Author: Chris Bowen
Chief Privacy and Security Officer and Founder, CISSP, CIPP/US, CIPT
I recently had the opportunity to speak with Fierce CEO for an article they published about the Equifax breach. Their take was that one good thing came from this travesty: it made painfully evident the importance of ongoing data security conversations between any organization’s CIO (or CISO/CTO/etc.) and CEO.
A decade ago it wasn’t necessary, but today there’s just no arguing the fact that CEOs need to be briefed regularly on their company’s risks, security gaps, and incident management response planning. As I point to in the article, this does not mean CEOs should be expected to now take on the role of cybersecurity expert in addition to their other responsibilities. They can’t be expected to know the details of log monitoring, remote diagnostics and other IT security tactics. However, they do need regular briefings from the CIO and IT leadership about what is being done to mitigate risk around identified physical, technical and administrative IT security vulnerabilities.
Having your CEO aware of the potential and current IP spoofs and phishing attempts or attempted denial of service and ransomware attacks helps that leader allocate proper resources and funds to protect your organization and your brand. I recommend informing that conversation by assigning risk scores to each threat and working off of a solid security risk assessment.
This CIO-CEO conversation also opens the door to important incident management response planning – something your team doesn’t want to wait to discuss until after a breach when you become exposed to millions of dollars in fines and a crippling loss to reputation and business revenue.