
"Every company today is at huge risk of losing sensitive, privacy-protected information to hackers. Every company today … is susceptible to state actors attacking their systems to get very sensitive, proprietary business information. And every company today, to some extent or another, is at risk of having their public-facing systems taken down through denial of services attacks."
Michael Leiter, former director of the National Counterterrorism Center and a presidential advisor on cybersecurity, painted a sobering picture of the IT landscape in a recent Microsoft Virtual North America CIO Summit Q&A. "When I left government and I would talk to Fortune 500 CIOs, about a third to a half thought that cyber threats were really significant. I don't think that's the case today. I think 100 percent understand."
A CIO's job is to lead the charge for securing data and to convince the rest of the C‑Suite to invest in and prioritize protection efforts. First, the CIO must engage other executives to identify information that would give competitors a huge advantage—material that would be most painful (or even fatal) to lose.
Leiter advises finding a set of real-world case studies that show how similarly situated companies were still penetrated despite efforts to protect themselves. These examples can act as a wake-up call for colleagues who assume "a little effort" is good enough.

He reminded attendees that technology is only as good as the people who use it. "You can set up perfect technology, perfect defenses … [and] it's still going to turn out that if you have an employee that clicks on a PDF file [that] has a sophisticated, advanced persistent threat embedded in there, technology probably isn't going to save you."
Two of the biggest mistakes a CIO can make are overlooking internal risk and failing to monitor external parties that access corporate systems, such as suppliers, law firms, and equity partners. Spend time auditing access levels and closing access paths that are not in regular use; careful monitoring of these often under-protected connections can help IT departments spot a problem before it turns into a nightmare.
For organizations that need outside support, consider services that assess configurations and controls. Independent reviews and audits can be helpful; for example, the policies and reporting that accompany Security Audit Insurance may help determine which risks to prioritize.

Smaller companies aren't immune to these vulnerabilities, and cloud-based information storage can be a practical option for them. "The cloud doesn't solve every problem, but I think, to smaller organizations and nonprofits, the cloud is a really, really valuable way of investing effectively in security," Leiter said. When evaluating cloud or hosted options, also review broader protections, such as those associated with Internet Security Insurance, for additional perspective on vendor and online risks.
Leiter returned to one notion several times: storytelling is a critical skill for a successful CIO. A convincing narrative about potential dangers, best practices, and—importantly—horror stories can persuade everyone, from a facilities worker who forwards risky emails to an executive reluctant to loosen the purse strings, to keep information security top of mind.

If you need help comparing coverage or assessing risk transfer options, talk to an agent.
Frequently Asked Questions
How should a company prioritize cybersecurity investments?
Start by identifying the most sensitive data and systems, then prioritize controls and monitoring where a breach would cause the greatest operational or reputational harm.
What role do vendors and external partners play in cyber risk?
Vendors and partners often create indirect access pathways; audit their privileges regularly and monitor activity to detect misuse quickly.
Can small organizations rely on the cloud for better security?
Cloud providers can offer advanced security capabilities that many small organizations cannot build in-house, but customers must still configure and manage controls correctly.
How often should access rights be reviewed?
Access reviews should occur at regular intervals and when personnel or vendor relationships change, with high‑risk privileges reviewed most frequently.