-matter expertise to consult and support decision making as it relates to cybersecurity,” added Helen Rabe, CISO for commercial real estate services and investment firm CBRE. “Cybersecurity is a complex beast, and this is generally not their area of expertise. So bringing in experts to support them at the board level is crucial for gaining much-needed awareness.” 

Build threat mitigation into every product plan.

According to Lorena Marciano, EMEAR data protection and privacy officer for Cisco Systems, the fact that more and more C-suites are engaging in discussions about cybersecurity is a positive sign. “We’ve come a long way since when security was something that only a limited number of people within a company could speak to,” she said. “Today, if you really want to transform your business, you need to think about data, and you need to protect it. So as you think about bringing your next product to market, it’s essential to also think about how you’re going to secure the data associated with that product.”

Get rid of siloed thinking.

“It’s a tough time to be in a C-suite these days because of the effects of social media and how quickly bad news spreads,” offered Cultursys Chairman John Childress, whose company is focused on helping organizations reduce risk by using culture analytics, behavior analytics, and system modeling. “In your role as leaders, you have to look at more than just the balance sheet and what Wall Street thinks about your organization. You need to think in terms of the reputational and cultural risks you are facing. You need to create what I call a shared objective among the executive suite, rather than engaging in siloed thinking. Companies need to take a more holistic, enterprise-wide approach to cybersecurity. And it all starts with the CEO.” 

Respect (and protect) your technology infrastructure.

As innovation becomes the bedrock of nearly every industry, the importance of cybersecurity grows. “Technology underpins pretty much every business of every size,” concluded Nic Miller, founder of cybersecurity firm Aedile Consulting. “All too often, the importance of that technology layer is not sufficiently understood. When you look at how much companies budget for maintaining and supporting their infrastructure, you will see they are often basing their numbers on assumptions from 10 years ago.” It’s essential to get the people at the top to understand the importance of the technology to their business and treat it with the appropriate level of respect, he added. “To do otherwise puts the entire business at risk.”

The bottom line for C-suites? Protect your organization’s bottom line by ensuring security is a core competency across your company—from the top down.

David Pitlik is a long-time technology and business writer and frequent contributor to NETSCOUT’s blog.

Note: The information above is based on interviews conducted at the June 2019 WSJ Pro Cybersecurity Executive Forum by Wall Street Journal reporters on behalf of NETSCOUT.
