Data Breach Preparedness: Why the C-Suite Must Call the Shots
Despite high profile breaches making the news so frequently these days, PwC’s State of Security 2016 survey found that only 45% of boards participate in overall security strategy.
A data breach or other security incident can have a devastating impact on a company of any size – and an informed and involved C-suite should be an integral part of data breach preparedness and other security solutions.
Key areas where the C-suite makes a difference in information security:
Leadership: “Companies rely on senior executives to guide and protect the company, securing its future against a variety of business risks,” posted Michael Bruemmer of international services provider Experian in a recent blog. Senior executives and board member roles should be involved in receiving and reacting to regular updates on data breach preparedness and cyber security, he said.
Culture of Security: According to the Securing the C-Suite survey by IBM, the most secure organizations have created a culture of security that is embedded in the workplace from the top down. Top-down prioritization of technologies, policies, and employee education throughout the organization is critical.
Decision-making: A 2015 survey by Websense showed that 70% of security professionals believe the CEO should hold the ultimate responsibility in the case of a data breach. But according to 21% of respondents in earlier research by Ponemon, the primary responsibility for data breach preparedness is either with the CISO – or no one.
Data breach response plan: The board of directors, CEO and chairman should be instrumental in helping a company prepare for a response to a data breach. In Ponemon research, only 29% of the C-suite was informed and involved in plans to deal with a possible data breach.
Budget Approvals: The 5th annual Shred-it Security Tracker information security survey showed that C-suite executives have started to invest more in security policies and procedures. For example, over 60% of C-suite executives had a protocol for storing and securely disposing of confidential data. (Small businesses were less likely to have a protocol.) Up-to-date IT tools, document management policies and procedures, and employee work habits and behavior are all aspects of a data security budget and a protected workplace.
Cost Savings: Board involvement reduces the per-record cost of a data breach by a significant $5.50 per record. Companies pay an average of $154 per lost or stolen record, according to the Ponemon 2015 Cost of a Data Breach report.
Job Security: Another recent Ponemon survey showed that 17% of senior executives are not aware of whether or not their organizations had suffered a data breach in the last year. But recent mega breaches have shown that C-suite members and other management that are not aware of and involved in data security may lose their jobs following a data breach incident. Experts advise that all senior executives have a good understanding of the data breach response plan, new technologies, and security protocols in the workplace.
All employees, from the C-suite to the mail room, must follow best practices in data security – to protect the organization and everyone who works there.