With every business reliant on software and digital services, cybersecurity is more pressing than ever. But most companies have not yet adapted to this new reality, and face challenges obtaining executive buy-in for cyber resilience. This challenge was front and center at the recent Commvault Shift event in New York City, and was the central premise of the keynote presentation by cybersecurity expert Melissa Hathaway. In this article I will explore the strategic, regulatory, and practical reasons pushing executives to focus their attention on cyber resilience.
The Need for Strategic Involvement of Executives
Effective cybersecurity strategies demand more than just passive approval; they require the active leadership of executives. Melissa Hathaway, President of Hathaway Global Strategies, focused on this paradigm shift during her presentation at Commvault Shift in New York. Cyber resilience is not just an IT issue, and backup and recovery teams must be elevated and empowered to protect their organizations. After all, a ransomware attack affects the whole business and can be an existential threat. To navigate the complexity of modern cyber threats, business executives must become involved and actively support cyber readiness.
Hathaway spotlighted four strategic threat vectors: ransomware, wiper malware, distributed denial of service (DDoS), and supply chain attacks. Preparing for and responding to these threats doesn’t just require new technology; they pose strategic challenges that demand a holistic organizational response. Although ransomware is the most publicized threat, the other issues are just as pressing. Each can effectively take the entire organization offline for an extended period.
Despite these broad digital threats, fewer than 33% of CEOs are actively involved in preparedness efforts. This statistic underscores the urgent need for greater executive engagement in addressing cybersecurity challenges. It also suggests that the time has come for IT organizations to seek engagement from the business rather than working to address these issues alone.
The consequences of executive inaction in the face of cyber threats are severe. During her Commvault Shift presentation, Hathaway called on the audience to “think about your worst day first” as a way to bring this challenge to the fore. What would you do if your systems were compromised and taken offline? Would you be ready?
Legal and Regulatory Expectations
Most executives are aware of the growing reach of legal requirements for privacy and data protection. The European General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) require organizations to protect information privacy. The nature of modern ransomware (which often includes exfiltration and the threat of data exposure) makes these regulations especially relevant. It is not enough to focus on encryption and protection of personal information when a ransomware attack can cause a catastrophic data exposure. The same is true of existing finance and payment card requirements.
Many jurisdictions around the world are also imposing security breach notification requirements. These require organizations to notify customers and other parties about security breaches and typically also require specific steps to remedy the situation. These new regulations make it even more important that business executives focus on cyber resilience and data protection.
Leadership in compliance is no longer a checkbox exercise but requires a comprehensive, technically informed approach. Executives must become champions for robust policies, procedures, controls, and technical solutions. It is only a matter of time before this becomes an issue for corporate board oversight.
Bridging the Gap – Executive Leadership in Practice
Melissa Hathaway’s recommendations go beyond gloomy warnings. She emphasized taking action to prepare for the inevitable attacks and legal requirements. Corporate boards must become involved, working with executives to emphasize the importance of cyber resilience. Operational executives must engage proactively to prepare for realistic scenarios such as ransomware attacks, encrypted or exfiltrated data, and denial of service. IT management must strategically patch systems, detect anomalies through advanced threat analysis, and deploy solid data protection solutions to enable recovery. And the entire business must maintain a realistic outlook with achievable technical goals.
The fact that Commvault is stressing these operational and business issues bodes well for the company. And the new leadership, including employees and advisors like Hathaway, suggests that the company is working to become a strategic business partner rather than a technology vendor. Specific capabilities of the new Commvault suite are also intriguing, including Cleanroom Recovery and AI-driven threat detection.
Stephen’s Stance: Cyber Resilience Requires Executive Leadership
Melissa Hathaway’s presentation at Commvault Shift focused on the role of executive leadership in achieving cyber resilience. It is imperative for executives to comprehend, endorse, and actively participate in steering organizations to prepare for sophisticated cyber threats. This is not just a trend but a strategic necessity.