By Guy Golan, CEO and co-founder of the Performanta Group
Every time I board a flight, I marvel at the complexity of what has become a mundane activity. A fully loaded large aircraft lifts more than 350 tonnes when it takes off, using an enormous amount of power to achieve such a feat. But it doesn't take only power. Every aircraft is full of technology and controlled by trained pilots. It takes a lot of effort, energy, and focus to carry me to my destinations.
Let's briefly switch gears to another complex arrangement of technology, skill and focus: the modern company, and the person who runs them, the CEO. CEOs might be well compensated, but they take on a terrific amount of responsibility. Effectively everything in a business ends at the CEO's desk. But it's not feasible for a CEO to cover everything. They delegate those responsibilities and apply their attention relative to the scenario.
For example, if a manufacturer has a machine that could break down soon, releasing poison gas that will affect everyone on the factory floor, the CEO should know about that as a high priority. But what about the paving outside the factory? What if it is uneven and a tripping hazard? The CEO should also know about that, but not with the same urgency. They can receive an update during a quarterly meeting and comfortably delegate the entire project to a subordinate.
Of course, the dangerous machine will also be the responsibility of a lieutenant in the c-suite. But you tell me: which one should keep the CEO awake at night?
Effective leaders know how to prioritise and handle different levels of urgency. They maintain clear communication channels and understand when to sweat the little things. It's how you run an effective business. Yet it's often the opposite of how cybersecurity presents itself in the business world.
My aircraft example explains what's happening. During a flight, would you want the pilots to tell you about every single error they encounter? Problems do occur. Pilots fill in a 'gripe sheet' that they hand to ground staff after every flight, noting minor and major problems, from malfunctioning controls to a broken coffee machine. Do you want to know about all of them?
Of course not—you'd die from stress and heart failure before any sudden reunion with the ground. We rely on pilots to practice discretion. They tell us about upcoming turbulence or to brace for impact. But they spare us the knowledge of issues that don't require our immediate attention.
Cybersecurity does the opposite. Our industry tends to emphasise every problem as a high priority for leaders. We enthusiastically walk behind laws and governance practices that put all the pressures of security on the C-suite. Such laws are good, but they don't change how companies work or magically increase the time and attention of busy executives. There is a lack of context and priority in cyber security discourses that prevent it from operating like any other part of a business.
Cybersafety happens when we get this dynamic right; when cybersecurity practices enable a CEO to tell the difference between dangerous equipment failure and uneven pavements. I base Cybersafety on several pillars:
Companies recognise that cybercrime and negligence are major and ongoing risks.
Leaders have access to cybersecurity expertise at the top, such as a CISO or a security-savvy board member.
The business builds a rapport with these experts and trusts their interpretations.
Security providers focus on the context of their customer's business, not just selling solutions to mitigate risks. Every cheque signed must have a business justification. Every system and service investment must resonate with their business motivation.
The security market prioritises integration over singular big-ticket solutions.
All parties establish cybersecurity as another department that leaders understand in the business' context.
We can't keep putting cybersecurity on a pedestal, expecting our customers to drop everything and appreciate the many risks they face. At the same time, we must stop creating panic and heart failures just because we expose EVERY incident we detect. Yes, the world is under assault from digital criminals and negligence. But security motivated by panic is not sustainable. It doesn't make companies safer—knee-jerk reactions such as buying an expensive big-brand security product often create a false sense of safety. Cybercrime is more complicated than that.
Let's focus on creating Cybersafety. The CEO, board and c-suite don't need to be engaged on every cyber risk. But they must have all the data and transparency to show them what happened in a certain period of time—weekly, monthly, quarterly, etc. They need the levels of information, insight and delegation present in every functional business department.
If they can rely on the same contextualising channels as they do for the rest of their operations, they'll get real safety. CISOs will become the CEO’s trust advisor for Cybersafety and their jobs will be much more impactful. Company leaders will save money, reduce business risk substantially and acquire a genuine appreciation for cybersecurity's demands.
Much of this transition starts with the cybersecurity industry. Our job isn't to sell security. It's to create safety.