CEOs have an important role to play in cybersecurity given the sensitive information they receive and responsibilities they hold. To protect themselves, CEOs should use strong, unique passwords and avoid accessing email from unsecured networks. More broadly, CEOs should be actively engaged in managing cybersecurity risks across their organizations by communicating with security teams, ensuring employee awareness and training, protecting critical assets, and learning from security incidents. Adopting industry standards like ISO can help CEOs implement best practices for effective cybersecurity.
Reaching the position of CEO inside a company is definitely one of the highest goals that a person can achieve;
however, the responsibilities that come with this position are even higher.
Generally speaking, a CEO should have work experience and general knowledge. In addition, a CEO should be a
good communicator, be eager to develop and present a vision and a strategy for the company, motivate others,
garner respect and have knowledge about entire management processes inside the company.
However, no one can have professional knowledge of, and be a master of, everything; this is the reason why a CEO
should be regularly informed about the company’s issues: the details of negotiated contracts, marketing plan decisions,
new employees’ CVs, customers’ information, ideas, etc. A CEO can receive all of this information on a daily basis.
The value of this received data goes beyond the written words, especially nowadays when breaches of
this data are constantly evolving, together with their cost. The Ponemon Institute published its data breach cost results
for 2014. According to this institute, the average total cost of a data breach in 2014 was $3.5 million, 15 percent
higher than the previous year, and it rises to $5.85 million for an organization in the United States.
So the risk to information is constantly growing and its impact on different organizations has become
dramatic. The answer to this condition is the role that cybersecurity has started to play for an organization. The
complexity of security threats has brought together not just the chief information officer (CIO) and the chief information
security officer (CISO), but also the chief executive officer (CEO) and the entire C-suite. Together they share
responsibility for cybersecurity.
There are already some activities specified for a CEO which can help in cybersecurity.
Since CEOs receive updates and everyday information via email, it is advisable to be cautious when checking these
email accounts. One piece of advice is to use a complex password combining numbers, letters, and symbols. It
is also advisable not to use a specific user name, such as a real name or the company name, as a password. Such
passwords should be changed regularly and should not be shared with anyone.
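As an added illustration of the password rules above (example code written for this edit, not part of the original article or PECB material; the company name and minimum length are assumed values), a small checker that flags passwords lacking a mix of character classes or built on a user name, real name or company name, including common digit-for-letter substitutions:

```python
import re

# Constructed example values (assumptions, not from the original article).
COMPANY_NAME = "Examplecorp"
MIN_LENGTH = 12

# Common substitutions used to disguise a name inside a password.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _normalize(text: str) -> str:
    """Lower-case and undo common digit/symbol substitutions so that
    'Ex4mpl3c0rp' is still recognised as the company name."""
    return text.lower().translate(_LEET)


def check_password(password: str, username: str, real_name: str,
                   company: str = COMPANY_NAME) -> list[str]:
    """Return the list of policy violations (an empty list means the password passes).

    Rules mirror the article: a mix of letters, numbers and symbols, and not
    based on the user name, real name or company name; a minimum length is added."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no numbers")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbols")
    norm = _normalize(password)
    # Check each word of the names separately, so "Jane" or "Doe" alone is caught.
    for label, source in (("user name", username),
                          ("real name", real_name),
                          ("company name", company)):
        for part in re.split(r"\W+", source):
            if len(part) >= 3 and _normalize(part) in norm:
                problems.append(f"contains {label} ({part})")
                break
    return problems


if __name__ == "__main__":
    print(check_password("Ex4mpl3c0rp!2024", "jdoe", "Jane Doe"))
```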
It is very practical that nowadays anyone can access email accounts from any location and check
emails downloaded from the server. However, for a CEO who handles very important work-related information,
this practice is not preferable at all. Many network access points used today in public Wi-Fi transmit
unencrypted traffic, which leaves messages vulnerable during transmission.
Thus, the rule of using trusted connections only, and of not letting smartphones connect automatically,
should always be respected by CEOs.
In addition, it is very important not to open any email or its contents, download images or open links sent
by those whose identity isn’t verified. Great care should also be taken when a CEO downloads
applications from the internet. These applications usually ask for personal data such as GPS location,
passwords, mobile data, contacts or messages, etc., which can be very useful to an attacker.
In response to all of this, it is advisable for a CEO to use security protection tools such as
anti-virus, firewalls, monitoring of computing devices, etc.
However, beyond these individual requirements, a CEO’s engagement in cybersecurity activities should have a
much wider range.
Within an organization, a CEO should be actively involved in managing cybersecurity risk. This means that
a CEO should always ask for information, and be informed and involved in defining the strategic risk framework,
risk assessment and its accepted levels, the cost-effectiveness of cybersecurity budgets, business needs, regular
evaluation of cybersecurity incidents, IT plans and outsourcing, cloud services, defined policies, etc.
To achieve all this, a CEO has to maintain regular communication with executives and all parties responsible
for managing cybersecurity risk.
Apart from that, a CEO should also be involved in employees’ awareness of possible risks affecting their
organization and the associated business impact. Training and testing employees with phishing exercises has
become a very important activity to see how well they actually respond to cyber threats.
Another important issue which should involve the CEO is the protection of critical assets. A
CEO should take an active part in processes such as identifying, classifying, protecting and prioritizing assets
according to cyber risk. This will also help to give a clear view of the risk impact on the financial, competitive and
reputational position of the company.
However, accidents happen and they are part of every organization, no matter how well protected it is.
The CEO’s role in an incident situation is to have an idea of how to move on. A well-organized company
always has a plan B, which should be prepared and planned in coordination between the CEO, the Chief Information
Officer/Chief Information Security Officer, business continuity planners, the maintenance and operations sector
and general counsel.
Moreover, the role of the CEO here is to ask for a documented report of everything that happened in the incident
situation, all the network events that were monitored, and the analyses. This report should be used to set new
security policies, model governance, and create business continuity and disaster recovery plans. A CEO should
always take part in these situations.
Facing all these obligations and challenges is not an easy task for a CEO. All of this requires leadership,
cybersecurity knowledge, clear vision and courage, and still this is not enough. To achieve cybersecurity
objectives, a CEO should have tools that rely on identified best practices. The best practices of cybersecurity
are found in the integrated systems provided by industry standards. ISO is the standards organization
which has answers on how to implement, develop and deploy solutions based on the best international experience
on many issues connected with cybersecurity. This can be very helpful for a CEO.
However, to achieve a high level of cybersecurity, an organization should ensure continuous cooperation at all
levels inside and outside of the organization. Therefore, cybersecurity activities should become part of
daily responsibilities, and certified personnel are more than needed for this kind of responsibility. And even
more, why not have a certified CEO? He or she would know even better and appreciate more the importance of
these standards, which are more than useful for employees, and would be more involved in the enormous
importance of cybersecurity.
The Professional Evaluation and Certification Board (PECB) is a personnel certification body for a wide range
of professional standards. It offers ISO 27001, ISO 27002, ISO 27005, ISO 20000 and ISO 22301 training and
certification services for professionals wanting to support organizations in the implementation of these
management systems. ISO standards and professional trainings offered by PECB:
• Certified Lead Implementer (5 days)
• Certified Lead Auditor (5 days)
• Certified Foundation (2 days)
• ISO Introduction (1 day)
Lead Auditor, Lead Implementer and Master are certification schemes accredited by ANSI against ISO/IEC 17024.
Rreze Halili is the Security, Continuity and Recovery (SCR) Product Manager at PECB. She is in charge of
developing and maintaining training courses related to SCR. If you have any questions, please do not hesitate
to contact: scr@pecb.org.
For further information, please visit www.pecb.org/en/training