July 16, 2016 Toomas Viira

The role of the Chief Executive in ensuring information security

Over the last twenty years, the way organisations function has changed significantly. The producing efficiency of organisations and the manner in which services are provided has changed considerably. This has largely been made possible by the implementation of various IT solutions. IT has become a natural part of business and it is no longer possible to succeed without it. Or if it is, then only with very limited productivity and functionality. Information is essential in making managerial decisions and for the business processes. To be able to compete, it is essential to focus on increasing your organisation’s efficiency. On the other hand, do we know and acknowledge what would happen if IT solutions stopped working – simply stopped functioning altogether or stopped working the way they were supposed to?

Chief executives often feel inconvenienced in situations where they have to deal with topics, such as IT or information security, or make decisions therein. How do I manage something I do not know much about or something I am unsure of? Communicating with the chief accountant, chief human resources officer or chief marketing officer is generally considered easier. It is easier, because the topics are much more understandable. What should a chief executive do in this new environment and what should they take into account?

The first mistake is not assigning somebody to account for information security. For example, while a specific person is assigned to manage accounting – a CFO or chief accountant –, then the management of information security is often unspecified or vague. It is sometimes expected that the IT manager or the IT department is also responsible for information security. In practice, however, it is either the opposite; they are only partly responsible, or the IT department has not completely understood their responsibilities regarding information security. Therefore, it is important to assign somebody who manages information security within the organisation and who arranges the operations of that area. In the organisations, which significantly depend on IT, either somebody from outside the organisation should be employed or a corresponding service should be acquired. It is advisable to keep the roles of the information security manager and the IT department separated.

Even smaller organizations that do not depend on IT as much should be prepared when something happens to their information system or the data within. In such organizations, the IT manager, an IT specialist, or an IT service provider should ensure the implementation of all necessary security measures.

The information security manager in collaboration with the IT department should assess the level of security of the organisation’s information systems’ and, if necessary, develop additional security measures to ensure the information systems’ sufficient level of security. The information security manager will create an implementation plan for security measures and provide the chief executive with a corresponding overview, which includes, among others, the resources necessary to implement these measures.

There is often not enough funds to implement all security measures, which is why it is important to prioritise and determine which measures need to be implemented first and which ones can wait. The chief executive must ensure the resources necessary for the implementation of security measures that decrease risks.

The information security manager should regularly report to the chief executive officer regarding occurred security incidents; which conclusions have been made regarding those incidents; what has been done to prevent those incidents; which risks still exists; which risks should be accepted; is there progress in implementing various security measures, etc.

It is not smart to count on being a tiny business in a little city in a small country – who is even going to find us, not to mention target us? It does happen, however, regardless of the size of your organisation or its location. It might be as part of a larger attack or why not simply target your organisation specifically?

The chief executive should:

1. Determine if and how much of the organisation’s primary and supporting processes depend on information systems.

2. Determine what happens if the organisation’s IT systems are not functioning (for up to 1 minute, 10 minutes, 1 hour, 1 day, or 1 week).

3. Determine what happens if the data in the information systems is leaked?

4. Determine what happens if the data in the organisation’s information systems is changed? Can it be discovered and when? What does it mean to restore data?

5. Assign accountability of information security (i.e. employ an information security manager or acquire a corresponding service) if it is determined, based on the abovementioned questions, 


that information systems are essential to the operation of the organisation.

6. Make sure that the roles of all employees are defined regarding information security.

7. Let the information security manager to assess the information systems’ current level of security, assess the risks and create an implementation plan of necessary security measures.

8. Provide necessary funds to ensure security.

9. Emphasise the importance of information security in the organisation and the responsibility of every employee in ensuring it.

10. Regularly review the operation of the information security management system and order external IT audits for an objective assessment.