Shane Buckley is President and Chief Executive Officer of Gigamon, a leader in deep observability.

In today’s turbulent business landscape, executives are caught in a delicate balancing act. The pressure to boost efficiency, drive growth and improve the bottom line is relentless, particularly in continuing economic headwinds. Yet, amid this high-stakes balancing act, one critical element is too often relegated to the sidelines: cybersecurity.

The reluctance to prioritize cybersecurity isn’t born of ignorance. In fact, it’s sometimes quite the opposite. Some C-suite leaders may unconsciously downplay or avoid fully confronting the scope of their cybersecurity vulnerabilities, given competing priorities. Others may delegate responsibilities to security teams, assuming that critical issues will be flagged. But a defensive cybersecurity strategy isn’t enough; relying on one elevates business risk and can leave organizations exposed.

As revealed in the 2024 Gigamon Hybrid Cloud Security Survey, organizations are not prepared for today’s evolving threat landscape. In fact, in the last year, more than 1 in 3 organizations failed to detect a security breach using their existing tools, up from 31% in 2023.

In today’s digitally driven world, cybersecurity’s importance cannot be overstated. And while the U.S. legislative branch has taken steps to improve cybersecurity regulation, such as the upcoming zero-trust mandate set to take effect in 2027, this is only the beginning. Much of our nation’s cybersecurity legislation is outdated and ill-equipped to tackle the threats of the 21st century. Furthermore, until every boardroom understands that cyber risk is equally a business risk, we will continue to see the catastrophic consequences of a fragile global network infrastructure rooted in defensive security postures and protocols.

To help overcome these shortcomings, here are six essential tips C-level executives, their boards and our nation’s leaders should consider immediately:

1. CISOs belong in the boardroom.

According to our recent data, 59% of chief information security officers (CISOs) say they would be most empowered by cyber risk becoming a boardroom priority. However, CISOs must update the board regularly for this to become a reality. This includes frequent cybersecurity sessions with the board to educate members on the evolving risks of today’s threat landscape and what is required to stay ahead of threat actors.

2. Never work in silos.

To ensure intellectual debates that keep the business, its priorities and risks at the top of the agenda, it is essential that the chief information officer (CIO), CISO and chief technology officer (CTO) report to the same individual and/or level.

In today’s digital world, CIOs and CTOs are often hyper-focused on increasing efficiency and improving effectiveness within the organization from an application perspective. However, as workloads become more dispersed across hybrid and multicloud environments, an organization’s security posture becomes much more complex, leaving CISOs challenged by the security gaps. When CISOs, CIOs and CTOs work in lockstep with one another and report to the same individual (likely the CEO), the organization and its key stakeholders gain a holistic view of the business and can make informed decisions.

3. It takes a village.

Staying ahead of threat actors takes a village; therefore, it’s important to consider a subcommittee of the board that is responsible for the organization’s overall security posture. This empowers the board to bring outside expertise in for independent assessments. This doesn’t mean the CISO and their capabilities are in question but rather demonstrates an understanding that the responsibility of an organization can’t fall to one individual.

4. Build your KPIs with cybersecurity at the forefront.

As CIOs and CTOs develop key performance indicators (KPIs) to measure their technological progress within the organization, cybersecurity and the associated risk must be part of the conversation. A critical focus on making security a top priority is essential, and to do so, one might have to consider incentives to enforce change. For example, the board may consider assessing the C-suite’s compensation based on the organization’s overall cybersecurity competence.

5. Enhance basic regulatory standards.

As stated previously, our nation’s cybersecurity regulation is outdated and ill-equipped to keep pace with this new age of cybercrime. There need to be enhanced regulatory standards that mandate companies disclose where they fall against such standards. This will enable consumers to understand who they put their faith in regarding the privacy of their personal information and make informed decisions about who they do business with.

6. You can’t secure what you can’t see.

The regulation of network infrastructure security has always been hyper-focused on protecting north-south traffic, otherwise known as traffic that flows in and out of an organization. The challenge is that if a nation-state wants to breach a network, it will.

In 2023 we saw countless examples of threat actors bypassing traditional perimeter security, enabling “living off the land” techniques to run rampant. These included hackers known as Volt Typhoon, who spent five years spying on U.S. critical infrastructure, and the MGM and Caesars casino breaches. These types of attacks pose a major threat to the cybersecurity climate. Whether or not regulatory mandates are put into effect, organizations need visibility into all network traffic, both north-south and lateral (east-west), to minimize the risk of making the front page for all the wrong reasons.

With 30,458 security incidents and 10,626 confirmed breaches analyzed in 2023, it is clear we are losing ground against cybercriminals. When will it be enough? When will we collectively take a step back to acknowledge cybersecurity barriers and shortcomings? There is only so much we can control, but by implementing the tips above, partners, customers, board members and shareholders can rest assured they’ve done all they can to reduce business risk and ensure the long-term success of their organization.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
