How the C‑suite can fight cybercrime

1. CEO

Chief exec­u­tives are account­able for the whole com­pa­ny and its per­for­mance. They set the tone and pace for the full breadth of the cor­po­rate approach to its mar­ket and envi­ron­ment. The right cyber approach by C‑level posi­tions not only pro­tects the busi­ness from threats, both finan­cial­ly and rep­u­ta­tion­al­ly, but can also cre­ate val­ue in the eyes of cus­tomers, stake­hold­ers and peers.

Cyber­se­cu­ri­ty is only impor­tant to an organ­i­sa­tion if the CEO and board make it so. CEOs must cre­ate a cul­ture of secu­ri­ty with­in the busi­ness and invest their per­son­al time and resources to back up their words and promis­es. They must ensure they are kept up to date with crit­i­cal cyber­se­cu­ri­ty con­cerns and are knowl­edge­able of the issues and asso­ci­at­ed oppor­tu­ni­ties.

“It is essen­tial CEOs ele­vate the chief infor­ma­tion secu­ri­ty offi­cer to a posi­tion of promi­nence with author­i­ty, and under­stand their cyber-risk aper­ture by baselin­ing against indus­try best prac­tices,” says Mark Testoni, CEO of SAP’s nation­al secu­ri­ty arm SAP NS2. “In addi­tion, they should cre­ate and fund a plan to get the com­pa­ny where it needs to be in terms of cyber­se­cu­ri­ty.”

2. CFO

While chief finan­cial offi­cers don’t nec­es­sar­i­ly have to under­stand the full tech­ni­cal aspects of cyber­se­cu­ri­ty, they must be aware of the finan­cial risks asso­ci­at­ed with the ever-increas­ing num­ber of cyberthreats. The impor­tance of this is empha­sised by the harsh penal­ties which can poten­tial­ly be giv­en as a result of Gen­er­al Data Pro­tec­tion Reg­u­la­tion (GDPR) non-com­pli­ance: up to €20 mil­lion or 4 per cent of annu­al glob­al turnover. This serves as a real threat to any C‑level posi­tions and puts it firm­ly on the CFO’s radar.

Giv­en that any data breach could seri­ous­ly impact the rep­u­ta­tion of an organ­i­sa­tion, it falls to the CFO to ensure organ­i­sa­tions are not only com­pli­ant with reg­u­la­tions, but also well pro­tect­ed. These risks must be tak­en into account when the CFO is advis­ing on growth and cost-sav­ing ini­tia­tives. There­fore, they must work close­ly with cyber­se­cu­ri­ty pro­fes­sion­als to under­stand the risks, ensure that any pro­pos­als take into account cyber­se­cu­ri­ty impli­ca­tions and lend all rea­son­able sup­port to any ini­tia­tives aimed at pro­tect­ing the busi­ness.

“In a mod­ern organ­i­sa­tion, there is an ever-evolv­ing over­lap between cyber­se­cu­ri­ty and finan­cial risk,” says Mark Blake­more, CFO at Com­pleat Soft­ware. “As a result, I believe the rela­tion­ship between CFO and chief infor­ma­tion secu­ri­ty offi­cer is an increas­ing­ly sym­bi­ot­ic one. While a CISO can present the risks and work in a more tech­ni­cal fash­ion, a CFO can also help improve secu­ri­ty by assist­ing in trans­lat­ing risks into a lan­guage bet­ter under­stood by senior lead­ers.”

3. COO

Tra­di­tion­al­ly the sec­ond-in-com­mand leader among C‑level posi­tions, chief oper­at­ing offi­cers are focused on oper­a­tions and busi­ness effi­cien­cy. They play a cen­tral role at the heart of a busi­ness and there­fore need to play a cen­tral role in ensur­ing it is pro­tect­ed from threats.

The COO needs to be ask­ing the hard ques­tions and recog­nis­ing that unquan­tifi­able cyber­se­cu­ri­ty risk is neg­li­gence. They need to reject fal­li­ble, sub-par solu­tions and instead look to incor­po­rate new and inno­v­a­tive approach­es, for exam­ple mov­ing away from tra­di­tion­al, reac­tive respons­es to cyber­se­cu­ri­ty that often fail busi­ness­es and instead look­ing into more proac­tive moves that real­ly embed secu­ri­ty prin­ci­ples into process­es.

The COO must work with dif­fer­ent lead­ers across the com­pa­ny to ensure all parts of the busi­ness are work­ing togeth­er to deliv­er the same goal, not only pro­tect­ing the busi­ness from dam­ag­ing threats, but also build­ing pos­i­tive dif­fer­en­ti­a­tion from its com­peti­tors.

“With com­pa­nies increas­ing­ly aware of the cyber-risk intro­duced by part­ners and sup­pli­ers, cre­at­ing a dig­i­tal­ly pure enter­prise that can con­fi­dent­ly boast risk-free shar­ing of busi­ness infor­ma­tion is immense­ly valu­able, and that’s where the COO can play a cru­cial role,” says Dan Turn­er, CEO at cyber­se­cu­ri­ty firm Deep Secure. “Any busi­ness that can estab­lish a track record for guar­an­tee­ing its users, part­ners and cus­tomers access to clean, threat-free busi­ness con­tent and ser­vices will dif­fer­en­ti­ate them­selves in today’s dan­ger­ous cyber land­scape.”

4. CMO

Tech­nol­o­gy is a firm­ly estab­lished part of mar­ket­ing and cus­tomer expe­ri­ence. The role of chief mar­ket­ing offi­cers is rapid­ly chang­ing and tech­nol­o­gy is becom­ing more deeply embed­ded in their respon­si­bil­i­ties as they dri­ve dig­i­tal trans­for­ma­tion with­in the organ­i­sa­tion. There­fore, it is essen­tial they ful­ly under­stand the ongo­ing dan­gers of cyber­se­cu­ri­ty and GDPR.

CMOs and their mar­ket­ing teams man­age con­fi­den­tial data so must under­stand the prin­ci­ples of cyber­se­cu­ri­ty as part of their respon­si­bil­i­ty to be com­pli­ant and respon­si­ble for where infor­ma­tion is stored, how it is man­aged and whether it is being used in a secure way.

The rise of mar­ket­ing tech­nol­o­gy, or martech, has seen emerg­ing inno­va­tion, includ­ing social media, design, email mar­ket­ing and automa­tion apps, become the norm for mar­ket­ing cam­paigns, which presents an oppor­tu­ni­ty to hack­ers. Of all C‑level posi­tions, CMOs must have the strongest secu­ri­ty aware­ness of how tech­nol­o­gy is used in the busi­ness.

“Work­ing col­lab­o­ra­tive­ly along­side their C‑suite col­leagues, CMOs should ensure the right cyber­se­cu­ri­ty tech­nol­o­gy is imple­ment­ed to pro­tect the organ­i­sa­tion and its cus­tomer data, and help the busi­ness achieve its goals,” says Faye Eldridge, head of demand at Doher­ty Asso­ciates. “CMOs can also advo­cate bet­ter cyber­se­cu­ri­ty prac­tice with­in the organ­i­sa­tion by pro­vid­ing mar­ket­ing com­mu­ni­ca­tions on cyber­se­cu­ri­ty aware­ness to employ­ees.”

5. CRO

The chief rev­enue offi­cer is respon­si­ble for all sales gen­er­a­tion across the com­pa­ny and this includes the process­es busi­ness devel­op­ment teams adopt. It puts the CRO in a sim­i­lar boat to the CMO, ensur­ing sales staff are aware of their respon­si­bil­i­ties to be GDPR com­pli­ant when attempt­ing to acquire leads and apply­ing basic secu­ri­ty prac­tices to their out­reach.

To pro­tect com­pa­nies from cyberthreats effec­tive­ly, CROs must fos­ter a cul­ture of secu­ri­ty and account­abil­i­ty among the sales team. Cyber­crim­i­nals are always find­ing new ways to attack busi­ness­es, exploit­ing vul­ner­a­bil­i­ties in tech­nol­o­gy and the humans who use it. As a result, CROs need to be mul­ti­dis­ci­pli­nary. While this doesn’t mean deep exper­tise, it does require a deep­er aware­ness of the nature of cyber-risks and how they can be addressed.

“In today’s threat land­scape, busi­ness­es must go beyond estab­lish­ing base­line pro­to­cols to cre­ate and main­tain a secure envi­ron­ment,” says Adam Philpott, Europe, Mid­dle East and Africa pres­i­dent at McAfee. “The key to achiev­ing cyber-resilience with­in an organ­i­sa­tion is col­lab­o­ra­tion and under­stand­ing across the board. C‑level posi­tions and cyber­se­cu­ri­ty experts need to find a com­mon data-lan­guage to under­stand the risks and how to adapt to man­age them.”

1. CEO

2. CFO

3. COO