IT security is complicated, technical, multi-faceted, and always changing. It’s also an inescapable concern for every company. How are the non-techies, business folks, and C-Suite leaders supposed to keep up? What do you really need to know? Here are 6 key principles:
- The scary stuff – I’ll start with the part you already know: poor security leads to incidents and breaches. These are never good for your company’s bottom line or reputation. And it might not just be your data that gets compromised – you might expose your customers’ data, or conversely, an un-vetted vendor of yours might accidentally expose your data along with theirs.
So, I know you know this, but it’s worth reiterating that breaches are costly. There are fines associated with violating privacy laws; there are ransom payments associated with falling victim to ransomware (if you decide to pay). And aside from the financial hit, a breach will bring significant logistical, legal, and reputational headaches.
- The boring stuff – To fortify against the above, IT needs to do a lot behind the scenes that you’ll never even know about 99% of the time. They configure firewalls, access rules, detection and monitoring systems, antivirus, patching, encryption, and more. There’s a lot that goes into the day-to-day business of keeping the bad guys at bay and following best practices.
- But security is even more than this – I was once asked in an interview, “so tell me about security?” I was like, hmm, where do I start… It’s not just technical controls. It should be a mindset, a philosophy, a culture, something to be factored into every project, every system, every process in your company. It’s something all of your employees should be trained on. Is this always the case, especially in small companies? Nope. Should it be, especially as you grow? Yup.
- There’s doing it, and there’s proving you did it – Yes, you need to keep your ducks in a row to prevent security incidents. You also need to document what you do. Documentation is almost as important as the security controls themselves. It will ideally feed into a third-party audit report like a SOC 2. That way, if you DO experience a breach, your documentation – and your awesome clean audit report – act as evidence that you had reasonable measures in place, which can greatly reduce your legal exposure and reputational damage.
- Compliance = customers – These days, in almost every industry, privacy and security compliance is mere table stakes. Your customers assume – and require – that you comply with privacy regulations and you conduct security audits (like SOC 2).
NOTE: for new companies wondering where to even start building their security posture, compliance is a great grounding point. Taking steps toward adhering to applicable laws and regulatory requirements for your industry – and any contractual obligations – is a good place to start. Adherence to a specific framework (like NIST, ISO, or SOC 2) will also definitely point you in the right direction.
- Security is never finished – We are never 100% secure, and the bad guys are never finished finding new ways to ruin our day. And our dependence on technology will only keep increasing. It’s a never-ending effort – a journey, not a destination – and our risk is never zero. Ultimately, “security” is a process of mitigating, reducing, and managing risk.
So how can (should) the C-Suite participate? What’s their role?
- Oversight – You (executive leadership) aren’t required to be security experts, but at the same time someone outside IT needs to have visibility into the process. IT can own the technical controls but the company owns the risks. Security risks need to be assessed as business risks. Policies and audits should be reviewed and approved (outside of IT) annually. This stuff directly affects your business, and leadership needs to be involved, at least at a high level.
- Helping promote a security-first culture – As I mentioned, security is a mindset. Promote it; define who owns it; ensure that security initiatives are prioritized. Audits should have full sponsorship from the CEO. Security is not just an “IT thing”, it extends to every department and every employee. And the culture starts at the top.
- Incident Planning – Certain activities require C-level participation, like risk assessment, disaster scenario testing, and creation of an incident response team. Prioritize and take these seriously.
What should the C-Suite expect from their IT team?
IT can generally be relied upon to own:
- Controls – designing and implementing the technical measures used to protect data and systems
- Policies – creating, updating, and (especially) explaining and briefing leadership on major updates and, really, on anything they need to know
- Audits – until such time as you have a compliance department, it’s fair for IT to own the security audit process
- Staff Training – your employees are your “human firewall”; security awareness training is critical
- Communication – proactive monitoring, tracking, notification, and documentation of risks and incidents
Of course there’s a bit more to all this! The above is meant to be an overview, but here is the part where I mention that I can help 🙂 I can start with an assessment of your current security stance, structure, skills, gaps, priorities, and help you develop a plan. Contact me if you’d like to discuss.