In an era when cyberthreats are constantly evolving and all business leaders must be security experts, what role should each member of the C-suite play in protecting the business?
Chief executives are accountable for the whole company and its performance. They set the tone and pace for the full breadth of the corporate approach to its market and environment. The right cyber approach by C-level positions not only protects the business from threats, both financially and reputationally, but can also create value in the eyes of customers, stakeholders and peers.
Cybersecurity is only important to an organisation if the CEO and board make it so. CEOs must create a culture of security within the business and invest their personal time and resources to back up their words and promises. They must ensure they are kept up to date with critical cybersecurity concerns and are knowledgeable of the issues and associated opportunities.
“It is essential CEOs elevate the chief information security officer to a position of prominence with authority, and understand their cyber-risk aperture by baselining against industry best practices,” says Mark Testoni, CEO of SAP’s national security arm SAP NS2. “In addition, they should create and fund a plan to get the company where it needs to be in terms of cybersecurity.”
While chief financial officers don’t necessarily have to understand the full technical aspects of cybersecurity, they must be aware of the financial risks associated with the ever-increasing number of cyberthreats. The importance of this is emphasised by the harsh penalties which can potentially be imposed for General Data Protection Regulation (GDPR) non-compliance: up to €20 million or 4 per cent of annual global turnover. This is a real threat to anyone in a C-level position and puts cybersecurity firmly on the CFO’s radar.
Given that any data breach could seriously impact the reputation of an organisation, it falls to the CFO to ensure the organisation is not only compliant with regulations, but also well protected. These risks must be taken into account when the CFO is advising on growth and cost-saving initiatives. Therefore, they must work closely with cybersecurity professionals to understand the risks, ensure that any proposals take into account cybersecurity implications and lend all reasonable support to any initiatives aimed at protecting the business.
“In a modern organisation, there is an ever-evolving overlap between cybersecurity and financial risk,” says Mark Blakemore, CFO at Compleat Software. “As a result, I believe the relationship between CFO and chief information security officer is an increasingly symbiotic one. While a CISO can present the risks and work in a more technical fashion, a CFO can also help improve security by assisting in translating risks into a language better understood by senior leaders.”
Traditionally the second-in-command leader among C-level positions, chief operating officers are focused on operations and business efficiency. They play a central role at the heart of a business and therefore need to play a central role in ensuring it is protected from threats.
The COO needs to be asking the hard questions and recognising that unquantified cybersecurity risk is negligence. They need to reject fallible, sub-par solutions and instead incorporate new and innovative approaches. For example, this means moving away from the traditional, reactive responses to cybersecurity that often fail businesses, and towards proactive measures that embed security principles into everyday processes.
The COO must work with different leaders across the company to ensure all parts of the business are working together to deliver the same goal, not only protecting the business from damaging threats, but also building positive differentiation from its competitors.
“With companies increasingly aware of the cyber-risk introduced by partners and suppliers, creating a digitally pure enterprise that can confidently boast risk-free sharing of business information is immensely valuable, and that’s where the COO can play a crucial role,” says Dan Turner, CEO at cybersecurity firm Deep Secure. “Any business that can establish a track record for guaranteeing its users, partners and customers access to clean, threat-free business content and services will differentiate themselves in today’s dangerous cyber landscape.”
Technology is a firmly established part of marketing and customer experience. The role of chief marketing officers is rapidly changing and technology is becoming more deeply embedded in their responsibilities as they drive digital transformation within the organisation. Therefore, it is essential they fully understand the ongoing cybersecurity risks and their obligations under GDPR.
CMOs and their marketing teams manage confidential data, so they must understand the principles of cybersecurity. Compliance is part of their responsibility, and they are accountable for where information is stored, how it is managed and whether it is being used in a secure way.
The rise of marketing technology, or martech, has seen emerging innovation, including social media, design, email marketing and automation apps, become the norm for marketing campaigns, which presents an opportunity to hackers. Of all C-level positions, CMOs must have the strongest security awareness of how technology is used in the business.
“Working collaboratively alongside their C-suite colleagues, CMOs should ensure the right cybersecurity technology is implemented to protect the organisation and its customer data, and help the business achieve its goals,” says Faye Eldridge, head of demand at Doherty Associates. “CMOs can also advocate better cybersecurity practice within the organisation by providing marketing communications on cybersecurity awareness to employees.”
The chief revenue officer is responsible for all sales generation across the company, including the processes business development teams adopt. This puts the CRO in a similar position to the CMO: ensuring sales staff are aware of their responsibility to be GDPR compliant when acquiring leads, and that they apply basic security practices to their outreach.
To protect companies from cyberthreats effectively, CROs must foster a culture of security and accountability among the sales team. Cybercriminals are always finding new ways to attack businesses, exploiting vulnerabilities in technology and the humans who use it. As a result, CROs need to be multidisciplinary. While this doesn’t mean deep expertise, it does require a deeper awareness of the nature of cyber-risks and how they can be addressed.
“In today’s threat landscape, businesses must go beyond establishing baseline protocols to create and maintain a secure environment,” says Adam Philpott, Europe, Middle East and Africa president at McAfee. “The key to achieving cyber-resilience within an organisation is collaboration and understanding across the board. C-level positions and cybersecurity experts need to find a common data-language to understand the risks and how to adapt to manage them.”