Cybersecurity is the responsibility of everyone in an organization, but some positions have more responsibility than others. The C-suite has a unique role in establishing and maintaining the organization’s security culture. Employees align their behavior to signals from leadership, for instance, when determining if security protocols should be sidestepped to meet an important deadline. An executive team that prioritizes security training and communication can make the difference between a workforce that practices cyber hygiene and one that doesn’t. Beyond setting the tone for the rest of the organization, executives themselves are prime targets for cyberattacks.
In the Crosshairs
C-level executives usually have access to an organization’s most sensitive data and wield significant authority, putting them at high risk for targeted social engineering attacks, such as whaling and executive impersonation fraud. The Verizon 2019 Data Breach Investigations Report revealed that social incidents targeting the C-suite had increased 12-fold from previous years. Additionally, in a 2020 survey, 78% of IT decision makers reported that, among their organization’s workforce, C-level executives were the most frequent targets for phishing attacks; moreover, 71% believed that executives were the most likely to fall for these attacks. In the same survey, more than three quarters of executives admitted to bypassing a security protocol to get something done faster. Is the C-suite the weakest link in an organization’s cyber defense?
Closing the Gap Between the C-Suite and Security
There’s a perception among many security teams that executives believe they are above security protocols, but that may not be the real reason for executive non-compliance. Senior executives frequently do see cybersecurity as a priority and recognize their personal responsibility to contribute. However, too often they are poorly served by one-size-fits-all security training and policies that don’t account for the unique risks and needs at the executive level. Most executives don’t have time to attend all-day training seminars that may not pertain to their role, and complying with organization-wide restrictions on mobile device usage may be unrealistic for a globe-trotting CEO who is constantly on the move.
Providing role-based cybersecurity training, tailored to the specific needs of a diverse workforce, can help bring security compliance into the C-suite. Role-based workforce development training has the added benefit of building security expertise among internal IT teams, an effective means of bridging the cybersecurity talent gap. Leadership that models security awareness and compliance, supported by internal security experts and well-defined policies, is critical to developing a cyber-aware culture that embraces security at all levels of the organization.