It has often been said that “at the end of the day, all one has is his or her reputation.”
The issue of cybersecurity embodies this concept. An organization might spend years — perhaps decades — building a strong and respected reputation. Yet, that reputation can be irreparably harmed overnight in a single cybersecurity breach. If the personal data of your donors and clients is accessed by an unauthorized person or entity, you can lose all of your hard-earned trust in an instant. This may sound unfair and unreasonable, but it is the hard reality that everyone in our sector faces.
To minimize this risk, every CEO/leader must embrace — and champion — effective cybersecurity practices. We can’t rely on our tech team to lead, implement, and manage cybersecurity. Given the amount of data we retain on our constituents and stakeholders, the risks are real and too high to be ignored.
Accordingly, cybersecurity needs to be a priority for an organization’s CEO; and equally important, it needs to be a priority for the organization’s board of directors. While tech issues in general, and cybersecurity in particular, can feel mundane or overwhelming, it is crucial that the leaders engage, lead, and champion ongoing cybersecurity awareness and implementation.
An effective CEO and members of an organization’s board should be realistic and humble regarding cybersecurity. They should be comfortable with “knowing what they don’t know.” CEOs and board members should strive to become more conversant and knowledgeable, and be willing to seek guidance and scrutiny from independent, third-party security experts who can provide a critical, objective view as to the organization’s cybersecurity effectiveness and opportunities for improvement.
It may be an old school point of view, but the attitude of the CEO on any issue typically permeates throughout an organization. If the employees know that the CEO cares about cybersecurity and tracks the organization’s effectiveness, with virtual certainty the employees will focus on cybersecurity as well. Over time, cybersecurity awareness will become as important to an organization as donor development and mission fulfillment.
What specifically should a CEO do?
Here are a few specific first steps:
- Engage with a third party to complete a cybersecurity audit at least once a year — signed off by the CEO and presented to the board of directors for its approval.
- Ensure that auditors check all systems — including laptops, servers, and network devices (home office and in office) — to make sure they are current in their patches and that a process is in place to keep them current throughout the year.
- Regularly train employees on cybersecurity best practices. This is vital, especially for remote team members.
- Ensure that files are routinely backed up, with a frequency and location appropriate to the type of data.
These are but a few of the many steps an organization needs to take to be effective, or more literally, to help avoid a cybersecurity disaster that could not only harm its reputation, but actually put it out of business. Agree? Disagree? Please let me know!