Many CEOs I meet are great leaders: They’re smart, visionary, inspiring and fully cognizant of their responsibilities to the board and shareholders (or private investors) they serve. But I bet I could count on just part of one hand the number of chief executives who could articulate their company’s security system. Why? The most common response I hear is, “That’s the CIO’s job – or the CSO’s!”
Yes, it is. These two groups, in conjunction with the company’s legal team, comprise the bulwark of every company’s defenses against theft of valuable, proprietary assets, from algorithms and patented products and systems to customer lists and confidential information. As enforcers, these folks buy the necessary software and hardware and execute a plan to protect the company from potential threats within and without.
But these groups can’t really do their jobs without the CEO’s participation and leadership in setting that policy. Who else can set boundaries of what’s acceptable behavior and what’s not? Definitions of right and wrong? Who else has the perspective to tie a security plan to the company’s overarching strategic objectives?
At the very least, a CEO should help outline a security policy. The most efficient way to do that is for the CEO to convene a meeting with the leaders of all groups of the company—finance, accounting, business development, operations, marketing, sales, legal, HR, IT, and so on—and ask some fundamental questions:
- What information needs to be protected?
- Who has access to it?
- What systems are in place to secure the most sensitive data (and who, if anyone, is allowed to take work home)?
- Has everyone in the organization been assigned a risk level and access privileges appropriate to his or her job title?
- Are there proper communication channels between the departments and, say, IT, legal, HR, and security (and is there a procedure for HR to inform the right groups whenever someone has a change in job title and access to and use of vital information)?
- Is there a policy for handling employees who leave for another company or are terminated?
These are the larger concerns every CEO should help resolve, even in a preliminary way, leaving the details to the various departments. Division heads will have to determine, for example:
- Who has access to proprietary information and the ability to manipulate and share files via platforms like Dropbox and Box;
- Whether thumb drives are allowed;
- Which individuals have permission to use the company’s Facebook, Twitter, Snapchat, and other social media accounts;
- Whether company or personal e-mail accounts, as well as text messaging, are appropriate;
- Which devices—smartphones, tablets, desktops—can be used at work and taken home;
- Who has printing privileges.
Most CEOs like to focus on offense. That’s natural: It’s forward-looking, strategically focused play; it’s how you win games. Security is defense—protecting what you already have; it’s holding the line, not moving the ball forward. But in order to win, a company has to play both kinds of games. Every coach understands that. CEOs should, too.