Cybersecurity Actions for CEOs


Transcript of Cybersecurity Actions for CEOs


Reaching the position of CEO in a company is one of the highest goals a person can achieve; however, the responsibilities that come with this position are even higher.

Generally speaking, a CEO should have work experience and broad general knowledge. In addition, a CEO should be a good communicator, be eager to develop and present a vision and strategy for the company, motivate others, earn respect, and understand all of the management processes inside the company.

However, no one can have professional knowledge of, and be a master of, everything; this is why a CEO should be regularly informed about the company’s issues. Details of negotiated contracts, marketing plan decisions, new employees’ CVs, customer information, ideas, and so on: a CEO can receive all of this information on a daily basis. The value of this data goes beyond the written words, especially today, when breaches of such data are constantly evolving along with their cost. The Ponemon Institute published its data breach results for 2014. According to the institute, the average total cost of a data breach in 2014 was $3.5 million, 15 percent higher than the previous year, and rising to $5.85 million for an organization in the United States. So the risk that threatens information is constantly growing, and its impact on organizations has become dramatic. The response to this situation is the role that cybersecurity has started to play in an organization. The complexity of security threats has brought together not just the chief information officer (CIO) and the chief information security officer (CISO), but also the chief executive officer (CEO) and the entire C-suite. Together they share responsibility for cybersecurity.

There are already some specific activities a CEO can undertake to help with cybersecurity.

Since CEOs receive updates and everyday information via email, it is advisable to be cautious with these email accounts. One piece of advice is to use a complex password that combines numbers, letters, and symbols. It is also advisable not to use an identifying string such as a real name or the company name as a password. These passwords should be changed regularly and should not be shared with anyone.
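The password rules above (mixed letters, digits and symbols; nothing derived from the user's real name or the company name) are easy to state but are usually enforced inconsistently. The following is an added example, not part of the PECB paper, of how an account-provisioning or self-service password tool could enforce exactly those rules. The sample identities (`jdoe`, `John Doe`, `Acme Corp`) and the 12-character minimum are constructed assumptions; the paper sets no minimum length.

```python
import re
import secrets
import string

# Constructed sample identities for the demonstration (not from the paper).
USERNAME = "jdoe"
REAL_NAME = "John Doe"
COMPANY = "Acme Corp"


def _identity_tokens(*identities):
    """Lower-cased name fragments that must not appear inside a password.

    For "John Doe" this yields "johndoe", "john" and "doe"; very short
    fragments (under 3 characters) are ignored to avoid false positives.
    """
    tokens = set()
    for ident in identities:
        ident = ident.lower()
        tokens.add(re.sub(r"\s+", "", ident))  # whole name with spaces removed
        tokens.update(t for t in re.split(r"\W+", ident) if len(t) >= 3)
    return tokens


def check_password(password, username, real_name, company, min_length=12):
    """Return a list of policy violations; an empty list means the password passes.

    min_length=12 is an assumed value, not a figure from the paper.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbols")
    # Case-insensitive check that no identifying fragment is embedded.
    lowered = password.lower()
    for token in sorted(_identity_tokens(username, real_name, company)):
        if token in lowered:
            problems.append(f"contains identifying text '{token}'")
    return problems


def generate_password(length=16):
    """Generate a random password that satisfies check_password().

    Uses the secrets module (a CSPRNG) rather than random; the loop retries in
    the rare case a random string happens to violate a rule.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, USERNAME, REAL_NAME, COMPANY):
            return candidate


if __name__ == "__main__":
    for pw in ("JohnDoe2014!", "acme2015", "Tr0ub4dor&3-Coffee"):
        print(pw, "->", check_password(pw, USERNAME, REAL_NAME, COMPANY) or "OK")
    print("generated:", generate_password())
```

The check is deliberately run against the lower-cased password so that `JohnDoe2014!` is rejected even though its capitalisation differs from the stored name; a policy that only compares exact strings is trivially bypassed by changing case.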


It is very convenient that nowadays everyone can access email accounts from any location and read messages downloaded from the server. However, for a CEO who handles very important work-related information, this practice is not preferable at all. Many network access points used today for public Wi-Fi transmit unencrypted traffic, which exposes messages to attack while they are in transit. Thus, the rule of using only trusted connections, and of not letting smartphones connect automatically, should always be respected by CEOs.

In addition, it is very important not to open any email, its contents, images or links sent by someone whose identity is not verified. Great care should also be taken when a CEO downloads applications from the internet. Such applications usually ask for personal data such as GPS location, passwords, mobile data, contacts or messages, which can be very useful to an attacker.

In response to all of this, it is advisable for a CEO to use security protection tools such as anti-virus software, firewalls, and monitoring of computing devices.

However, beyond these individual requirements, a CEO’s engagement in cybersecurity activities should be much wider in scope.

Within an organization, a CEO should be actively involved in managing cybersecurity risk. This means that a CEO should always ask for information and be informed about and involved in defining the strategic risk framework, risk assessment and accepted risk levels, the cost-effectiveness of cybersecurity budgets, business needs, regular evaluation of cybersecurity incidents, IT plans and outsourcing, cloud services, defined policies, and so on.

To achieve all this, a CEO has to maintain regular communication with executives and all parties responsible for managing cybersecurity risk. Apart from that, a CEO should also be involved in making employees aware of the risks that could affect their organization and the associated business impact. Training and testing employees with phishing exercises has become a very important activity for seeing how well they actually respond to cyber threats.

Another important issue that requires the involvement of the CEO is the protection of critical assets. A CEO should take an active part in processes such as identifying, classifying, protecting and prioritizing assets according to cyber risk. This also gives a clear view of the impact of risk on the financial, competitive and reputational position of the company.

However, accidents happen and are part of every organization, no matter how well protected it is. The CEO’s role in an incident is to know how to move forward. A well-organized company always has a plan B, which should be prepared and planned in coordination between the CEO, the Chief Information Officer/Chief Information Security Officer, business continuity planners, the maintenance and operations sector, and general counsel.

Moreover, the CEO’s role here is to ask for a documented report of everything that happened during the incident, all network events that were monitored, and the analyses. This report should be used to set new security policies, shape governance, and create business continuity and disaster recovery plans. A CEO should always take part in these situations.

Facing all these obligations and challenges is not an easy task for a CEO. It requires leadership, cybersecurity knowledge, clear vision and courage, and still this is not enough. To achieve cybersecurity objectives, a CEO should have tools that rely on identified best practices. The best practices of cybersecurity are found in integrated systems provided by industry standards. ISO is the standards organization that has answers on how to implement, develop and deploy solutions based on the best international experience on many issues connected with cybersecurity. This can be very helpful for a CEO.

Still, to achieve a high level of cybersecurity, an organization should ensure continuous cooperation across all levels inside and outside the organization. Therefore, cybersecurity activities should become part of daily responsibilities, and certified personnel are more than needed for this kind of responsibility. And even more: why not have a certified CEO? He or she would know even better and appreciate more the importance of these standards, which are more than useful for employees, and would be more involved in the enormously important matter of cybersecurity.

The Professional Evaluation and Certification Board (PECB) is a personnel certification body covering a wide range of professional standards. It offers ISO 27001, ISO 27002, ISO 27005, ISO 20000 and ISO 22301 training and certification services for professionals wanting to support organizations in implementing these management systems. ISO standards and professional trainings offered by PECB:

• Certified Lead Implementer (5 days)
• Certified Lead Auditor (5 days)
• Certified Foundation (2 days)
• ISO Introduction (1 day)

Lead Auditor, Lead Implementer and Master are certification schemes accredited under ANSI ISO/IEC 17024.

Rreze Halili is the Security, Continuity and Recovery (SCR) Product Manager at PECB. She is in charge of developing and maintaining training courses related to SCR. If you have any questions, please do not hesitate to contact: [email protected].

For further information, please visit www.pecb.org/en/training
