The evolving role of leadership in cybersecurity

Are CEOs looking at cybersecurity the wrong way?

by Paul Gillin

As the volume and severity of computer crime have grown, one group has stayed somewhat quiet about the issue: CEOs.

Cybersecurity is a difficult topic for many business executives to discuss. They aren’t comfortable with the technology and they worry that speaking out will betray their naïveté.

Executives often fear being breached, but are reluctant to discuss their own vulnerability. They may even assign security a lower priority because it doesn’t have a clear ROI. Altogether, this creates the impression that they don’t care about an issue that may actually worry them a great deal.

Perhaps CEOs are looking at the problem the wrong way. As long as they see cyberattacks as a problem to be solved and breaches as embarrassing failures, they will continue to avoid the discussion. Changing language and attitudes about cybersecurity can help forge the acceptance that is essential to creating a coordinated response.

By acknowledging that no amount of money or technology can protect them absolutely, CEOs can turn the conversation from a success/failure proposition to managing a business process. That’s something most of them are comfortable with.

Risk management, not mitigation

Writing in the Harvard Business Review recently, Alex Blau suggests that changing our perspective on the cybersecurity challenge lowers anxiety by removing the specter of failure.

“Cybersecurity efforts have to focus on risk management, not risk mitigation,” Blau writes.

Risk management is a standard part of doing business. Organizations are already adept at tolerating and mitigating such problems as shrinkage, downtime, turnover and waste. These are treated not as threats to the business, but as costs to be managed and avoided. Why not take the same approach to cybersecurity?

CEO silence damages the security posture of any organization. When top executives talk, things happen, but as long as cybersecurity is delegated to a subgroup of the IT organization, people will believe that it’s someone else’s problem.

That’s a shame, because the vast majority of breaches can be prevented with a few basic practices, such as:

• Choose strong passwords
• Don’t click on unknown links
• Keep up-to-date with patches and antivirus definitions
• Protect devices with authentication

Most business professionals are aware of these facts, yet surprisingly few observe them. A Keeper Security analysis of 10 million passwords revealed by data breaches in 2016 found that nearly 17 percent of accounts were protected by the password “123456.”
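To make the "choose strong passwords" practice and the Keeper Security statistic concrete, here is an added example (not code from the article or from Keeper Security) showing the kind of check an organization can run over its own account base. The account sample and the small denylist are constructed for illustration; a real deployment would screen against a full breached-password corpus such as Have I Been Pwned's Pwned Passwords rather than the handful of entries below. The function names `is_weak` and `weak_password_report` are this example's own.

```python
from collections import Counter

# Constructed stand-in for a breached-password denylist (real lists hold
# hundreds of millions of entries). Stored lower-cased for normalized lookup.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "qwerty", "letmein",
    "12345678", "111111", "abc123",
})

# Constructed sample of 100 account passwords, NOT real breach data. The
# skew toward "123456" mirrors the share the article cites (17 percent).
SAMPLE_PASSWORDS = (
    ["123456"] * 17
    + ["password"] * 6
    + ["qwerty"] * 4
    + ["letmein"] * 3
    + ["Sh0rt!"] * 3                       # passes the denylist, fails length
    + ["aaaaaaaaaaaaaaa"] * 2              # long enough, but one repeated char
    + [f"vault-{i:02d}-Mq7$kz" for i in range(65)]  # distinct, policy-passing
)


def is_weak(password, denylist=COMMON_PASSWORDS, min_length=12):
    """Return a reason string if the password fails the policy, else None.

    Order matters: a denylisted password is reported as such even when it
    happens to be long, because reuse of a breached value is the more
    urgent finding.
    """
    pw = password.strip()
    if pw.lower() in denylist:
        return "in common-password list"
    if len(pw) < min_length:
        return "shorter than minimum length"
    if len(set(pw.lower())) <= 2:
        return "too few distinct characters"
    return None


def weak_password_report(passwords, denylist=COMMON_PASSWORDS, min_length=12):
    """Summarize policy failures and reuse across a set of account passwords.

    Returns a dict with the total, the share failing any rule, the share
    found on the denylist, a per-reason breakdown, and the three most
    reused values (normalized to lower case).
    """
    total = len(passwords)
    reuse = Counter(p.strip().lower() for p in passwords)
    reasons = Counter()
    for p in passwords:
        reason = is_weak(p, denylist, min_length)
        if reason:
            reasons[reason] += 1
    return {
        "total": total,
        "weak_share": sum(reasons.values()) / total,
        "denylisted_share": reasons["in common-password list"] / total,
        "by_reason": dict(reasons),
        "top_reused": reuse.most_common(3),
    }


if __name__ == "__main__":
    report = weak_password_report(SAMPLE_PASSWORDS)
    print(f"accounts checked:       {report['total']}")
    print(f"failing policy:         {report['weak_share']:.0%}")
    print(f"on denylist:            {report['denylisted_share']:.0%}")
    for value, n in report["top_reused"]:
        print(f"  reused {n:>3}x  {value}")
```

In practice this check belongs at password-set time (reject before the value is stored) as well as in periodic audits of hashed stores via a breached-hash comparison; the audit output above is the figure a CEO can track as a business metric, which is the framing the article argues for.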

Phishing, a threat that can be managed with common-sense precautions, has grown more than 5,700 percent over the past 12 years, according to the Anti-Phishing Working Group. The fact that people continue to make the same mistakes despite years of warnings means they aren’t taking threats seriously.

That cannot change until CEOs join the conversation. Once they say cybersecurity is important, and follow through with behavior that sets an example, others follow. The process starts by dropping the win/lose mindset and challenging everyone to collectively make the organization stronger.

AT&T Cybersecurity Insights report

Learn more about protecting your business in AT&T Cybersecurity Insights, Volume 6: "Mind the Gap: Cybersecurity’s Big Disconnect."

In this invaluable report, you'll read about the troubling disconnects that have emerged between today's cybersecurity threats and organizations' countermeasures, as well as what you can do to help strengthen your defenses and reduce risk.