As CEO, make sure you 'feel good' about your cybersecurity

Cyber attacks can cause major damage to all kinds of business processes, but they can also seriously damage confidence in organisations. As CEO, you want to feel that your organisation is well prepared. For example with the recent Log4j threat. So that you can confidently show supervisors, customers and other stakeholders that your organisation is as well protected as possible against damage.

In this context, being well-prepared means that there is a good chance that those responsible within your organisation will discover a hack quickly and they will act appropriately to plug leaks and prevent further damage. To ensure this, the following five steps are important:

• Define an unambiguous strategy
  Policy starts with a clear dot on the horizon: the ambition when it comes to cybersecurity. Where do we want to stand as an organisation in relation to our peers and to what norms and standards do we want to conform? This is a topic that obviously does not stand alone, but must be seen as part of the organisation's overall digital strategy. 
• Organise governance with ‘checks and balances’ and different ‘lines of defense’
  In this context, good governance does not mean entrusting the subject to one person or department. Compare it to financial management: this is not only done by controllers who report to the CFO. There are also 'extra eyes' involved, such as risk management and the internal audit department, which have their own reporting lines. Such checks and balances and different lines of defense are also needed in the governance of cybersecurity. External assessments of the processes and systems are also part of this: a fresh look often discovers further possibilities for improvement.
• Encourage a culture where people hold each other accountable
  People are the biggest security risk. They make mistakes and errors. No one wants to click on a link in a suspicious email, but it sometimes happens anyway. You can secure everything in the office, but if someone leaves a laptop in the car that is then stolen, it immediately creates a security risk. It is extremely important that people are open about this. That the culture is so safe that they immediately report these mistakes or other risky situations. And that they hold each other accountable for it.
• Integrate cybersecurity into all processes
  I often see organisations working in silos. As a result, cybersecurity is on the agenda of the IT department, but not, for example, on the agenda of the people involved in product development or the internal business processes. Collaboration between different departments ensures that digital resilience is on everyone's agenda and contributes to processes and products that are 'secure by design'. With this, organisations can really distinguish themselves.
  
  Breaking through silos in this area also prevents IT departments from coming up with technological security solutions that are so user-unfriendly that no one wants or will use them.
• Test your cybersecurity regularly
  Make sure that cybersecurity is tested regularly, that simulations are done on your systems. Hackers are constantly innovating. Moreover, an IT infrastructure changes after, for example, the introduction of a new system or an acquisition, when existing systems are connected to each other. Also consider the connections to other, new parties such as suppliers. So simulate a crisis and see if you are able to respond adequately. Not just from a technical point of view: ultimately this is teamwork and by training well, your organisation will be much better prepared.

The five points above have one common denominator: cybersecurity is not the problem of one department, but of the entire organisation. And when the whole organisation cooperates on digital security, the CEO gets more context and more grip as well as more comfort in being able to answer the question: are we doing the right things and are we doing them well enough? It also ultimately leads to better decisions on all digital investments where security is integrated from the very beginning.