Most corporate directors and C-suite executives have gotten the message: Cybersecurity is no longer an IT issue; it is a strategic business issue. That means that boards, CEOs, COOs and CFOs all need to increase their ability to provide effective oversight and management of activities previously considered enabling or support functions owned by the CIO.
There are any number of programs, workshops and studies targeted at senior executives. The majority of them provide an overview of the threat, perhaps try to “scare” the executives into action by discussing the lawsuits and firings that followed the last major breach, and typically conclude with a list of questions to ask the CIO. The problem is that participants are left wanting concrete steps they can take to put their newfound knowledge to work.
It is time to transition from education and awareness to real training that allows senior leaders to take positive actions to prepare their companies to deal with the cyber threat.
The first challenge is convincing senior leaders that they need serious cybersecurity training. Anyone who has risen to the level of director, CEO, COO or CFO is rightfully confident in their ability to manage across a diverse set of functional areas. Regardless of their own area of functional expertise, they spent their entire careers working closely with operations, financial management, human resources, risk management and other key business functions. As a result, they have sufficient background to make informed decisions in areas that are not their native specialty. The mistake is assuming that the same is true of cybersecurity. The vast majority of senior executives do not have even a basic knowledge of the key issues faced by the CIO and CISO. As a result, they don’t ask the right questions and may unintentionally delegate decisions that should be vetted in detail at the senior leadership level.
To move from education and awareness to action, executives and managers at all levels should begin with a training program consisting of the following five modules.
Definition of the Problem
Executives first need to understand that they are dealing with a people problem, not a technical issue. Second, they must accept the fact that the problem will not be “solved,” and that it is therefore an enduring risk management issue.
The Role of Leadership and Organizational Culture
The CEO has to attack cyber-risk from a leadership and organizational culture perspective. Most companies still do not have a culture that ensures cybersecurity is a key part of any business decision. Culture change cannot be delegated. CEOs are the only ones who can change culture, and they do so by exhibiting specific leadership behaviors pertaining to cybersecurity.
Key Technical Aspects of Cyber Defense
Senior executives must be conversant in the key terms and concepts pertaining to cybersecurity. It takes some work, but CEOs need a working knowledge of cybersecurity if they are going to provide the same level of management and oversight for cybersecurity that they exercise over other critical business functions.
Best Methods to Train and Exercise the Workforce
The dynamic nature of cyberspace demands current, recurring training for everyone in the company. All employees need to understand the threats posed to the company and their personal responsibilities as network users. Security personnel need frequent technical training, and they should attend conferences where the latest trends are discussed. Those responsible for audit, governance and compliance must stay current on oversight and regulatory requirements. And training effectiveness must be verified through a robust exercise program that prepares the company to deal with a major breach.
Cyber-Risk as a Component of Enterprise Risk
Cyber-risk has to be “baked in” to enterprise risk; it cannot be “bolted on.” Executives and managers at all levels need to understand how cybersecurity plays a role in risk aggregation and risk integration in relation to the other risk areas captured under the enterprise risk management framework.
Other important areas include metrics, IT and cybersecurity strategy, threats to industrial control systems, the impact of the Internet of Things, compliance and regulation, public relations, and information sharing, just to name a few. A good program will be customized to the company and its business sector and will facilitate follow-up modules of instruction.
Training the senior leadership team is step one. From there, the training must propagate through all levels of management. The most senior executives are trained first, demonstrating that if it is worth their time, then it should be on everyone’s agenda. This is a key aspect to changing the company culture.
Finally, recurring training is essential. Technology changes every day. Those changes bring great opportunities, but they also bring increased risk. Short web-based updates, “brown bag” discussions and mini-workshops are all ways to keep everyone current and make sure your company grows and prospers in the age of cyberspace.
Visit TrainingIndustry.com throughout the month of October for insight and tips on how you, as a training professional, can help protect your organization.