More than 90 percent of corporate executives say they can’t read a cybersecurity report and are not prepared to handle a major attack, according to a report from Nasdaq and Tanium, an endpoint security and systems management vendor out of Emeryville, California. The report, which can be seen in a CNBC video, highlights a training opportunity for CEOs on cybersecurity.
In a recent Forbes article, Steve Morgan reiterates the fact that cybercrime is on the rise, but a lot of information about it is geared more toward those in the information security field. For example, the Verizon 2016 Data Breach Investigations Report (DBIR) states that no location, industry or organization is immune from attack. A DBIR executive summary — described as the C-level guide to what they need to know — is full of information that will sound convoluted to most CEOs. For instance, “the median traffic of a DoS attack is 1.89 million packets per second — that’s like over 113 million people trying to access your server every minute.”
Make no mistake, Verizon’s report is an invaluable resource and recommended reading for business leaders. A skim through is certain to heighten awareness around cyber risks — even if it leaves a CEO scratching her head trying to figure out what all the technical terms mean — including patching, change monitoring, SLAs for DoS mitigation, CMS plugins, two-factor authentication, tamper evident controls, and all the rest.
Amjed Saffarini, CEO of Cybervista (a cybersecurity training company), spoke at the Cyber Investing Summit and explained that C-suite executives and board members need to be educated on cybersecurity or the cyber damage will only get worse. While CEOs may be receptive to the notion of learning about cyber, their biggest challenges are setting aside the learning time and finding training programs geared specifically to their needs.
Saffarini said that he knew absolutely nothing about cybersecurity a year ago. Now he’s a subject matter expert on cyber workforce issues. Saffarini said there are two main ingredients for educating CEOs whether it’s a Cybervista program or something else. First, everything needs to be broken down into plain language and business terms that resonate with a CEO. Second, it needs to be delivered in bite-sized chunks — 15 or 20 minutes at a time — so it can realistically be worked into a CEO’s busy schedule.
As CEOs become more savvy on cybersecurity topics, it will help to drive home the point that cybersecurity is a key element in corporate risk management. Furthermore, sound cybersecurity will involve an investment of money in addition to time. As Brad Egeland explains in a CIO article, you need to fund security, not just put someone “on it.” If someone wants your data badly enough, they are likely to get it. Nonetheless, you need to do what you can to protect it for the sake of the business as well as the peace of mind of employees, executives and shareholders alike.
CEOs do not have to be cybersecurity experts. They need to be more cybersecurity enlightened. The first step is adjusting cybersecurity education to better fit the needs of CEOs.