When it comes to cybersecurity, the lines of communication within an organization, where they exist at all, are often a mess. Conversations about cyber risk take place across many divisions, each in isolation. At the same time, members of the C-suite measure the potential impact of those risks with different metrics (financial, regulatory, technical, operational), which produces conflicting assessments of the same exposure. CEOs must close these gaps by creating a culture that promotes open communication and transparency about vulnerabilities, and collaboration across functions to address them.
Why the Entire C-Suite Needs to Use the Same Metrics for Cyber Risk
Members of the C-suite often aren’t speaking the same language about cyber risk, and reporting lines reinforce the silos. For instance, the general counsel thinks about the issue in terms of compliance with information security regulations such as the European Union’s General Data Protection Regulation (GDPR). The chief information security officer (CISO) or chief information officer (CIO) reports the technical vulnerabilities that his or her team has remediated, a count of work done rather than a measure of the exposure that remains. The chief risk officer (CRO) frames the problem in terms of risk transfer and the cyber insurance that has been purchased. Each view is valid on its own terms, but none of them can be compared with the others, so this lack of communication and coordination across functions makes it very difficult to assess the impact of cyber risk on the business as a whole, or to create any common metrics for doing so.

There are several steps CEOs should take to create a common language around cybersecurity in their organization. First, CEOs should bring together the different members of the C-suite so that all stakeholders are communicating with one another. Second, they should create a culture that encourages employees to speak openly about cyber-risk exposure. And third, CEOs should prepare for cyber attacks in advance so that everyone knows what to do when one occurs.