The Culture, Media and Sport Committee, appointed by the House of Commons, has produced a report on “Cyber Security: Protection of Personal Data Online”.
Recommendation 3 states: “To ensure this issue [cyber security] receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security”.
I assume that exactly the same rules for security breaches within government departments will apply and the Ministers accept their personal compensation will be linked to their department’s effective cyber security!
— Culture Media Sport (@CommonsCMS) June 21, 2016
I also note that Recommendation 13 of the report calls for “a maximum custodial sentence of two years for those convicted of unlawfully obtaining and selling personal data”. Unlucky for some.
Sanctions aside, what should a CEO be doing?
The CEO is the senior executive officer on the Board, and as such needs to ensure the Board is clear on the company’s stance with respect to cyber security.
To do this there are four key elements the CEO needs to consider:
- Stakeholder engagement;
- Strategy development;
- Setting and implementing policy;
- Resources.
Let’s look at these elements from a security perspective, with a view to what it is reasonable to expect a CEO to do. Expectation is important here: we sometimes expect the CEO to understand the minutiae, but is it reasonable to expect the CEO to be a cyber security expert? Clearly not; but there is an expectation that they engage experts at the right level to formulate and implement the appropriate company strategy and policies.
Stakeholder engagement. This is about understanding the key stakeholders, and what they expect from the business. It’s then about understanding the key business risks that may impact these expectations being met.
From a security perspective, a CEO ought to have an understanding of the differing security expectations of the various stakeholders; this would include understanding the key assets that create value and the impact a cyber-attack could have on stakeholders.
Strategy development. To enable these stakeholder expectations to be met, the CEO will be expected to work with the board to agree a set of business strategies. These strategies will need to consider how stakeholders’ security interests are to be met.
Setting and implementing policy. As part of implementing the strategies, the board will agree policies to be implemented by the CEO. In the security context this will be things like risk appetite. A cynical view would say this is about deciding where you want to sit on the scale between doing everything possible to keep customers secure, and taking a minimalistic approach and dealing with the fallout when something happens.
The risk appetite may manifest itself in specific policies such as compliance with a specific industry standard (27001, PCI-DSS, Cyber Essentials…).
Resources. To implement the policy, the CEO will need resources. The resources will not necessarily be technology, but will be drawn from the full spectrum of activities, including people, processes and education. To effect this, the CEO will need to draw up budgets and get the board to approve them.
Let’s not forget a key element of the Board’s role: monitoring management. Having set a strategy and policy, the expectation is that the management team will “make it so”. This is driven by the CEO. The board’s role is to monitor the effectiveness of the CEO and their management team in doing this, and to make changes if all is not working as expected, which links back to the Culture, Media and Sport Committee recommendation on compensation or, in the extreme, choosing a new CEO.
How do we help?
As security professionals, it is important that we don’t expect our CEOs or Boards to be cyber security experts. We need to understand their role (as summarised above) and determine how we support them in that mission:
- Do they need help in seeing the value of an asset to the business, and the stakeholder impact of a cyber-attack on that asset?
- Do they need help in setting the right policies to protect the assets?
- Do they need help to see that the current management practices are not effective in addressing security risks?
The consequence of not supporting them in this is that perhaps the pay cut may come our way instead!
You can find out more about this topic at the East Midlands Cyber Conference, where I will be running a workshop on “Governance: The role of the board”.