The Role of Executive Training in Building Cybersecurity Culture

Can extending security awareness training to corporate executives help to build a culture of cybersecurity and increase cyber resilience? A recent Wall Street Journal survey suggests that may be the case. The survey found that providing cybersecurity training to executives was correlated with other measures of the company’s preparedness against cyber risks.[1] For example, companies that conducted tailored executive-level training were more likely to have identified and protected critical data (84% over the 72% average), and to have an incident-response plan (84% over 70%).2

Because the company’s leaders set the tone for the entire organization, training top executives may not only help them gain a better understanding of cybersecurity but also help to seed a “security-first” mindset throughout the organization.[2] “Building a culture of cybersecurity involves transforming the way everyone works, the way leaders lead, the way processes execute, and the way issues are managed,” according to a research paper by MIT Sloan. “At the heart of a culture of cybersecurity is getting every employee to execute their day-to-day activities in ways that keep the organization as secure as possible.”[3]

Cybersecurity as a Business Imperative

Despite the fact that the risks posed by cyber-threats have become much more widely recognized, cybersecurity is still often viewed as a technology problem that’s the sole responsibility of the organization’s technology team, says Keri Pearlson, executive director of the cybersecurity program at MIT Sloan. In fact, it’s a business problem—and a busines imperative, she said. “You have to see it as a risk management, finance, strategic, prioritization, and resource management problem. That’s an executive discussion.”

“Some people believe the technology keeps them secure: ‘someone will tell us what we’re allowed to download’. That’s not good enough,” Pearlson says. “Security is everyone’s responsibility. But how do you make it everyone’s responsibility? That’s the question.”

As cybersecurity experts Thomas Parenty and Jack Domet note, CEOs have a personal stake in cybersecurity too, because they’re often blamed if there’s a major data breach or ransomware incident.[4] The authors argue that even though executives don’t need to become security experts, they should develop a working knowledge of the biggest threats to the business, the company’s defenses, and how to respond to attacks.

Enhancing executives’ understanding of cybersecurity can also help them understand where they need to allocate funding. “The CEO doesn’t need to know how the firewalls work, or that blockchain makes them safer. The CEO has to know ‘how secure are we, how do we make sure we are secure, what is our risk right now, and how do we mitigate that risk,’” says MIT Sloan’s Pearlson.

Practical Exercises for Executives

Michael Coden, head of the technology practice at consulting firm BCG Platinion, believes executives should learn which behaviors lead to breaches—including the fact that most successful cyberattacks are caused by human errors such as clicking on a link in a phishing email.

He also suggests that executives should ask questions about which data is most critical to the company, and who has access to it.

“Executives ought to carefully manage the privileges of their employees,” Coden says. “Do they really need access to that data? Which data do they need access to?”

Coden says table-top exercises in which executives work in teams on solutions to real-world cyber threats are very helpful. Executive training on the company’s key applications and technologies can also help make leaders more aware of what employees need in order to do their jobs safely. For example, if executives realize that the company’s approved file transfer methods are cumbersome, they may also understand why employees avoid using those methods—and that the company needs a better solution. 

Increasing Security Awareness Across the Entire Organization

Of course, creating a strong cybersecurity culture also involves training the entire workforce to increase their security awareness and change their behavior. “Employees need to know when they see something funny, investigate it. A breach could be something as innocuous as a phone call or a text asking you to send gift cards,” Pearlson says.

She suggests that organizations launch communications and social media campaigns to get the message across to employees. “You need to demonstrate why cybersecurity is important to make someone value it,” she adds. “You want everyone in your company to be a security ambassador… if you see something, say something and do something.”

Best Practices for the Cyber-Savvy CEO

Experts suggest a range of best practices for cybersecurity-aware executives:[5] [6]

• Being prepared for cyberattacks takes focus and consistency. Conduct scenario planning, mock drills, table-top exercises, and create protocols for handling crises.
• Ensure technical responses and properly trained teams are in place to respond to an attack. Establish a cross-functional incident response team comprised of senior executives, IT staff, cybersecurity specialists, communications team members, and even law enforcement.
• When a breach occurs, get a rapid understanding of how the scheme worked. Have an understanding of how prior attacks worked and the company’s responses at the time. Track what worked and what didn’t and why.
• Identify the various kinds of attacks and prior damage. Determine patterns, common themes, and scenarios for cyberattacks.
• Develop a stress-tested business continuity plan in the event of a crippling cyberattack that damages key systems.
• Measure the financial and reputational hits of cyberattacks to the company. Track the legal implications and the company’s regulatory obligations.

The Bottom Line

Creating a strong cybersecurity culture, through techniques such as awareness training, is critical to building cyber resilience. Educating executives about cybersecurity issues may help to instill that culture throughout the organization.  

[1] “Which Industries Aren’t Ready for a Cyberattack?,” WSJ Pro Research

[2] “The Cyber Resilient Enterprise: Four questions every CEO must ask to build a cyber resilient business,” Accenture

[3] “Cybersecurity at MIT Sloan: Framework for Building a Culture of Cybersecurity,” MIT Sloan

[4] “The CEO’s Role In Preventing A Cyber Crisis,” Chief Executive

[5] “A CEO’s 5 Golden Rules in Managing a Cybersecurity Crisis,” Security Roundtable

[6] “The CEO’s Role In Preventing A Cyber Crisis,” Chief Executive