People care about their reputation. Most like to be known as honest, hard-working, trustworthy, and having integrity. It’s no different for companies. When a company’s reputation takes a hit, so does its business. That’s why 85% of respondents to a BAE survey on cybersecurity listed reputational damage as a top concern. A close second was fear of legal liability, at 74%.
Bill Sweeney, BAE’s CTO, discussed the survey’s results in a Harvard Business Review article. I’ve picked out two points he made below and added my own observations:
- Consider having two different cybersecurity vendors run risk assessments annually, staggered by six months. This is a great idea for a number of reasons, not just the obvious one that you’re getting an assessment twice a year instead of once. It’s like a second opinion – hopefully the findings are similar, but each firm may discover different areas of concern. Each firm has its own perspective and areas of expertise – if you’re using only one firm, you may not be getting the full picture. Also, a little competition never hurts. Biscom’s cybersecurity offering takes a multi-faceted approach that includes interviews with employees from the executive level on down, surveys designed to suss out the current environment and level of knowledge, a review of the use of increasingly popular cloud services, and help for clients in understanding and improving their practices around the kinds of data they store, use, and share. Biscom takes a very hands-on and personal approach, since it’s not just the systems that need to be protected: the people operating within the technical environment also need to understand the hows and whys of cybersecurity.
- What’s more, executives should help promote the importance of security within the organization, starting with better education and training. Building a culture of security is important. Bill feels this is something that may be lacking at the highest levels of management in the company. Educating the workplace is critically important. He also points out that retention of that training dissipates quickly, which calls for more frequent sessions. The other aspect is that things change: attack vectors morph, and training from 6 or 12 months earlier may be outdated. Biscom’s cybersecurity training focuses on thematic issues and on understanding how attacks happen. A heuristics-based training approach can be more effective and more easily remembered than a case-based one; a combination of both is ideal.
The full article can be found here: Cybersecurity Is Every Executive’s Job.