Cybersecurity leadership can’t be delegated

Cybercrime is on the rise and bad actors are always looking for new targets. Your organization needs leadership who appreciates this new business risk and who understands that you are ultimately responsible for your cybersecurity.

Since senior leadership – a board of directors, for example – has the fiduciary responsibility and oversight for managing risk, establishing the organization’s commitment to cybersecurity to address this new breed of risk starts at the top. Senior leaders need not become cyber experts, but should be actively engaged in prioritizing security and should have visibility into the security posture of the organization.

Regardless of who is responsible for performing actual cybersecurity tasks – be it in-house staff, third-party providers, or a blend of both – the ultimate responsibility for cybersecurity risk is non-delegable and rests with your organization’s senior leadership.

Today, we all have close digital ties to our partners, customers, and providers. These ties, the “business supply chain,” enhance the real-world relationships that make us all stronger, but they also provide opportunities for bad actors to navigate from one target to the next. This means that if one of us experiences a security failure, then all of us in the chain are put at risk.

To address this supply chain risk, private companies, governments, and industry groups are requiring better cybersecurity practices of their partners. Your leadership needs to have an accurate view of your cyber hygiene and the threats you face, along with your compliance obligations to your partners and any relevant regulatory regimes.

One way your leadership can begin to understand the basic aspects of cybersecurity and how to meet your cybersecurity and resilience goals is to evaluate your cybersecurity practices against a commonly accepted framework, such as the NIST Cybersecurity Framework. The NIST framework is published by the U.S. National Institute of Standards and Technology (NIST) and is composed of 5 areas: Identify, Protect, Detect, Respond, and Recover.

An organization that is committed to cybersecurity should consider adopting the recommendations in each of these areas.

To summarize, the ultimate responsibility for your organization’s cybersecurity lies with your senior leadership. While security functions can be delegated, risk cannot. It’s up to your leadership to understand your cybersecurity needs and to recognize your security role in your business ecosystem. Leaders need to take the necessary steps to adopt policies, procedures, and practices that meet your needs and obligations; and to communicate these security expectations and requirements to your workforce, partners, customers, and providers.

Editor’s note: John Burgess is the chief security officer and president of Mainstream Technologies, Inc. The opinions expressed are those of the author.