Data protection and cybersecurity were, until recently, believed to be the domain of CIOs and IT departments. In recent years though, CEOs and boards of directors have realized the catastrophic consequences data breaches can have on a business and have begun getting more involved in decisions surrounding cybersecurity and data protection strategies.
Companies have traditionally relied on CIOs or IT departments to make the right calls concerning cybersecurity policies. Their responsibilities range from choosing the products that will protect the company network to organizing training sessions that raise employees' awareness of cybersecurity threats and of the best practices for avoiding and reporting them.
However, as the number of data breaches rapidly escalated, hitting major players in every market, and as data protection legislation was adopted around the globe, pressure also mounted on CEOs and boards to ensure that data breaches do not occur and that reliable cybersecurity frameworks protecting sensitive data are in place.
According to Accenture’s 2018 State of Cyber Resilience report, CEOs and boards had the ultimate say in cybersecurity issues in 66% of the surveyed companies and 59% of cybersecurity budgets were authorized by boards of directors or CEOs, a 33% increase from 2017.
As CEOs and boards take a more active role in cybersecurity strategies, CIOs and IT departments need to be aware of their key concerns and how they can answer them. Here are the most prominent three:
1. Is the company compliant at all times?
The question of compliance is a complex one. CEOs’ number one concern is ensuring that companies avoid unnecessary fines and the scandal and loss of customer trust that accompany major data breaches. Not only that, their own careers are at stake: many CEOs are forced to resign in the wake of a major data breach.
With countries adopting increasingly complex data protection legislation, CEOs wonder whether their company is compliant at all times. While many data protection regulations share similar requirements – having adequate cybersecurity software in place, for example – and many have taken inspiration from the EU’s General Data Protection Regulation, some key points differ from country to country. It is also worth noting that many of these new or updated laws feature an extraterritoriality clause.
It is therefore important that companies doing business across borders, even if only digitally, ensure that they have looked into compliance requirements for all countries they collect sensitive data from.
2. Can all data be protected even when devices are not connected to the company network?
As organizations go global, the growing need for business trips and the movement toward flexible work hours have led to a rise in remote work. CEOs are aware that data does not always stay on company premises, but travels as they themselves often do. To reassure them, managers must look into data protection solutions that work both off-site and on-site. After all, the company network can be an impenetrable fortress, but it will not prevent data loss when employees take sensitive information out of the workplace.
Remote work also implies device mobility: laptops, USB drives and mobile phones that can easily be physically stolen or misplaced. Managers in charge of data protection policies must make sure that, in such cases, the data on lost or stolen devices cannot be accessed. This is commonly done through encryption and activated remote wipe options.
The problem of compliance also comes into play here. Losing the protection afforded by the company network can mean that data on the move is no longer protected as data protection laws require, effectively making the organization noncompliant and liable to fines if a data breach occurs through a device located outside the company network. It is therefore important to also consider data protection on the endpoint.
3. What impact do data protection policies have on employee productivity?
A last major concern, employee productivity, is one that many CIOs and IT managers fail to consider, since data protection policies are a necessity for meeting compliance and cybersecurity needs. For CEOs, however, employee productivity affects the bottom line. Cumbersome policies can also undermine compliance efforts by pushing frustrated employees to look for ways of circumventing these complex, but often not infallible, policies.
CIOs must consequently consider how data protection policies affect employees' working habits and ensure that they choose granular solutions that allow a high degree of flexibility based on a person’s department or position. Just as different departments often use different specialized software to increase their efficiency, policies must reflect the type and sensitivity level of the data each department works with.
As CEOs and boards get more and more involved in cybersecurity oversight, CIOs and IT managers must be prepared to answer all their concerns and work together with them to build efficient cybersecurity frameworks that will ensure both compliance and protection against data breaches.