Information Security: 6 Reasons Why the C-Suite Has To Be Involved
It used to be that information security was strictly an IT department concern.
But with such far-reaching financial and other consequences, data breaches have been elevated to the board level by many industry experts. They maintain that all senior executives should understand – and clearly steer – information security in the workplace today.
There’s still a long way to go, according to the 2015 Global State of Information Security Survey by PWC. Fewer than half (42%) of respondents said their board “actively participates in the overall security strategy” while 36% say the board “is involved in security policies”.
Here’s why the C-Suite should be involved.
- Risk of a data breach
The 2015 Second Annual Data Breach Industry Forecast showed that the risk of a data breach is higher than ever in the workplace. Almost half of organizations suffered at least one security incident in the last 12 months. Also, a 2015 research survey of board members and C-level executives by North Carolina State University showed that ‘cyber threats disrupting core operations’ was number three on the list of top concerns.
- Stay on top of things
Information security awareness and engagement by the C-suite and board is critical to ensuring companies remain alert to the growing data breach threat. But a recent survey by KPMG showed that only 55% of board members said they understand the potential impact of losing their companies’ key information and data assets while 65% said they rarely or never reviewed the risk of management around valuable company information.
According to the Data Breach Industry Forecast, business leaders are being held directly accountable for big data security by stakeholders, regulators and consumers. The forecast concluded: “Decision-makers in the C-suite level should have an active role in preparing for a data breach and how to respond."
- Someone Has To Be In Charge
Appointing a Chief Information Security Officer (CISO) is recommended. Also, according to the 2014 2nd Annual Study on Data Breach Preparedness by Ponemon, more senior executives and board members should be involved in data breach response planning. Only 29% said their company’s board of directors, chairman and CEO are informed and involved.
- Crisis response
The Ponemon research showed that incident response planning is critical to a company’s data protection and security strategy. It can reduce overall costs and help keep the trust of customers and business partners. Ponemon recommended that the board of directors, CEO and chairman play an active leadership role in helping their companies prepare for and respond to a data breach.
- Not just about technology
While up-to-date IT tools provide critical protection, a combination of governance, culture and behavior is also important according to the KPMG survey. Managers are encouraged to lead by example – so that a culture of security occurs from the top down. There should be standard security policies such as a regular security audit, a Clean Desk Policy, and contracted document disposal for paper and digital information that is no longer needed. Partner with a recognized shredding company that provides locked consoles for the workplace, secure chain of custody processes and a certificate of destruction after every shred.
To protect confidential information, C-suite executives are encouraged to watch out for these risky workplace behaviors.