By Ryan Burkovich

While executives have an ever-growing backlog of issues, threats, and trends to manage, one issue seems to be continuously growing in complexity and severity. It is an issue that is difficult for many to understand and exists somewhere between the physical world and an abstract world that cannot be seen or felt but nonetheless still exists.

That world is cyberspace, and it is susceptible to threats similar to those the physical world faces. We seem to be bombarded with news stories about cybersecurity incidents ranging from startups to Fortune 500 companies to governments around the world. Yet, executive interest in information security seems to rise and fall with these headlines. When there is no prominent breach dominating news feeds, other priorities demand attention. However, as soon as a major breach is reported, business leaders, politicians, and the general public alike are once again faced with the sobering reality of this ever-looming threat to their businesses, personal information, bank accounts, and livelihoods.

One common trend in this cycle is that many leaders don’t see it as a problem they can help fix. Rather, it is seen as a technical problem that can only be addressed by technical people. However, Basie von Solms – the Associate Director of the Global Cybersecurity Capacity Centre at Oxford University – states that this is not true. In The 10 Deadly Sins of Information Security Management, von Solms declares that top management has a direct responsibility to ensure all information assets of their company are secure, and that proper due diligence is taken to maintain proper security measures. This detachment by some leaders can cause a few common themes to appear within their organizations. First, a lack of understanding of the return on investment (ROI) for information security initiatives begins to emerge. Next, this lack of perceived ROI turns into a belief that these measures are actually hindering revenue generation. Finally, information security initiatives, policies, and procedures are relaxed, bypassed, or simply ignored.

Leaders who take a back seat when it comes to information security often see it as a business cost that continuously siphons money from revenue-generating projects. The problem with information security is that, if it’s done well, there are no alerts or final finish line to acknowledge or bring to the attention of leadership. It is instead a continuous effort and not a one-time project, which can make the value difficult for leadership to discern.

Lacking this insight into the true impact information security measures have within an organization can also make security measures appear to hinder revenue generation. In the fast-paced, competitive arena of business, seconds matter, and decisions need to be made quickly, without red tape, adherence to regulations, or contemplation of consequences. In reality, we know these hurdles are in place for a reason, and they help keep businesses, governments, and society ethical, prosperous, and safe. While these security hurdles may not always be conducive to our business interests, goals, or ambitions, compliance is strongly advised, if not legally required.

Qing Hu – a Dean at The Koppelman School of Business at Brooklyn College – explains that if executives are not engaged and supportive of information security initiatives and policies, employees are more likely to ignore them as well. It seems to boil down to the saying “lead from the front.” If leadership does not actively support the security of their company, neither will their employees. The question is, what can executive leadership actually do to take direct action in combating information security threats?

Hu explains that one of the major steps executive leadership can take to improve the security posture of their organization is to become actively involved in information security issues. This can occur in various ways. First and foremost, support information security initiatives and provide the information security team with a platform for open and honest communication with leadership. Next, thoroughly review information security policies and procedures to become familiar with the high-level aspects of the organization’s information security program. The more familiar with the program a leader is, the better decisions they can make. Once a leader is familiar with policies and procedures and can make better decisions, it’s time to take an active role in various IT and information security committees. This will further develop a leader’s understanding of the issues security teams face and will make the ROI more apparent.

What can a leader do when there are no information security teams, committees, or even policies to support and follow? Cybersecurity may seem like a luxury, or something for “bigger” companies that have something to lose. This notion is far from reality, and it is where a trusted security partner can assist. Instead of hiring a full-time security engineer for an organization of 10, a trusted advisor can guide you in creating a strong security foundation. Creating a strong security foundation at the start of an organization is more beneficial than waiting until you are one of the “big companies” that needs a security program but doesn’t have one. You can compare it to constructing a building. Using reinforced concrete may add costs at the beginning, but it will add years of life to the building and help avoid catastrophic issues in the future. An organization should institutionalize security in its foundation, ensure supportive leadership throughout, and seek security expertise to plan, prioritize, and invest in the most beneficial, cost-effective security solutions.

These leadership actions can help create a culture of security awareness within an organization, which Hu says can make a measurable difference in general employee attitude about and participation in information security initiatives. As many know – and Hu reiterates – when it comes to the information security of an organization as a whole, the organization is only as strong as its weakest link. All that it takes is one employee to click a link that will break the chain.

Reference: Basie von Solms, The 10 Deadly Sins of Information Security Management