out where the gaps are and how to plug them.
“This helps assess whether the team is equipped
to deal with a crisis. When the ‘boom’ comes, the
leadership team’s job is to protect the organisation
from harm by reducing the time it takes to respond
and therefore recover,” adds Hockings.
It’s also essential for CFOs to understand their
legal obligations. “The law doesn’t care that much
about what happens to you, it’s more about what
happens to other people’s data of which you
have custody,” says NDA Law senior associate
Lisa Christo.
She points out that the GDPR covers any
organisation or entity that is monitoring or collecting
information about an individual whose data passes
through the EU.
“The individual doesn’t have to be an EU resident
or citizen, their data simply has to be in the EU at the
point of collection. So you could have a Singaporean
resident transiting through Prague whose data was
collected when they filled in a form on your website
while they were on holiday. That is captured by the
GDPR. However, in the case of a Czech national
who’s in Singapore doing the same thing, it’s not,”
says Christo.
The rules contain an obligation to inform
individuals when there has been a cyber breach, and
of the information at risk, potential damage and steps
taken to address it.
“Just because you’ve had a breach doesn’t mean
you are necessarily liable for damages. If you can
demonstrate you have taken reasonable steps to
secure the data, the regulators – wherever they may
be – may not take strong action,” Christo adds.
It’s important staff are aware of their cyber
obligations, because breaches often happen as a
result of a mistake rather than a malicious attack.
So build cyber into the business’s wider safety culture,
so that people give IT safety the same importance they
give physical safety.
That’s the best way to protect your business
from the threat of a cyber breach now and into
the future.
theceomagazine.com
As a result, CEOs must instil a cyber-safe culture –
and it starts with them.
Sean Duca is the Asia–Pacific Vice President for IT
security business Palo Alto Networks. He says that in
the past cybersecurity has been seen as a box-ticking
exercise rather than an opportunity to properly
protect data.
“But compliance doesn’t equal security. Over the
past 20 years, cyber challenges have grown and huge
amounts of information have been compromised. To
help prevent this, people and technology need to be
in sync,” says Duca.
“You have to get people involved in building
security as a culture. It has to start from the top. If it
doesn’t, there won’t be enough guidance about what
it really means to be secure and safe,” he says.
It might start at the pointy end, but security should
be owned by the entire business. Everyone has a role
to play, including the person greeting people at the
front door, the mailroom and finance. Cyber safety
means different things depending on the role
someone plays in the business. So it’s important to
give it context within people’s actual jobs. Says Duca:
“You need people detecting it because they are the
last line of defence.”
ACTIVE ENGAGEMENT
A cyber-safe culture involves developing a program
that motivates all employees to actively participate
in safe online practices. Individuals should feel
compelled to ensure their online practices are
performed securely at all times and also help others
to do the same.
“This is especially important given cyber has
become a critical factor in ensuring an organisation’s
overall health in terms of surviving an attack, as well
as to protect the proverbial crown jewels. Cyber
safety is a muscle that needs to be consistently
strengthened to ensure it works properly and at its
full potential,” says Chris Hockings, Chief Technology
Officer, IBM Security.
“The CEO’s role is a governance one. It’s about
being satisfied the culture is cyber safe. Cybersecurity
may be a new topic to them, but for many, workplace
safety isn’t,” Hockings explains.
The CEO must understand the critical elements
the business could face that may be terminal for
the company, as well as the impact of any downtime,
as a result of an IT breach. It’s critical to run test
scenarios that put people under pressure to work
Cyber-safe culture | INNOVATE