When cybersecurity professionals talk about an organization’s “weakest link,” they’re usually referring to its frontline employees — sometimes a single worker who just can’t resist clicking that email link or providing those login credentials. More training, they say, is critical to ensuring that these workers can recognize a phishing attack when they see it.
Is it possible, though, that the organization's weakest link may be its CEO or board of directors?
That was the argument made April 24 to a packed — and receptive — room of security leaders at RSA Conference, one of the largest cybersecurity events of the year, which runs through April 27 this year in San Francisco. The experts making this point were Marcus Sachs, the deputy director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, and Andrzej Cetnarski, founder and CEO of Cyber Nation Central.
They argued that senior leaders frequently create risk for their organizations in several key ways. First, they fail to recognize the degree to which they are personally being targeted by sophisticated spear-phishing campaigns. Cetnarski said a CEO or board member can expect to be followed by as many as 18 different hacker groups, each targeting the executive for different reasons and in different ways.
As a result, they’re not prepared to protect themselves or their organizations. Indeed, they often exempt themselves from the anti-phishing training their workers do and from security protocols such as multifactor authentication that cover the rest of the organization.
“They say, ‘We do the employee training and send them the phishing emails every month to see who’s clicking on those, but me, as a senior leader, I’ll just skip that,’” Sachs said.
Cybercrime Is the World’s Third-Largest Economy
Cybercrime is expected to be a $7.9 trillion industry in 2023. If it were an economy, it would be the world’s third-largest, behind only the United States and China, according to data gathered by Cyber Nation Central, which advises boards and C-suite executives on cybersecurity readiness.
Cetnarski argued that the typical U.S. organization has a "probability-adjusted" risk of incurring a $1.8 million hit to its bottom line over the next year. He derived that figure from two inputs: the average breach cost in the United States, which will hit $9.85 million this year according to IBM, and an organization's 37.5 percent chance of being breached over the next two years. Multiplying the cost by the breach probability and spreading it over two years yields roughly $1.8 million of expected loss per year.
Further, Cetnarski noted that the cybercrime economy’s growth rate of 15 percent annually is larger than the 9.7 percent growth rate of global cyberdefense spending, citing data in his presentation from Statista and Cybercrime Magazine. That does not mean, he stressed, that organizations should necessarily spend more money. “But what it does mean is that what we’re doing isn’t working well enough,” he said.
One problem Cetnarski says he sees often is a mindset among boards of directors and CEOs that cyber breaches are the CISO’s problem to solve. That implies that cybersecurity is principally a technology problem, when in reality it’s a problem of culture that breeds dangerous behaviors.
Sachs agreed. “We’re absolutely not saying that you shouldn’t invest in tech; there’s definitely a tech component to the problem, and you have to fight bad tech with good tech,” Sachs said. “But you have to do more. It’s not enough to have blinking lights.”
How to Get the Board of Directors to Prioritize Cybersecurity
What can IT leaders do to get their boards of directors more interested in cybersecurity as a business priority? The speakers made several suggestions.
It begins with board access. If IT leaders are not being invited to board meetings, or are invited but not welcome to contribute beyond short remarks on whether the business has recently suffered a breach, then they cannot expect to influence board members' priorities.
Next, they should be willing to consider some unorthodox approaches to board communication, such as asking former criminal hackers to present. For example, when he worked in national security roles, Sachs said, his colleagues were quite stunned to find “a blue-haired guy with earrings and a black t-shirt” in their midst one day. “But he was the hacker. He was the guy we were all working against, and he was there to tell us how he thinks.”
IT leaders also should be realistic. A board of directors' primary job is to ensure shareholder value, and that will always be its main focus. But IT leaders can set a goal of "getting security into the top five" of board priorities by showing how a lax cybersecurity culture can erode shareholder value, Sachs said.
It's vital when faced with a seemingly uninterested board or senior leadership team to "show them the gap" between the things they're currently doing on cybersecurity, the things they should be doing and the business consequences of remaining within that gap, Cetnarski said.
But explaining that gap requires IT leaders to learn how to speak in the language of business leadership, Sachs said: “If all you do is talk tech, they’re going to give you a few minutes and tell you to sit down.”