Every sustainable business transformation is underpinned by strong executive support, and cyber security is no different. Long-term shifts in staff mindsets and behaviours require senior business executives to role-model the expected attitudes, beliefs, and practices – a concept commonly referred to in risk-management circles as ‘tone at the top’. The underlying premise is that whatever attitudes senior executives exhibit (or set) will trickle down to the lower ranks of staff. If executives demonstrate eagerness and deep commitment to protecting high-value digital assets and upholding customer digital trust, making the cyber-risk appetite an entrenched part of the enterprise’s life, middle- and lower-ranking employees will also naturally be inclined to uphold the same virtues.
Conversely, if leaders pay lip service to cyber security by unnecessarily approving dozens of policy exemptions, plugging unmanaged personal devices into the corporate network, bypassing payment delegations of authority, travelling to high-risk countries with unencrypted devices, or exporting sensitive data to unsanctioned cloud environments, their behaviour will also cascade down through the enterprise, exposing it to significant risk. For example, if a CEO routinely approves payments outside of established processes, they make their enterprise fertile ground for BEC scammers. Therefore, to succeed, the executive leadership team, led by the CEO, must categorically signal that cyber security is of prime importance to the mission of the enterprise, and is everyone’s responsibility. As Jeanie Daniel Duck remarked in Harvard Business Review, ‘Change is intensely personal. For change to occur in any organization, each individual must think, feel, or do something different.’ Simply put, without demonstrable executive involvement, cyber security programs are doomed before they even start.
There are five key actions that enterprises can take to set the tone at the top:
- The CEO should, as part of their routine communications, emphasise the significance of cyber security to the enterprise mission, as well as solicit commitment from front-line staff by underscoring the critical role everyone plays in securing the enterprise. It has long been proven that individuals and teams will go the extra mile for causes they care deeply about. Imparting the desired mindsets and behaviours also requires the CEO to openly acknowledge cyber security heroes – those employees who go the extra mile to defend the enterprise against cyber threats. Openly acknowledging cyber security heroes buttresses positive behaviours, motivating others to follow suit.
- The CEO should express senior leadership’s unwavering commitment to maintaining a cyber-resilient enterprise by upholding the precepts of the cyber-risk appetite statement and consistently showing up at important events, such as cyber-risk governance forums or drills. Executives who consistently delegate important cyber security responsibilities to middle managers send the wrong message to employees and inevitably fail to win their hearts and minds. This, however, requires a careful balancing act between providing the required support and oversight and allowing middle management enough room to manoeuvre. The cyber security awareness of senior executives should be regularly assessed as part of organisational phishing campaigns or social engineering tests. This, again, requires caution, as overzealous attempts to hack into the CEO’s mailbox or tailgate them could possibly backfire on cyber security staff.
- Business unit leaders should cascade the CEO’s core messages to their wider teams, contextualising them to specific threats targeting their teams and the different roles they play in securing the enterprise. For example, call centre staff are common victims of social engineering tactics designed to steal customer passwords, credit card numbers or other sensitive information, while an oversight of simple vulnerabilities by developers can open significant doors to web-based attacks. Personalised and relatable messages stick for much longer than generalised ones.
- Senior leaders should actively participate in major cyber security drills. Doing so will keep them informed of their cyber security preparedness, as well as send a powerful message to staff that they are putting their money where their mouth is.
- Senior executives should also send a strong message to others by rejecting requests that violate policy, such as disabling security controls on servers, pushing back vital security patches or engaging with third parties that exhibit deplorable cyber security practices. Arbitrary approval of security exemptions by senior business executives deeply undermines cyber security and demotivates cyber security teams.
If there was ever a time in history when executive leadership was needed to manage this potent threat, it is now. To inspire sustained transformation, senior business officers must practice what they preach: they need to fully commit to cyber security programs.
Phil is an experienced head of cybersecurity, strategic advisor, author, and public speaker. He is the Amazon best-selling author of The Five Anchors of Cyber Leadership, a practical cyber strategy book for senior business leaders, and the 2017 winner of ISACA International’s Michael Cangemi Best Book/Article Award for major contributions in the field of IS audit, control and security.