It’s difficult to imagine that most CEOs are unaware of cyber threats. You can’t go a day without seeing an article about the latest sensational cybersecurity incident. And none of these attacks are limited to a particular size or type of company. Attacks are impactful and pervasive.
Risks due to cyber threats continue to be treated differently than all other types of organizational risks despite clear evidence that cyber losses can include millions of dollars, penalties, and fines; class-action lawsuits; reputational damage; and lost opportunities. Don’t forget employee attrition — who wants to work for the latest firm to become a media headliner for all the wrong reasons?
A Business Survival Imperative
Even within many large organizations, cybersecurity departments still report into IT, as if security were an IT function (spoiler alert: it’s not an IT problem; it’s a business survival imperative). Cybersecurity needs an equal place in the C-suite. Accept the reality that IT and security have very different focuses, agendas, and KPIs. Recognize the differences, celebrate them, and place security equal to the IT function.
CEOs don’t entirely own this problem. There are many boards of directors with no significant cybersecurity expertise. Where are the board members who were former CISOs and lived through a major security breach? They are the leaders who really know how painful and expensive it is to survive one, and they have the lessons learned under their belts.
In 2022 the Securities & Exchange Commission proposed new regulations that would greatly expand the cybersecurity expertise and reporting required of public company boards. If approved, there will be a scramble for talent with experience in operating risk, in the strategic and practical work of meeting existing and coming regulations, and in the future opportunities that a strong cyber posture can provide. This is not to be feared; it is a good opportunity for forward-acting organizations to get ahead.
Still wondering about the connection between IT systems and water? In 1908, Jersey City, N.J., became the first U.S. city to begin routine disinfection of community drinking water. Other municipalities quickly followed suit. Until then, citizens contracted water-borne illnesses regularly.
A strong cybersecurity capability is the disinfectant all organizations need now. Some day we will look back and shake our heads at the unbelievably slow progress of providing basic sanitation and protection to our IT capabilities, particularly given how dependent we are on them. Elevate your organization’s cybersecurity capability now, and we can all raise a cold glass of clean water to that future.
Frederick Johnson, Vice President, Cybersecurity & Digital Forensics, Marcum Technology
Frederick Johnson is vice president of cybersecurity and digital forensics at Marcum Technology, a division of accounting and advisory firm Marcum LLP. He leads strategic governance and cybersecurity technical services that drive validated cybersecurity risk posture improvements. Based in Orange County, California, Frederick offers expertise in cybersecurity, privacy, governance, risk and compliance, and information technology.