Steve Surdu is a Senior Cybersecurity Advisor at Covington and a member of the firm’s Cybersecurity Incident Response Team. Prior to joining the firm, Steve served as Vice President of Professional Services at Mandiant, a leading cybersecurity firm.

Steve has more than 35 years of experience both as a consultant and as a senior executive at information security companies. His security experience involves evaluating and developing policies, architecting hosted environments, assessing network and application vulnerabilities, and conducting incident response investigations. He has a deep working knowledge of multiple sectors including internet service providers, telecommunications, high technology, financial services, healthcare, manufacturing, retail, and state and federal government.

It’s clear that cybersecurity has become a real business issue. How do you see cybersecurity being managed as a business risk at the executive level?


With cyber breaches making front-page news, security awareness has moved beyond the data center and into the executive suite. Senior management now understands the importance of quickly identifying when data is lost because of escalating fines, class action lawsuits, and significant reputational damage. Therefore, they are more engaged in cybersecurity than ever before.

My recent experience working with companies of all sizes and from all different industries has shown me:

  • Security is being given a more prominent position within the organization.

In the not-too-distant past, cybersecurity often did not appear on a high-level organization chart or was buried under layers of information technology leadership. Today, cybersecurity has become a standalone entity that reports to the Chief Legal Officer, the Chief Risk Officer, or the Chief Operating Officer. It is often run by a Chief Information Security Officer or a Director of Security who has spent most of their career specializing in the area. The separate reporting structure provides a degree of autonomy and allows the organization to strike a better balance between security and operational priorities.

  • Board members are more engaged in cybersecurity.

One criterion that is becoming more common when identifying independent board members is experience with cybersecurity.  While few organizations will add a board member for that skill alone, cybersecurity has gained a high enough profile that the inability of the board to address this issue is viewed as a limitation.

Boards have also begun to focus on cybersecurity as a critical business issue.  Although it may not be a standing topic for the full board, it has become standard practice for the audit committee to include cybersecurity in its agenda.

  • Both C-suite members and boards are increasing their knowledge of how to deal with significant cybersecurity events.

As C-suite members and boards are working to increase their knowledge of how to deal with cybersecurity events, tabletop exercises are becoming commonplace. The objective is to present senior management with a realistic cybersecurity event and require them to work through the scenario under real-world constraints. Following the exercise, it’s important to debrief and discuss both what worked well and what can be improved.

As the cybersecurity industry has matured, corporations have given the area more authority and scrutiny. While this is most obvious in large organizations and industries that rely heavily on information technology, these changes have occurred to varying degrees across all industries. Cybersecurity will always remain an area that requires specialized expertise to manage, but its importance has become painfully obvious to senior management, and they will continue to focus on addressing the risk that comes with it.