The cybersecurity landscape is evolving rapidly, presenting significant challenges for businesses of all sizes. Small to midsize businesses (SMBs) are particularly vulnerable to cyber threats, so CEOs need to treat cybersecurity as a fundamental part of their business strategy. In this article we explore the CEO's role in cybersecurity and how to integrate security into the overall operating plan.


Listen to our latest episode of Stimulus Tech Talk to hear Stimulus Technologies CEO Nathan Whittacre explore the CEO's role in cybersecurity.


Understanding the CEO's Role in Cybersecurity

The Current Cybersecurity Landscape

The digital realm is fraught with risks, from external threats like data breaches and ransomware attacks to internal vulnerabilities such as employee negligence or insider threats. These threats evolve continuously, so staying ahead of them is an ongoing challenge for businesses.

Prioritizing Cybersecurity in Business Strategy

CEOs juggle multiple priorities, from growing the business to ensuring customer satisfaction and compliance with regulations. Amidst these competing demands, cybersecurity often takes a backseat. However, neglecting cybersecurity can have devastating consequences, far outweighing other business concerns.

Incorporating Cybersecurity into Business Decision-Making

Setting the Vision for a Secure Culture

As the leaders of their organizations, CEOs play a pivotal role in setting the vision and direction for cybersecurity. They must foster a culture of security awareness and resilience, where every employee understands their role in safeguarding sensitive information.

Collaboration with Technology Professionals

While CEOs may not be cybersecurity experts themselves, they must collaborate closely with their technology teams or external providers to implement robust security measures. This includes regular discussions on security strategies, updates on emerging threats, and proactive measures to mitigate risks.

Addressing Budgetary Concerns for Cybersecurity

Allocating Resources for Security Measures

Budgeting for cybersecurity is essential but often overlooked. CEOs must allocate adequate resources to security technologies, employee training, and ongoing assessments, which may mean setting aside a dedicated line item in the budget for cybersecurity initiatives.

Balancing Security Needs with Business Priorities

Finding the right balance between security needs and other business priorities is crucial. CEOs must assess the potential impact of security investments on business operations and weigh them against the potential risks of a security breach.

Keeping Up with Evolving Threats and Technologies

Staying Informed and Educated

CEOs must keep up with the latest cybersecurity threats and technologies in order to make informed decisions. This may involve attending industry conferences, participating in webinars, or engaging with cybersecurity experts to stay abreast of emerging trends.

Leveraging Expertise for Strategic Decision-Making

CEOs can leverage the expertise of their technology teams or external providers to guide strategic decision-making. By tapping into their knowledge and insights, CEOs can make informed choices that align with their business objectives while mitigating cybersecurity risks.

In conclusion, cybersecurity is not just an IT issue; it's a business imperative that requires the active involvement of CEOs. By understanding their role in cybersecurity, prioritizing security in business strategy, and collaborating with technology professionals, CEOs can effectively safeguard their businesses against cyber threats in today's increasingly digital world.

Book a discovery call with us today so we can start building your technology action plan for your business.


Stimulus Tech Talk: Navigating The CEO's Role in Cybersecurity transcript

Intro  00:00

You're listening to Stimulus Tech Talk, a conversation-based podcast created by Stimulus Technologies that covers a range of topics related to business and technology.

Sherry Lipp  00:15

Hello, and welcome to Stimulus Tech Talk. I'm Sherry Lipp, marketing manager at Stimulus Technologies. And I'm here with Nathan Whittacre, the CEO of Stimulus Technologies. Today, we are going to be talking about the CEO's role in cybersecurity. Welcome, Nathan.

Nathan Whittacre  00:32

Hi Sherry. Welcome everybody to the podcast today.

Sherry Lipp  00:35

So, Nathan can give us a unique perspective, being both a CEO and a provider of cybersecurity as a service. So to get started, can we talk a little bit about the current cybersecurity landscape and the role of the CEO in that?

Nathan Whittacre  00:55

Sure. So, you know, you've probably read in the news periodically, you've heard on this podcast a number of times, you know, especially if you're a small to midsize business owner, there are significant threats to your organization from cyber attacks, and this comes from both external and internal to the organization, you know, attacks such as bank fraud, you know, an employee accidentally wiring money to a hacker; it can come from ransomware, where all your files are encrypted, and you have to pay a ransom to get it back. It comes from, you know, email, is email compromised, which leads to these other attacks. It could come from, you know, a number of different things. I mean, there's so many ways, so many threats to organizations today that are constantly changing and constantly evolving. And the problem is, as small businesses, we are more worried, on a day-to-day basis, about, you know, producing our product or service that we offer, ensuring that our customers are taken care of, dealing with competition, or government regulations, or tax filings. You know, there's just so many competing things that are in our minds as business owners, that, you know, one more thing is just sometimes too much. And unless it's like yelling at us that day, we often put it on the backburner. The problem is, if we put this issue on the backburner for too long and don't do something about it, the repercussions of not taking action are much worse than even some of these other things, you know, a cyber attack or a wire fraud or something like that can be far more devastating than a new competitor moving into your market. So I get it as a CEO. I mean, I'm inundated all day long. Everybody, you know, wants something from me, or, you know, it's important for me to be involved in growing the business and all aspects of the business. But even as a technology CEO, this is something that I have to focus on inside my company, and then also focus on it for my clients.
So, you know, I do have this unique perspective, you know, operating a business and trying to protect our clients at the same time, and it is a daunting task. And it's something that I know, it keeps me and our team up at night often thinking about, you know, all these different ways that these cyber criminals are trying to, you know, take down our business or, you know, make profit off of our business in ways that we don't want to involve them.

Sherry Lipp  03:44

And, you know, with as with juggling all these things, how does a CEO prioritize, you know, make cybersecurity a priority?

Nathan Whittacre  03:53

I don't think it's something that you have to deal with every day. But it's something that should be a periodic discussion with your technology professionals; you as the CEO are most likely not going to implement these security measures inside your company, you do need to be part of the design and the business processes of what that means to your company. But it's not going to be you that's implementing them. I mean, in all seriousness, unless, you know, you're a couple-of-man shop and that's, you know, that's what you've got to do. But I highly recommend relying on experts to assist you in this. I mean, this is something that Stimulus Technologies does for our clients; if you have your own vendor on the technology landscape, you know, talk to them, see if they offer managed security services, but it isn't generally your IT person, you know, IT and cybersecurity are different skill levels, skill packages for the providers. So, same thing, you know, you wouldn't ask the person that's changing out the engine in your car to paint the car, you know, it's a different skill level, even though you're working on similar technology. So, you know, work with your provider, I would say, having a quarterly discussion with whoever's handling that technology inside your organization, or when dealing with an expert. I also recommend having a discussion with your insurance providers, because they're a key part of this, you know, at least annually, as you're doing your insurance review, to make sure that you have the coverages available, but you know, a quarterly discussion with your technology team, and that should include your IT provider, your security provider should be in that discussion, see where you're at as an organization, and then maybe a little bit more detailed discussion annually to see if there's anything that you need to do inside your organization from an annual perspective and the changes you need to make and implement for the next year.
I just did a workshop this last week, and I offer these workshops now to organizations. So we talked about, you know, the shift in the mindset of the culture inside the organization to be a secure and innovative culture. And that's really the job of CEOs, to set the vision and the direction for the organization. So as CEOs, we're not necessarily implementing things, but we're setting the vision and direction. So you know, it's important, if you're listening today, to learn what you need to do to implement the security, and then contract or work with experts that can help you implement those things.

Sherry Lipp  06:43

And, I imagine, you know, the approach might be different depending on the size of the business, or whether you're gonna hire, like, an internal... you might have, you know, a chief technology officer or chief security officer, cybersecurity officer, or maybe outsourcing. So how much do you think a CEO is... but the bottom line is going to come down to them if there's problems, so how involved should they be in the decision making process?

Nathan Whittacre  07:09

Again, I think it's important for the CEO to have an idea of the information of what's out there. So you know, you're not, as a CEO, gonna know all the details. I mean, there's just, it's impossible. I mean, unless you're a very small organization, you're not filing your own tax return, you're not, you know, maybe doing all your insurance paperwork, you're not, you know, doing everything inside the organization, you're relying on experts to help you with that. So, but you have to know enough about taxes, you have to know enough about, you know, renting a building, enough about legal, you know, reading a contract, to at least make well informed decisions. And so you're listening to this podcast, and so that's a good start to understand what those decisions are, what needs to be made. So, you know, implementing, as we've talked about in here, security measurements inside your organization to protect against, you know, those bank fraud, you know, email compromises, by implementing multi factor authentication on your network. So you should know what multi factor authentication is, maybe not how to implement it, but you know, know that you need that, as an organization, know that you need, you know, the right insurance protection, your cyber liability coverage, or employee theft, your errors and omissions, professional services insurance, those type of things, and what those insurance companies require to get that insurance, and maybe, you know, implementing MFA is a basic requirement, and might be implementing that next generation antivirus, and might, depending on the size of your organization, implementing a security operation center to monitor all your systems.
So really, I think starting with, you know, where you're at, and implementing a little bit along the way, but, you know, work with those experts and take their recommendations and do a little implementation at a time to improve the security inside your organization and create this mindset around, you know, continuous improvement, and development of a strong technology, culture inside your organization is essential.

Sherry Lipp  09:26

And how do you think as a CEO, you know, we've talked about a lot that cybersecurity isn't just set it and forget it, and it's not just one person? How does a CEO kind of foster that culture of cybersecurity with their team?

Nathan Whittacre  09:41

I think again, going back to the constant discussion, it should be on the agenda. In my opinion, you know, of course, this is coming from a technology person, but it should be on the agenda at least quarterly. In your reviews inside our organization, for example, we use EOS, which we've talked about on this podcast. And you know that EOS has a cadence of business planning quarterly. If you do it annually, then, you know, have this discussion annually. What if you're a sole entrepreneur and, you know, maybe you do your own business planning annually? Sit down and just add it as an agenda item. And that's really the start of setting this culture: it's, you know, just awareness. And, you know, making sure that it's a part of the general agenda of the company, you know, if you're setting budgets, you know, that's the finance side, if you're setting, you know, operational efficiency, you know, that's the ops side, if you're, you know, then technology, cybersecurity should be part of that. In larger organizations, I think you mentioned this before Sherry, a minute ago, you know, larger organizations have a chief technology officer, they have a chief information officer, and they have a chief security officer, usually, there's three people on the C suite that oversee those parts of the business. And small organizations can't necessarily hire, you know, the vCTO or the CTO, CIO and CSO. And so we had a V at the beginning, I messed that up when I said that, because, you know, it's relying on these experts that are virtual chief security officer or virtual Chief Information Officer, that can assist you in making these decisions. So at Stimulus we have quarterly business reviews, quarterly business technology reviews with our clients.
And in those we discuss the ongoing projects, the business things, you know, business goals that they have inside the organization, and how we, as a technology provider, can help them implement that, whether it's new software packages, in, you know, migration to the cloud, whatever it may be, you know, that's the Chief Technology Officer hat or virtual CIO, virtual CTO, but there's also a discussion we could have, as a program of virtual chief security officer, that we could discuss with the CEO, with the leadership team, or the organization, security mechanisms that they should be putting in place, whether that's, you know, an annual security assessment, security posture assessment, maybe it's an organization that you need to have an ongoing assessment that's reviewing your systems constantly. And so, you know, having that discussion with us, then you can implement those things down the road. So that's something that we offer as a company at Stimulus; if you don't have that in place, that's, you know, we'd be happy to have that discussion with you.

Sherry Lipp  12:50

And how do you approach, or how would you advise somebody to approach, determining their budget for security and their, I guess it would kind of be their needs and their budget?

Nathan Whittacre  13:02

That's a tough one, because I find a lot of small businesses, one, don't budget very well to begin with. So that's, you know, putting a budget together with a line item for technology. And then, you know, for security, I think, is a start. Also, you know, just kind of a broad range, you know, basic security mechanisms in place inside the organization should be budgeted somewhere between $15 and $25 per user per month; more advanced cybersecurity costs upwards of $50 to $75 per user per month. And that's, you know, tools and management and everything that's on there. So, you know, just to give you a rough idea of what those security technologies cost, you can just multiply that rough number that I just gave you per user. And that should be about what you're spending on security, whether you're implementing it in house with your own tools, or using an outside vendor; that's what we're seeing in the marketplace. You know, big enterprises might be spending over $100 per user per month for their security systems. And, you know, that adds up pretty quick, but that, you know, that's adding labor, internal tools, from an external, you know, security operations center. And depending on the compliance needs also of the organization, the cost could go up. So, you know, compliance plays a part of this, too, if you're an organization that has high regulatory burden. Maybe you're a defense contractor, or you have HIPAA, or you're under the FTC safeguards rule. Your costs may go up, also, because you need outside audits as part of it. But that's a rough budget, somewhere between $15 to $50 per user is kind of a rough number we'd use.

Sherry Lipp  14:59

And have you found, when we do assessments, that there are expenses that people weren't expecting, or upgrades or needs that they weren't expecting?

Nathan Whittacre  15:11

You know, when we go into, you know, a potential client or prospect, you know, we often find the security is very neglected. And that's why they're contacting us, they might have had a ransomware event or some type of other security event that happened. And their IT provider dropped the ball. And honestly, it wasn't because the IT provider dropped the ball, it's because the IT provider wasn't providing security, they weren't a managed security provider. And so what we often find is updates not being run on systems properly, you know, their Windows versions are old, they might have old equipment, their firewalls aren't up to date, they might not have antivirus, or next generation antivirus, on all their systems. And so we find all these little holes along the way. And, you know, there's best practices that we recommend, we usually bring in a third party assessment company that reviews the work that we're doing, and provides us a recommendation from even another third party. And that helps us to say, you know, this is not what we recommend, but this is what this security expert recommends that you implement inside your system. And this is how we can help you. But we often find, like I said, just, you know, little things here and there. And it's really easy, you know, just looking at the chain of events that occurs that, you know, produces a wire fraud or a ransomware attack: you know, it's usually one email account that didn't have MFA turned on, hacker gets into that account, monitors it for, you know, two to six months, and sees where the email traffic is going, you know, what's going on, maybe impersonates the vendor or impersonates a client, and gets somebody inside the organization to do something they wouldn't necessarily do. It's a social engineering attack. And that's the kind of stuff that happens, it's a long term play by these hackers.
And it's because something wasn't done right inside the organization, because nobody was monitoring it. So that's the kind of stuff that we find, and we're just finding that the IT providers aren't staying on top of this stuff as much as they should.

Sherry Lipp  17:30

And when it does come to a breach, you know, we've talked a lot about the response and what people what people should do in general, but what role does the CEO have, specifically, when it comes to a security breach, or post breach?

Nathan Whittacre  17:44

It all falls on their shoulders just like everything else, you know, that's really what, you know, the problem and the good thing about being the CEO, you know, it's often said that it's lonely up top, and it really is, because in the end, the responsibility does fall on the captain of the ship, the CEO of the organization. So, you know, you're, as a CEO, responsible for any attestation you sign, you know, for an insurance company or for your credit card for PCI compliance, things like that, all those things, you're guaranteeing as the owner of the company, or the CEO of the company, that that is true, and when something like a breach happens, your employees, your customers, your vendors are going to be looking at you saying, why didn't you provide the guidance to the organization to make sure that those things happen? You know, I often share a story, when I do these webinars, about a small business owner a few years ago, that was in the news, and it was a small business, you know, call it a few million dollars in annual revenue. So you know, decent sized small business. And, you know, they had a breach, and part of that breach, they were also investigated by law enforcement for that breach, and all their equipment was taken. And so they were put out of business by law enforcement to help them resolve this breach issue, because, you know, they needed to get in there and figure out what occurred, and so, you know, this company lost, you know, millions of dollars worth of revenue by being down for months, and then the reputation loss, and eventually put him out of business. And you know that's not a story that I want to ever share on this podcast about somebody, you know, that I know personally, that that happened to.
I do know people personally that have had, you know, they've been victims of wire fraud, that have lost hundreds of thousands of dollars because an unsuspecting employee wired money outside the organization to what appeared to be your legitimate vendor but ended up being a hacker. And man, it just like, just thinking about it, it just makes me upset. I mean, it makes my blood curdle to think that these hackers are getting away with, you know, hundreds of thousands of dollars, and you know, people that I care about. And I just, you know, I want to protect, you know, my friends, my clients, you know, the people that I work with, and it and, you know, I can't strain enough to say this is stuff that we have to do as CEOs to protect, you know, our longtime investment. I've been in business for, you know, 28 years now, I'm sure you've been in business for a very long time, whether it's a year or 50 years, you know, it's a long time to you. And that investment, that time, that energy, you don't want to waste it on a hacker or, you know, a bad employee, or an employee that doesn't know what they're doing, making a mistake that cost you your business, and then it costs your employees their livelihood, it costs your customers, you know, time and energy switching vendors, it just ruins the marketplace. So that's the last thing I want to have happen to you. And so I implore you to, you know, make sure that you're protecting your companies, you're setting that vision in place, to have that mindset that, you know, you are responsible for securing your company and preventing those risks from happening to your enterprise.

Sherry Lipp  21:28

And if you have, let's say, in those, you know, there's breaches, and there's mistakes, but what if you have an employee that's committing a cyber crime by your equipment, or if you're not aware, and you didn't make yourself aware of what they're doing? Are you in trouble, too?

Nathan Whittacre  21:46

That's highly possible. You know, again, in that case, I would recommend ensuring that you have that employee theft insurance in place, and that you're doing proper backup, background checks on your employees, if I can say it that way, right. You know, ensuring that, you know, your employees are doing what they should be doing, and have the monitoring systems in place. But you know, you can't be perfect all the time. I mean, we're reaching maybe 95 to 99% on securing organizations, even with all the tools in place, so you could have that rogue employee that's getting around those things. But if you're doing everything possible to ensure the organization is safe, you have the right insurance, you have the right security tools, and you're doing everything possible, and you still get the breach, your insurance company is going to help protect you, they're going to come and pay for that. And they're going to help pay for the mitigation, remediation, all that, to ensure that your livelihood stays current; it's just like, if you have a fire in your building, and you did everything, you had your fire protection systems, you kept up to date on your, you know, your water and all that and all your protection systems, here in Chicago, your insurance company is going to come and rebuild your building for you. And that's what this insurance is there in place for. But you have to do all those things first for your insurance company to protect you. So, you know, it's not impossible for that to still happen. But I think it's less likely for that to happen if you're doing all the right things.

Sherry Lipp  23:25

And, you know, from a CEO perspective, you know, from your perspective as a CEO, how do you incorporate cybersecurity when you're making decisions about other aspects of your business? And where does cybersecurity like play a role is it in accounting is in everything?

Nathan Whittacre  23:44

I'll share a quick example with you right now. We're implementing a couple of new systems inside our organization, trying to streamline our business processes. And one of the vendors, you know, was doing an implementation and requested full access in between two of our systems. And, you know, it's just, it was a quick thing to do, a little button to say, oh, allow full access. And it was, you know, without the mindset of saying, hey, wait, what am I doing to allow this third party system full access into one of our critical systems in our organization? What implications does that cause? And, you know, that's the kind of question that you should have, is, you know, are the things that I'm doing going to cause additional issues down the road, and ensure that your team understands that, you know, if a vendor tells you to do something, don't necessarily do it, you know, have those questions answered to ensure that your systems are safe and protected. Because, you know, vendors don't really care about your company as much as you do. I'm sure even your employees, they may really care about your company, but you as the owner care more, or CEO, you care more, because that's, you know, that's your baby, that's what you built up, that's what you live for every day. So just having that mindset of, you know, not just doing things by default because somebody tells you to do them, you know, a vendor says it or an employee says to do it, you know, ensuring you're questioning the actions of others. And again, maybe a little paranoia, but instill that in your team to question that and say, is that the thing that's gonna keep me protected down the road, because there's so many things that can happen, you know, without putting these protections in place.
And I think, whether you're the CEO during the implementation, or you're overseeing the team, and you have a, you know, Chief Operating Officer, somebody that's, you know, in kind of that role of operations, or finance or whatever, over those organizations, make sure they're questioning those things and have a little paranoia, especially when vendors are doing things. So just a quick story, you know, that I see that, you know, way too often, that, you know, these changes can cause disruption inside your organization; it scares me, you know, as a CEO, thinking about what everybody's doing. But we try to have that conversation often to ensure that things are protected. And everybody understands that this affects the entire organization and can cause major issues if not taken care of. And, you know, whether it's finance, whether it's operations, whether it's, you know, your technology side, you know, they're all interlinked, and a lot of times are interlinked through technology.

Sherry Lipp  26:48

And if somebody, like if one of our clients, is asking, they can call us and be like, we have vendors wanting access to these systems, so we would help guide them through.

Nathan Whittacre  26:59

Yeah, certainly. So if you have a vendor, I always recommend this, if a vendor is trying to do something, whether it's, you know, as simple as switching out, you know, the modem to your internet service, or something as complex as implementing a new ERP system, contact us first, have us involved in the process so that we can ask those questions of the vendor; don't just do it by default, don't do everything the vendor says. Let us be the bad guys and say no, because, you know, we want to ensure that you're protected. And we're happy to have those conversations and keep you protected. So it's definitely something that we can help you out with.

Sherry Lipp  27:39

And what advice do you have for business owners and CEOs to kind of keep up with, you know, what's new out there and threads without it, you know, overtaking their life?

Nathan Whittacre  27:51

That's, you know, one of the things that I wrote the book The CEO's Digital Survival Guide for, is to help CEOs understand the technologies that are out there, not just from the security front, but also things that they can implement inside their company to make them far more productive. Listening to this podcast is a great start; attending our webinars; there's also, you know, plenty of, you know, the security channels and things out there that are designed around CEOs, but you've got to, you know, talk to your experts, again, you know, do those reviews with the experts inside your organization and allow them to guide you through it. But start with the book. I mean, that's what we wrote it for. And if you, you know, want some additional training inside your organization, we can assist with that, too. Feel free to reach out to me at any time, and we can set something up.

Sherry Lipp  28:39

All right, well, um, that was gonna be my last question: if somebody wants to do one of your workshops, is that something you do in person, virtual, or both? And how do they start working on that?

Nathan Whittacre  28:51

So our workshops are usually done in small groups, call it 10 to 15 executives; it's a great environment. We can do it both virtually and/or in person. So like I said, I just did an in person workshop last week. So happy to do both, again, I like to have a group of executives that are interested in this and want to learn more. And it's an interactive, about three to four hour, workshop, depending on the questions, to just give an overview of what technology is inside the organization, answer a lot of questions, you know, dispel those myths, or, you know, have a better understanding of the acronyms that are thrown out there. And really get down to the core of what you need to be doing inside your organization. So if you have a group of CEOs, if you're a part of a Vistage group, or EO, or some other type of peer advisory group, those are the type of organizations that I'm speaking to on a workshop basis. So happy to set something like that up, and feel free to contact us if you're interested in doing that.

Sherry Lipp  29:53

All right, well, thank you, Nathan. Always valuable insights.

Nathan Whittacre  29:56

Thank you, Sherry. And thanks, everybody for listening today.