Friday 4th April 2025

Why CEOs Need to Be Involved in Cyber Security Training

The biggest cyber security mistake a company can make is the assumption that cyber security is only the responsibility of the IT department. Why worry about it when ‘the IT guys’ deal with it? This thinking is more than just outdated, it’s a real danger to the safety of a company and its customers.

The truth is that everyone at a company is responsible for reducing cyber incidents. This is becoming even more important as cyber-attacks are becoming more sophisticated. Data breaches can happen at all levels of a company and therefore data breach management training is relevant at all levels. This is no different for a CEO. In fact, arguably, the CEO is the most important person to engage with proper training.

Why CEOs Must Take Cyber Threats Seriously

Firstly, a CEO having a personal data breach could not only have ramifications for them but also for the whole company and its wider stakeholder ecosystem. A CEO being extorted or having reputation damaging information released to the public off the back of an attack could make the share price of a listed company plummet. Phishing attacks targeting CEOs and other senior members of staff are commonplace and without proper training can be difficult to spot.

CEOs are also of course ultimately responsible for the long-term success of their company. They don’t just have their own data protection to worry about, they need to ensure that they are implementing a culture of proper security and compliance amongst their staff. Putting in place data protection offices alone is not enough; it needs to be a properly co-ordinated approach, all the way from the top and filtered down to all levels of the organisation.

Setting the Tone at the Top – Leading by Example

The CEO’s attitude towards cybersecurity trickles down throughout the whole organisation. If they prioritise it, the rest of the company will follow suit. The same applies from a training perspective. If the CEO engages proactively in the training process, then the rest of the company will also take it seriously. Their participation signals to employees that it’s not just the IT department’s job to manage security—it’s the responsibility of everyone within the organisation.

It’s Not Just a Cyber Risk but a Business Risk as Well

Major incidents, whether they involve a data breach, ransomware attack, or other threat actors, can lead to immense costs: not just direct financial losses, but damage to people’s personal lives, lost customers, and long-term damage to brand reputation. In today’s business climate, cyber risks are just as pressing as traditional business risks like market fluctuations or regulatory changes and therefore should be treated with the same importance.

The CEO should be tracking, managing and directly involved in macro-level business risks, which include cyber threats. From a training perspective, whilst the CEO may not need the full level of knowledge that the CISO would have, for example, they do need the essential knowledge necessary to be a core part of security conversations.

Legal considerations – A CEO’s Obligation to Compliance

Proper cyber incident management protocols and training procedures have legal considerations, particularly for large publicly listed companies. Ensuring the company is upholding its legal responsibilities is something that should fall at the CEO’s desk.

If the CEO is not part of the training process, they cannot ensure that procedures are in line with legal guidance and therefore can’t say they are upholding their data protection compliance responsibilities. Data is a valuable commodity, and companies have a responsibility to be guardians of their customers’ and employees’ data. The CEO is the guardian of the company itself and needs to take into account the importance of data security in their operations. This can’t be done without proper guidance and training, and both the CEO and the company risk compromising their legal obligations if this is not mandated.

The Fallout of a Cyber Incident

The CEO’s role is to mitigate risk and devise response strategies to deal with it. This also applies to cyber risk. The fallout of a network compromise isn’t just the effects of the breach itself but also how it could potentially play out in the media and among customers. A CEO should have eyes on crisis communications and escalation plans post-incident. The training course materials should also cover this and not just the technical aspects of minimising risk.

The Buck Stops at the Top

It may be a cliché, but the buck really does stop with the CEO when it comes to cyber security. For them to take on this responsibility, they need the training to back it up and then to implement a culture within the business that takes this very real threat seriously.
