4 Reasons Why CISOs Cannot Protect Executives’ Personal Digital Lives
It’s a common misconception that it’s the responsibility of the CISO to protect executives’ personal digital lives. After all, a cyber attack on an executive can be an attack on the company.
At BlackCloak, we contend that the CISO’s job should not extend beyond the corporate walls. Indeed, we frequently state that “because of privacy and compliance reasons, CISOs cannot solve the problem of protecting executives in their personal digital lives, even if they wanted to.”
But what are those privacy and compliance limitations? And why do they present a problem that no CISO or enterprise cybersecurity solution can fix?
Here are four reasons why CISOs cannot protect executives’ personal digital lives alone, even if they wanted to.
1. Undue burden
If you use company personnel to protect executives in their personal lives, then those responsible for ensuring an executive’s online security at home or on the road would be required to act as an agent of the organization 24x7x365. Not only is this a time-consuming task, but it also creates an undue burden of responsibility and accountability on that security team member.
Consider this scenario: A security analyst decides to use corporate tools to monitor an executive’s personal computer for potential risk. While doing so, the analyst notices that confidential corporate materials are being sent to the executive’s Gmail account, then accessed and downloaded to that device (a common practice known as the corporate sneakernet).
This observation creates a dilemma. Company rules dictate that the analyst must report the observation to HR as a potential violation of the company’s data privacy and confidentiality policy. In turn, this creates a problem for HR. The executive was likely accessing the information in good faith, unaware of the security risk of storing sensitive materials on an unprotected personal device. What should they do?
Unfortunately, there’s no clear resolution to a problem like this. It’s a breach of company policy, but the executive was only trying to do his job.
2. Potential for discrimination or reputation harm
Personal inboxes or social media feeds offer insight into personal ideologies, whether political, religious, or cultural. Executives rarely want that information made public, and they certainly don’t want a member of the security team coming across it.
However, should the security team discover, through routine risk analysis, that the executive or a family member supports a controversial cause, that knowledge could be communicated internally. Besides harming the executive’s reputation, the information may also be used to discriminate against that executive if their viewpoint is inconsistent with the company’s values or those of its employees.
3. Ethical risk for employees
Protecting executive cybersecurity and online privacy in their non-work life is a hands-on job. A security team member would need to regularly converse with the executive to ensure their personal devices, home network, credentials, and other vulnerable assets are secure. In addition, since family members share the same network and devices, the team member must also be familiar with their digital habits.
For many organizations, this level of intimacy would be considered improper.
4. Reporting liabilities
To protect critical industries and national infrastructure, many companies must report cybersecurity incidents to the SEC or the federal government. But what if that incident results from sloppy cyber manners by executives at home?
Any CISO, legal counsel or compliance officer would be reluctant to report an executive, their family, or even the internal employee in charge of their digital protection as a cyber liability.
Leave protecting executives’ personal digital lives to the experts
In addition to the reasons cited above, it’s important to remember that no organization has the authority to mandate security controls or enforce security and privacy policies inside the home of its executives. As such, a clear divide exists between an executive’s at-work digital life and their non-work digital life. Even if the executive and family were amenable, legal teams would not allow the organization to monitor personal networks and devices due to personal privacy concerns.
Call it a separation of church and state or think “Severance,” the Apple TV+ show where workers undergo a “severance” procedure to create a version of the self that only exists at work and is separate from their non-work self. There are compelling compliance, ethical, legal, and privacy reasons why CISOs and their teams can’t protect executives in their personal digital lives, even if they wanted to.
That’s why BlackCloak pioneered digital executive protection. Our Concierge Cybersecurity & Privacy™ Platform helps reduce cybersecurity risks to executives in their personal digital lives – without getting in the way of their productivity or privacy.
BlackCloak also lifts the burden of executive protection from the security team. As a SaaS-based platform with white-glove concierge support, BlackCloak is simple and seamless, making it easy for executives to monitor activity in real time with help just a phone call away.
Furthermore, BlackCloak is frictionless, highly tailored, and fits in with family life without onerous rules or controls. Executives and their families can even view it as a perk.
If you’re wondering what more you can do to protect your executives, step back and let BlackCloak’s digital executive protection solution do the work.