Without educated leadership-level support a culture of security will never succeed, Nachreiner says. “If your leaders do not follow the proper actions, it teaches employees that they don’t have to either. Executives should already have an understanding that they are one of the most targeted groups for phishing and spear-phishing attacks, so they should want to follow good security practices and, frankly, need to remain more vigilant than the average employee.”
Cybersecurity policies are there to enable business, not to constipate it. “If a security policy really does impede business to the level that an executive wants to bypass it, you should consider if the policy is necessary,” Nachreiner says.
“Cybersecurity isn’t about an ivory tower of perfect security practice, but rather a risk-management equation that allows your company to do business with minimal risk. If a security policy is really preventing or slowing business, and the risk associated with it is less than the value it offers the business, then you can also make it an accepted risk.”
The C-suite might need a more bespoke level of security
Some may say that the C-suite needs to receive the white-glove treatment. I count myself among those who believe the C-suite may have a need for a dedicated or accelerated level of support. I used the word “may” as it isn’t always the case, but a cogent discussion argues for having a dedicated team to ensure their ability to function is always “on” even if perhaps from time to time degraded due to cyber incidents or circumstance.
This raises the question: should the C-suite be wrapped in cotton wool or simply provided a more bespoke level of support? Taylor believes that 100% protection isn’t possible and recommends a uniform approach to protecting the C-suite. He espouses the strategy of “more in-depth monitoring of these users’ activities in order to identify indicators of compromise (IoCs) targeting the executive team and their extended families.”
Nachreiner was unambiguous: “Don’t do this any more than you would with any other high-level or privileged employee. Executives should have the same security controls, policies, and acceptable usage guidelines as all your employees, with the only added measure being you treat them like privileged users or high-value targets.”