What every C-Suite Executive needs to know about cybersecurity
The typical CEO doesn’t have time to worry about bot mitigation and cybersecurity until their company’s website is under attack. And then, as a CISO or security expert, you waste valuable time trying to get your CEO on board, which keeps you from addressing the threat. What does a C-suite executive need to know about their organization’s cybersecurity strategy?
In this interview, Niels Henrik Sodemann, CEO & Co-founder of Queue-it, a virtual waiting room that prevents web or app overload, cuts through the noise and provides important insights that all CEOs and C-Suite executives should read. As a CEO who has been immersed in cybersecurity, he can speak first-hand about what non-technical CEOs should be focused on to ensure their website, customers, and business are protected.
Where does a CEO's biggest knowledge gap or misunderstanding concerning cybersecurity lie?
I believe that most CEOs understand the risks involved in IT, but completely underestimate the devastating impact security breaches and cybercrime can have on their businesses. It is hard to mentally understand how something intangible and invisible can potentially bankrupt their business.
What is the #1 thing CISOs should do to develop trust or confidence with their CEO and/or board executives?
Present a solid strategy and follow it up by internal implementation. Internal implementations and projects have the weakness that alliances and consensus can block objective views and important matters. Most CISOs will deal with external parties, like advisors and suppliers. In my opinion, the strongest strategies and implementations are those that can be accepted by external parties. For example, it can be done by vetting suppliers in a structured form and getting their approval on living up to the organization’s strategies and regulations.
What are the most important issues facing cybersecurity professionals?
Cybersecurity has become an arms race. The threats are evolving with lightning speed in parallel with ever-increasing demands for further IT support. Companies walk a knife-edge to move forward. This has increased the degree of opportunism in the market for cybersecurity solutions and also with a fair number of charlatans around. Cybersecurity professionals need to scrutinize who they are working with and their actual hands-on experience.
How should cybersecurity professionals measure success?
My rule of thumb is, if you do not see/find any security flaws/breaches, then you are overlooking something. Success should be measured by the number of security flaws you are able to find/detect. There are tons of tools out there that can help. Bot protection tools are a good example.
How does a CEO know when their cybersecurity strategy is working?
They should not believe that their cybersecurity strategy is a bulletproof end-game and is working. They need to understand that they are in an ongoing arms race and prepare for the worst-case scenario. We have large and very skilled customers, who have built emergency systems that allow their customers to log on and get status/information about breaches, etc. Prepare for failure.
What are the KPIs or success metrics CEOs should monitor to ensure their cybersecurity strategy is working?
A CEO should see very frequent changes in the cybersecurity strategy and its implementation. The strategy needs to be adaptive and reflect the threat patterns. If you don’t see new developments on a regular basis, you need to understand that you are on a stagnating route.
You also need to see KPIs that indicate an increasing amount of security breach attempts have been stopped.
What resources do you recommend for CEOs and other non-technical business leaders to become more knowledgeable about cybersecurity?
I believe that the CEO needs a very trustworthy and skilled CTO / CIO / CISO in his management team. Cybersecurity needs to be an organizational and internal skill/culture.
As a cybersecurity leader, what keeps you up at night?
My worst nightmare is that we potentially can have a breach in our systems that would allow cybercriminals to manipulate the functionality of our systems or inject malicious code into our customers' systems.
Are there any trends or new threats in cybersecurity that you have learned about that other CEOs or CISOs should be aware of?
One of the trends I see is that the awareness and the discourse around security breaches is in itself increasing the incentive for the bad actors. But they are also using the rhetoric as a part of the game. In ticketing, the bad actors used to game the ticketing platforms by carting/buying tickets at lightning speed using bots. Lately, the bad actors are using the same rhetoric on the topic to game the systems, not by buying the tickets and reselling them, but by using bots to block the entire inventory by making reservations. This will force the desperate fans into the hands of the scalpers.
These are the same psychological patterns used by the criminals using ransomware. The rhetoric increases the pain and the stake.
Queue-it is the leading developer of virtual waiting room services to control website traffic surges. The use of Queue-it has ensured online fairness during high-demand online events for billions of consumers worldwide.
To learn more about the business impacts of bad bots and how that affects C-suite executives, check out the blog post The Four High-Level Categories for the Business Impact of Bad Bots.
Niels Henrik Sodemann, Queue-it’s CEO and Co-founder, has a substantial background within IT and business management. System and website performance was always in his mindset, as he designed and implemented solutions, and the challenges that all transactional IT projects face in this context were a great part of the inspiration for the creation of Queue-it.