The Online Trust Alliance last week released a report analyzing recent data breaches and a guide for enterprise security best practices. While these tips may help organisations lessen the risk of a cyberattack, I think that there is one thing that companies may overlook: their leadership team.
Enterprises today have a lot to think about, and ensuring the privacy of customer and employee information has become a higher priority. Between GLBA and HIPAA regulation of security in financial services and healthcare, and growing evidence of massive industrial-scale hacking of credit card and health information, many companies have focused on protecting particular kinds of information.
However, it’s become clear that companies can't protect everything equally. As we look at Data Privacy Day, it’s important to consider the basic security hygiene for any company with an Internet connection.
More important, though, is leadership and accountability for data privacy and security at the top of the organization. The roles, responsibilities and accountabilities of Chief Risk Officers, Chief Privacy Officers, Chief Security Officers and Chief Information Security Officers are more important than turning on SSL on the company's web servers.
The CEO and Board of Directors at most companies are only now coming to understand the critical function these leadership roles serve in a modern company. Boards need to understand how company leadership discusses risk, which risks it accepts, and how it decides where to invest in controls.
The CEO needs to ensure these roles are appropriately resourced. And the leaders in these positions need to help boards and business executives understand the magnitude and nature of the risks, as well as the opportunities, of various business endeavors.
All businesses grow by taking risks – for example, investing in marketing or introducing a new product to the marketplace. For too long, the risks of unsecured systems, unenforced security policies and underfunded basic security hygiene have gone under-reported.
We have seen too many examples of large, important companies brought low by data breaches that could have been prevented. It’s time for companies to stop thinking that it won’t happen to them and to start investing in smart leadership that takes the issue of security seriously.
Todd Inskeep is advisory board member for RSA Conference