How corporate America can fight cybersecurity threats by Bob Moritz @FortuneMagazine February 17, 2015, 12:55 PM EDT E-mail Tweet Facebook Google Plus Linkedin Share icons Last week, President Obama, business leaders, consumer and privacy advocates, and law enforcement officials gathered for a summit at Stanford University to talk about cybersecurity. This conversation is long overdue. By any measure, cybersecurity is the biggest common threat organizations face. It is also the one where we see the largest gap between threat and preparedness. While companies are devoting significant resources to the problem, they must recognize that playing catch-up is inherent to tackling the problem. While last year’s data breaches might have received plenty of attention —from corporate and celebrity hacks to government penetrations — cybersecurity has been a problem for several years now. For companies, these breaches cause strategic setbacks, harm business operations, affect their customers, and take profits directly from the bottom line. U.S. CEOs now understand this. In PwC’s 18th Annual CEO Survey, 90% of U.S. CEOs say cybersecurity is strategically important, 87% are concerned about cyber threats, and 45% are extremely concerned about them. Knowing that a problem exists is only half the battle; fixing that problem is the other half. And in this case, it’s particularly hard. One of the most vexing aspects of cyber threats is that they are constantly evolving. Organized criminals, hacktivists, and some nation states are almost always developing new techniques and tools. As Lisa Monaco, assistant to the president for Homeland Security and Counterterrorism, explained at Stanford last Friday, “We face more attacks, more methods, more actors, and more victims, and no one is immune.” This is why it is so important for businesses to combine vigilance with preparedness and action. So what are the principal steps companies can take? First, they must prioritize this issue from the top down and from the bottom up. It is not enough for CEOs, CFOs, CIOs, and other key officers and employees to engage; we need boards of directors to do so from a governance perspective. Oversight is always important, but cybersecurity is becoming such a strategic imperative that just as companies seek outside expertise for legal and financial matters, they should now be looking for experts in cybersecurity and data privacy. From the bottom-up perspective, employee training and awareness are essential because the weakest link is often human error (and understandably so). Companies should invest in employee security-training programs. To keep their data and networks safe, it is essential to arm even the most junior employees with the tools they need to contribute. Second, companies must recognize that minimizing their risks requires a holistic approach — technology is not enough. When asked what technological capabilities were strategically important to their organization, 75% of U.S. CEOs said cybersecurity was very important, according to PwC’s CEO Survey. However, companies must also address the non-technological tools of cybersecurity. For example, current and former employees are the most frequently-cited culprits in cyber breaches. That’s why companies at the forefront of tackling the problems are going beyond a compliance checklist approach to an information security approach. They are developing broader data governance policies and practices to protect sensitive information. Thus, rather than key in on defending themselves from external threats, these companies are developing and implementing policies for the creation, use, storage, and deletion of information. The leading U.S. banks, many of the largest defense contractors, and many other companies in technology, transportation, pharmaceuticals, as well as other industries, are also addressing the fact that breaches via third-party partners are on the rise. Consequently, they are establishing security standards for third parties, performing risk assessments, monitoring for adherence to policies, and enforcing those policies. Third, the private and public sectors must come together and address the cybersecurity challenge. When asked about the impact of collaboration among government and businesses on working closer together on cybersecurity strategies, only 34% of U.S. CEOs said they were seeing changes in international policies and regulations; 50% said they did not see any changes. This needs to change, and will only do so if both sides work together. As the CEO of eBay John Donahoe told us, “When you step back and look at the role of a company versus the role of a government, clearly if we’re going to provide the safest possible [customer] experience in [the] aggregate, government and companies need to work together.” One thing is certain—regulatory compliance alone is not enough to address the cybersecurity challenge that America faces today. Companies must keep their processes up-to-date, train personnel, and use tools to detect, analyze, and respond to incidents. They must work together with the government and non-governmental organizations to find the right policies and strategies to protect organizations and citizens from hacks and other cyber threats. Bob Moritz is chairman of PricewaterhouseCoopers and David Burg is the leader of PwC’s cybersecurity practice.