The cyberbreach at Equifax closed the door on Richard Smith’s tenure as CEO of the company, but opened the door to greater interplay between CEOs and CIOs in general.
CEOs need to be told by their CIOs that the breach environment is only going to get more pervasive, said Avani Desai, principal of Schellman & Company, a security and privacy compliance assessment firm.
CEOs must be told how to help build privacy and security into applications, services and platforms—which means privacy and security are considered very early in the development stage.
“Thinking about privacy and security after the fact is going to cause the breach notification and incident response process to be much more difficult,” Desai said. “This means there needs to be larger budgets, more resources, and more exposure on what could happen, not just what do we do when something happens.”
Further, “CIOs need to emphasize IT as a factor to mitigate the loss of revenue, brand image issues, and regulatory repercussions—not just a cost center,” Desai said. “This is a culture shift, but much needed in today’s cyberthreat environment.”
What CEOs want to hear
Steve Immelt, CEO of law firm Hogan Lovells, wants to know from his CIO, “Have we covered the critical risks? I don’t want to know we didn’t do everything.”
The firm gets millions of probes a day that try to glean internal information, and Immelt is told by the CIO what kinds of risks there are. “She identifies the potential,” he said.
She also lets him know whether or not employees are following protocol and whether the costs are worth the risks.
CIOs should be letting CEOs know priorities have been assigned because things slip through the cracks, said Matt Comyns, managing partner of the cybersecurity practice of Caldwell Partners.
“If the CIO and CEO are not driving toward the same things, security will get breached,” Comyns said. “CIOs should be discussing innovation, operations and costs with CEOs.”
Essentials of CEOs' IT security brief
CEOs should hardly be expected to take a course in cybersecurity to understand the minute details of log monitoring, remote diagnostics and other IT security tactics, said Chris Bowen, chief privacy and security officer at ClearData.
First and foremost, a regular briefing is needed that should be read by the CIO—and to that end, it should be short and to the point. It should clearly outline current issues and threats as they relate to physical, technical and administrative IT security vulnerabilities, Bowen said.
Technology safeguards will cover a broad span of potential and current threats, from denial of service attacks to IP spoofs to network sweeps to phishing attempts. It can be effective to include the rate at which such attacks are occurring. Evidence of sustained high rates may compel many CEOs to make room in the budget for additional IT security.
So how does the CEO evaluate if an issue needs his or her further attention? “It helps to assign a risk score to each issue or threat; the recommended mitigation action; and status that indicates if this action has been taken or not,” Bowen said.