Cybersecurity is among risks under executives’ and board members’ fiduciary responsibility, says IT expert
When talking with business leaders about cybersecurity, we often hear responses like, “My IT guy takes care of that.”

While that may be true for things like the company firewall and other technical devices, the “IT guy” is not ultimately responsible for the company’s cybersecurity.

Information security and privacy are ever-increasing concerns for business leaders. Boards, CEOs, CFOs, and other executives have a fiduciary responsibility to manage business risk, which includes cybersecurity risk.

But when we tell executives it’s their job, not the job of the IT guy, we often hear the question: “How am I, without a lot of technical skill, supposed to manage security?”

Unfortunately, there is no easy answer to this question. While executives don’t need to go out and get computer science degrees, they do need to educate themselves about a few key issues.

First, business leaders need to establish company risk tolerance.

Executives must understand the cyber threat environment and determine what level of risk the company can tolerate. For a simple example, only upper management can determine if the company can survive having all computer systems down for a…