Data breaches and cyberattacks can affect the bottom line. Businesses concerned about protecting consumers' information may already have a chief privacy officer in place. But they need a "Cyber Commander," too, according to a white paper from Focus.com.
"How CEOs Can Prepare for and Respond to Cyberattacks," released on July 26 by the San Francisco-based online business media company, argues that cybersecurity needs to become an ongoing business process rather than an emergency plan.
"CEOs need to take this class of threats as seriously as they would the defection of customers by way of departing sales agents/managers," the white paper quotes Andrew Baker, service operations director at SWN Communications Inc., as saying. "Too many organizations look at cybersecurity in the same way that they look at contingency planning for earthquake or civil unrest in a Western country—i.e., as something that is not likely to occur, but for which it would be a good idea to have some preparation. However, cyberattacks are a virtual certainty at this time … no organization should expect to avoid getting hit."
1. In the positive sense, "Evangelize cybersecurity to senior executives," the white paper advises. In a more concrete sense, hold the C-suite accountable for breaches. "Unless the CEO makes it absolutely clear that security is a mission-critical quality of an application and that security issues directly affect people's careers at the company, the CEO should take full responsibility for any security issues," according to Brian McCallion, president of Bronze Drum Consulting, Inc.
Without a clear directive from the top that investing in cybersecurity must happen, many organizations seem to be falling down on the job, says Barry Schrager, chief security architect at Vanguard Integrity Professionals. "Did you know that the vast majority of those sites—79 percent, according to the Verizon [2010 Data Breach Investigations] Report—that were breached and were subject to the PCI standard had not met that standard at the time of the breach?" According to Verizon's 2011 report, that figure had risen to 89 percent of breached organizations subject to the PCI DSS (the Payment Card Industry Data Security Standard, which governs the protection of cardholder data) that were not compliant at the time of the breach.