Senior leaders ‘should be involved in IT security issues’

CEOs and senior executives must take IT security measures seriously to ensure businesses are protected from the growing threat of cyber attacks.

This is the upshot of recent analysis by global management consultancy McKinsey & Company, which outlined the importance of ensuring the C-Suite leads from the front line on cyber security issues.

The organisation said not enough is being done to protect mission-critical information assets, despite senior executives being well aware of the risks of falling short in this valuable area.

McKinsey noted that many businesses are still facing a number of obstacles, including the difficulty of changing user behaviour.

“For many institutions, the biggest vulnerability lies not with the company but with its customers,” the organisation stated.

“How do you prevent users from clicking on the wrong link, allowing their machines to be infected with malware? How do you stop them from transferring incredibly sensitive information to consumer services that may not be secure?”

Offering IT security training

One way to better educate employees is to provide comprehensive information security training; a range of courses is available to address the risks that user behaviour introduces.

According to McKinsey, pushing change in user behaviour should be a priority for senior managers hoping to build up ‘cyber resiliency’ in a modern business environment where threats are becoming increasingly common.

“Given how much sensitive data senior managers interact with, they have the chance to change and model their own behaviour for the next level of managers,” the organisation said.

Some simple steps can begin this process, including being more careful when sending documents from corporate to personal email addresses.

Senior executives must also create enough airtime to communicate to front-line staff the importance of protecting the company’s information assets.

Improve strategic decision-making

Businesses were also advised to consider cyber security risk alongside other kinds of risk. As such, they should assess the organisation’s appetite for loss of intellectual property, disruption of operations and disclosure of customer information.

Once these decisions have been made, management teams must communicate with cyber security professionals to help prioritise existing data assets and gauge trade-offs between operational impact and risk reduction.

However, effective IT governance training might also be required. McKinsey noted that regardless of how comprehensive a set of cyber security policies is, some employees may try to work around them.

“Senior management obviously needs to make sure that policies and controls make sense from a business standpoint,” the organisation said.

“If they do, senior managers then need to backstop the cyber security team to help with enforcement.”

In addition to governance, granular reporting is suggested to track how the company is performing against pre-defined targets across the IT security program.

The importance of senior executive buy-in

Research conducted by McKinsey in conjunction with the World Economic Forum showed that senior management time and attention was the most important factor in mature cyber security initiatives.

This meant it had more of an influence on success rates than company size, resources provided and industry or sector.

The data supports a similar survey conducted last year by Frost & Sullivan, in which 69 per cent of respondents confirmed their CEO is now a decision maker regarding IT security issues.

Senior executives from across south-east Asia were polled, with 40 per cent stating the chief executive is the central decision-maker on such matters.

Edison Yu, associate director, ICT Practice, Frost & Sullivan Asia Pacific, said: “More and more firms are realising that security is not the remit of the IT department alone.”

“The impact of a security breach on business is real and broad, and management wants to be proactively involved in preventing it.”

Arm your team with a CISSP certification

Are you an IT professional ready to advance your expertise? Or are you a senior executive who wants your IT team to have the most up-to-date qualifications? Sign up to ALC Training’s CISSP course, a comprehensive 5-day course for IT professionals. Our CISSP training covers the 8 domains of the CISSP Common Body of Knowledge to prepare you for the CISSP exam.