“Cyber defense of DoD systems is [my] highest cyber priority; if DoD systems are not dependable in the face of cyber warfare, all other DoD missions are at risk.” – Secretary of Defense Ashton Carter, April 18, 2015

Cyber security is a leadership issue. Period. Yet too many boards and CEOs are leaving it in the hands of CIOs, CTOs, CISOs and the like. And even though boards are scrambling to fill open positions with cyber security experts, a 2015 PwC report indicates boards still see cyber security not as a CEO matter but as an information technology issue. They’re wrong.

Cyber Security Companies Can Only Do So Much

Like any cultural shift within an organization, it’s going to take time, persistence, hard work and leadership commitment and involvement. Steve Denning, in Forbes, tells us this concerning culture change: “In general, the most fruitful success strategy is to begin with leadership tools, including a vision or story of the future, cement the change in place with management tools, such as role definitions, measurement and control systems, and use the pure power tools of coercion and punishments as a last resort, when all else fails.”

It’s not enough to subscribe to a service or simply tell the CIO to implement an information security plan. It’s also not a one-person or one-department function. It requires each member of the organization to take a proactive approach and to remain vigilant. This only happens if the CEO is engaged, enthused and a leading advocate of cyber security.

Department of Defense Is Doing It Right

Earlier this week Secretary of Defense Ash Carter publicly released the department’s cyber defense plan. More importantly, Secretary Carter will conduct monthly strategic-level cyber security reviews. Additionally, each level of management below him will dig into deeper detail, with smaller-sized units reporting their cyber readiness in the Defense Readiness Reporting System (DRRS).

I remember very distinctly my three-star boss in 2013 reminding us junior one-star commanders that cyber security was commander business and that he would hold us and only us accountable should something go wrong. Trust me, we got the message loud and clear.

I understand changing cyber security culture doesn’t sound fun or exciting. There are normally “far more pressing” issues at hand like restructures, reorganizations, buyouts, increasing shareholder value and so on. What happens if the company’s data is breached or held hostage to ransomware? Won’t this affect everything else? The DoD is the world’s largest employer, has a $600B budget and its mission is national defense. Yet, if Secretary Carter can dedicate his time and attention to cyber defense, then can’t CEOs and boards do the same?

Boards Are Getting Serious About Cyber Attacks

Boards are hiring more individuals with cyber experience, and this is a good start, but it’s hardly a panacea.