The chairman and co-founder of for-profit educational organisation Udacity, and former VP of Google, Sebastian Thrun, is also a computer scientist who knows a thing or two about education and talent transformation.
Recently, Thrun shared his belief that the entire C-suite should be responsible for cyber security with the folks at VentureBeat.
Thrun said: The average number of attempted cyberattacks per company rose 31% between 2020 and 2021, according to Accenture’s latest State of Cybersecurity Report. With 70% of organizations including cybersecurity as an item for discussion in every board meeting, and 72% of CEOs stating that strong cybersecurity strategies are critical for their reporting and trust to key stakeholders, it’s clear security is a top concern for business leaders. Evaluating and responding to cyber risk is no longer viewed as separate from core business goals, but rather an essential element to keeping a business alive.
So, who at an enterprise is responsible for understanding, developing and initiating a strong cybersecurity strategy? Well, according to the same survey of 260 C-suite executives interviewed globally, 98% believe that the entire C-suite is responsible for the management of cybersecurity — the work doesn’t fall to any one individual expert, CRO or CISO.
However, according to a global research study conducted by Trend Micro, which included the perspectives of over 5,000 IT professionals in 26 countries, only half of the respondents said they believe C-suite executives fully understand cybersecurity threats and risk management. The reality is, C-suite and C-suite minus 1 executives are not knowledgeable about core cybersecurity concepts like zero-trust security architectures. Faced with managing massive incidents like the December 2021 Log4j vulnerability, this skills gap highlights a huge mismatch between expertise and responsibility at the executive level.
In order to protect a business and its sensitive internal and customer data, executive leaders must now also be cybersecurity experts.
The responsibility of the C-suite
A business is only as strong as its leaders. Whether it’s the CEO, CFO, COO, CHRO or CMO, cybersecurity should be a top concern for all of us. C-suite and senior-level managers must be able to identify potential cyberthreats to their organisation and understand systemic risks present within its digital ecosystem of suppliers, vendors and customers.
Yet many organisations have struggled to keep pace with their industries’ digital transformations, leaving significant knowledge, process and technology gaps in how they manage threats. In addition, the changing landscape of national and international compliance regulations has created an environment in which companies are constantly forced to evolve, trying to stay updated and compliant with data and cybersecurity requirements.
Business leaders who upskill themselves in the core tenets of modern cybersecurity can drive an organisational culture of cybersecurity and strengthen their tech stacks, processes and teams from the top down. CEOs and CMOs don’t need to become information security analysts, penetration testers or white-hat hackers — instead, they need to demonstrate five core competencies that impact their work and leadership:
- Developing a common language and understanding of cybersecurity risks and best practices: Understanding the difference between VPN and zero-trust capabilities is the first step to implementing the right security strategy for your organisation. Business leaders should familiarise themselves with the language and core concepts their teams will use in cybersecurity discussions to ensure they can effectively participate in discussions and guide the decision-making process when issues arise.
- Identifying potential cyberthreats and systemic risks present within their digital ecosystem of suppliers, vendors and customers: Mapping the risk landscape — with the help of expert team members — is the first step to addressing vulnerabilities. Business leaders should be able to evaluate whether additions they want to make to their tech stack or new processes they want to implement could create additional risk in their ecosystem.
- Evaluating how to respond to low, medium and high-risk cyber threats: Designing and implementing a strong Incident Response Plan (IRP) ensures organisations are ready to respond when an incident occurs — regardless of the severity. Business leaders should be able to articulate how their organisations will detect, respond to and limit consequences of malicious cyber events.
- Creating a culture of cybersecurity across the organisation: Getting buy-in from employees is a critical first step to implementing a true culture of cybersecurity in any organisation. To be successful, business leaders need to know how to design awareness campaigns, training plans and accountability measures that will encourage every employee to take ownership over security measures and become advocates for cybersecurity best practices.
- Scoping cybersecurity budgets for their organisation: Prioritising cybersecurity investments requires a deep understanding of both risk and potential ROI. Business leaders should outline the tech and talent budgets needed to support the rollout of cybersecurity initiatives and close gaps they’ve identified in their current enterprise risk management processes.
Business leaders who master these skills will be able to confidently lead conversations about cybersecurity with internal and external stakeholders and ultimately drive their organisations forward, ensuring they meet board expectations for cybersecurity accountability.
Transforming the broader cybersecurity ecosystem
No organisation or role is safe when it comes to cyber attacks — from small businesses to major tech companies and from C-suite to entry-level employees, cybercriminals know no bounds. While the C-suite works to create an organisational culture of cybersecurity, they need support from deep practitioners and indeed every employee in the organisation to drive true progress. By transforming talent in every role, starting as early in the employee lifecycle as onboarding, you can ensure that every employee has a base level of cybersecurity knowledge and has a solid plan in place to avoid cyberthreats. And when you strengthen the entire organisation, you’ll also make yourself a much less desirable target for attackers.
With high demand for technical roles in particular, organisations worldwide are facing steep competition for a limited pool of top talent. It’s a gap that gets wider every day; according to Cybersecurity Ventures, there will be 3.5 million cybersecurity jobs unfilled globally by 2025, a 350% increase over eight years. And only 3% of U.S. bachelor’s degree graduates have cybersecurity-related skills. There simply aren’t enough practitioners to meet demand. I recently spoke with a CISO at a top financial services entity. They expressed that the firm is in an all-out war for cybersecurity talent. They simply can’t hire the skills they need, so they’re having to manufacture them internally by training existing employees.
I can guarantee this firm isn’t the only one facing this battle. In this competitive environment, it is more important than ever that companies look to upskill current employees or hire with the intent to train, rather than assuming they’ll be able to fill every role with a highly skilled external candidate.
With enough passion, intelligence and effort, any one of your employees can become a cybersecurity expert, if you provide them with the upskilling they need to be successful. Pursuing talent transformation initiatives that emphasise hands-on, practical learning will enable your employees to build skills in in-demand roles like cybersecurity, ultimately increasing engagement, retention rates and your business’s security overall. A win-win-win, really.
While the strength of a cybersecurity strategy starts in the C-suite, a true talent transformation strategy goes beyond training to put critical thinking and real-world skills into practice at all levels. By upskilling employees at all levels of the organisation, you can be confident in your ability to respond to the next big vulnerability.
Sebastian Thrun is a chairman and cofounder of Udacity and a German-American entrepreneur, educator and computer scientist. Before that, he was a Google VP and Fellow, and a Professor of computer science at Stanford University and Carnegie Mellon University.