For well over a decade, CEOs have been relegating the operational, legal, reputational and competitive risks associated with cybersecurity to those responsible for Information Technology. Yet, as the recent onslaught of intrusions against retailers confirms, cybersecurity is an enterprise risk management issue that extends beyond the combined efforts of the Chief Information Officer, the Chief Technology Officer, the Chief Security Officer and the Chief Information Security Officer. Cybersecurity is the unsung linchpin of every company that has grown increasingly dependent upon vulnerable technologies, whether to communicate, to store sensitive data, or to manufacture and deliver its products and services.
Unfortunately, the pervasive attitude that cybersecurity is an IT problem rather than a C-Suite whole-of-enterprise concern likely stems from the top. As the National Association of Corporate Directors recently observed, a lack of cyber expertise on corporate boards presents a real and urgent threat to oversight. Inexplicably though, the NACD also found that “a demand for IT experience generally has not surfaced in director recruitment.” That needs to change. Simply put, thinking of cybersecurity as an IT issue is similar to believing that a company’s entire workforce, from the CEO down, is just one big HR issue.