Cybersecurity compliance affects your entire enterprise. It is not an IT issue. It is an executive issue, and IT is in the best place to deliver the results to the business. Governing bodies such as DHS, the FFIEC, DHHS, and others are moving to force management and boards of directors to take more active roles in cybersecurity risk analysis, and to require a top-down approach, because far too many business leaders are choosing ignorance over knowledge and risk over mitigation.
Have you ever sat next to a CEO when he realizes his firm has been breached and much is at risk? We have. It is a very emotional moment and there is tremendous toxicity. Fear, blame, embarrassment, and anger are often present. This is the direct result of the majority of CEOs and CFOs choosing to avoid knowing their risks and choosing to save money while risking much more. When it happens, all of that guilt comes rushing forward. It's like realizing you lost the poker game in which you bet your house. It is a really bad day.
It doesn’t need to be, and IT leaders can save the CEO and the organization by ensuring that their business leaders know the risks, likelihood, and estimated impacts.