What should CISOs and CEOs do now?: CISOs, who have historically borne the brunt of breaches and malicious cyber incidents, should take heed of this emerging trend. “Be aware of the environment and expectations today, and where they’re headed,” Redgraves’ Tully says. “Try to get out in front of that. You need to work with your board and your executive team to get them to take these things very seriously.”And, as ransomware attacks and cyber incidents increasingly inflict damage on companies, outside investors are starting to demand more accountability from CEOs. “Companies that are providing venture capital or doing a lot of acquisitions, they’re now looking at due diligence on the cyber and privacy fronts almost at the same level as financial due diligence because of the growing importance,” Tully says.As for CEOs, they need to work more closely with their boards to plug them into the organization’s data breach and incident response playbooks. “The board needs to be drilled, practiced, and fully aware of the risk so that when it happens, they have the muscle memory and communication ability to deal with it,” OliverWyman’s Mee says. “Because without that, it’s going to go bad fast.”Boards, for their part, appear to be coming up the learning curve quickly. “Increasingly, boards take this seriously,” Mee says. “I interact with a lot of boards. Cybersecurity is consistently a top-three item. AI is probably top of the list right now for boards. But cybersecurity is too important a topic and has gained greater visibility in front of boards than ever before.”As CEOs and boards move forward, it should be clear that the data breach buck stops with CEOs and not CISOs and their security teams. “In the past, you’ve put an awful lot of burden of protection and de-risking on an individual who may have been cut from a different cloth and may also not have the power, influence, and governance ability to influence the change needed for security,” Mee says.Sullivan says, “No security team by itself can secure a company from attackers, as the company’s culture, risk tolerance, and investment in secure systems are defined collectively by the CEO.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4062724/qantas-cutting-ceo-pay-signals-new-era-of-cyber-accountability.html
