What Executives Get Wrong About Cybersecurity & Risk Management

By Susanne Gurman

Posted on May 13, 2020

The idea of a data breach makes most executives nervous, and for good reason; the average data breach costs an average of $3.92 million, and can also cost a company its reputation, and its customers’ trust.

Unfortunately, while most executives are pros when it comes to financial risk management, they don’t always understand cyber risk. One of the most common misconceptions is that cybersecurity and risk management is a technology problem. But that isn’t the case — cybersecurity is as much a business problem as financial risk is.

The danger of over-focusing on technology

Non-technical executives often tend to think of cyber risk in terms of technological threats. This is a problem for several reasons. For one thing, when company leaders — who are often nontechnical — believe that cybersecurity is a technology problem, it makes cyber risk even more frightening than it already is because they don’t understand it.

Rather than attempting to manage cyber risk, those executives will outsource it, either relying on their IT or security organization to manage cybersecurity for the entire company or by trying to buy their way out of a breach, investing in solutions that will protect their data and networks. Harvard Business Review recently wrote about the pitfalls of cybersecurity efforts that focus only on technology. HBR paints a bleak picture of meetings filled with tech jargon that CEOs and boards accept but don't understand, and threats unaddressed in favor of long mitigation lists.

To be clear, neither using a security team nor purchasing a security solution is a bad move. While a security team and well-researched cybersecurity solutions are an important part of a security strategy, they won’t fend off a breach on their own. In other words, an engaged corporate leader is key when it comes to a solid cybersecurity strategy. That’s because cybersecurity isn’t really about technology— it’s about business and people, two areas in which executives excel.

Cybersecurity and your business

When it comes to cybersecurity, an executive’s job is to align security with the organization’s specific business goals. Rather than focusing on the technology itself, an executive should look at their company’s needs and objectives and make a list of security priorities.

They might ask themselves questions like the following:

  • Which assets need to be most protected?
  • How might a cyberattack disrupt production?
  • Which vendors don’t seem secure?

Once a list of priorities has been established, company leadership can work with IT and the security team to protect those assets.

Cybersecurity is a people problem

Cyber attacks might be carried out via technology, but they tend not to be overly technically sophisticated. Social engineering attacks, which rely on humans making bad choices or falling for a scam, are on the rise.

According to APWG’s Phishing Activity Trends Reports, phishing attacks spiked to levels that haven’t been seen since 2016 in 2019. The more targeted spear-phishing, which is often used to gather information, is one of the most popular forms of cyber attack, according to Symanetc’s Internet Security Threat Report 2019, and is often a simple email. The best way to repel such an attack is good cybersecurity training and common sense on the part of your employees.

Other cybersecurity threats and risks include simple human error, like configuration errors, weak passwords, and other mistakes that leave your organization exposed to bad actors.

The best way to guard against all of these risks is to maintain a strong security culture in your organization. That means that security isn’t just IT’s job — it’s everyone’s job. The entire organization should be well trained when it comes to spotting the con behind a social engineering attack, should know how to set a strong password, and not to open suspicious links.

Leadership is the first step to developing that security-first culture. Once your employees see that the CEO and board believe in cybersecurity, they’ll take it more seriously as well. Buy-in from leadership is also important when it comes to initiatives like awareness and training employees in cyber-hygiene.

How SecurityScorecard can help

You can’t be everywhere at once in your company, so SecurityScorecard makes it simple to continuously monitor risk across your company’s entire digital ecosystem, whether that means finding leaked credentials on the internet, hacker chatter, or unpatched software.

Security ratings provide you with the tools and intelligence you need to identify security shortcomings and improve cyberhealth across your organization. By delivering actionable security intelligence to you right when you need it, our enterprise security platform lets your security and risk management teams find and mitigate risks before attackers can exploit them.

No waiting, 100% Free

Get your personalized scorecard today

Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.

Get Your Free Score

Get In Touch

Thank you for contacting us!