Yesterday the British North American Committee (BNAC) and the Atlantic Council of the United States (a U.S. sponsor of the Committee) announced the release of a new study, “Cyber Attack: A Risk Management Primer for CEOs and Directors.”
It is important for business leaders to understand information security and privacy risks better. It is important for information security and privacy professionals to put forth effort to raise CEO understanding of information security and privacy issues. Understanding and acting upon the risks are important for the health of the business, and CEOs must understand HOW information security and privacy relate to business.
This relatively short report is written to CEOs in language they understand. It is a great document for you to give to your CEOs to help them understand how information security and privacy risks impact business.
It provides some great examples of incidents, and it does a nice job of demonstrating that information security and privacy are world-wide issues for businesses of all sizes.
I really like how the report details the common information security mistakes CEOs make. At a high level they are:
* Underestimate the scale of the problem.
* Fail to recognize the consequences for business.
* Assume that because their company is protected, their business is safe.
Yes, all these are common mistakes.
Speaking to that last point, too often business leaders believe that implementing information security measures makes them invulnerable to security incidents and privacy breaches. Anyone who understands the complexity of information security and privacy threats and vulnerabilities knows that this is far from true. It takes an ongoing effort to ensure your business leaders remain aware of risk issues.
The report also provides descriptions, again in a way CEOs can understand, of the common mistakes most businesses, as a whole, make.
I’m a big fan of using tables, flow charts and other illustrations to help business leaders understand issues in ways that words alone cannot convey. This report includes a nice table showing the common threats and corresponding effects and preventive responses CEOs and other business leaders should implement to minimize the risks of those threats. This provides a very nice talking-point illustration to use with your business leaders.
Overall this is a great report to give your CEO, and/or schedule a 30-minute meeting to discuss it with him or her. You could also put the key points into a PowerPoint presentation, along with the answers to the questions, to use at a board meeting or executive leadership meeting. And/or you could schedule several short meetings once a month to talk about one issue at a time throughout the year. Be prepared to answer the questions listed on pages 10 & 11 of the report.
You may ask, what is this BNAC?
“The British-North American Committee is a group of leaders from business, labor, and academia in the United Kingdom, the United States, and Canada committed to harmonious, constructive relations among the three countries and their citizens.”
Tags: ACUS, awareness and training, BNAC, Information Security, IT compliance, policies and procedures, privacy, risk management, security awareness, security training