“Just because you’re paranoid doesn’t mean they’re not out to get you,” the old line goes, which seems like a fitting way to talk about cybersecurity and leadership. CEOs have the dilemma of rationally thinking about security threats, while recognizing that those threats are very real.

In my feature for the latest issue of Associations Now, I wrote about some of the latest cybersecurity threats at associations—including ransomware and exploiting the internet of things—and explored some of the ways organizations have responded. As with most important issues, a proactive approach that anticipates threats is helpful. And one critical element of that, of course, is making sure that top leaders are part of that discussion.

There needs to be C-level buy-in to any data security compliance program.

Problem is, the CEO often isn’t. An ISACA/RSA Conference survey earlier this year pointed out that while cybersecurity is a concern for an overwhelming majority of boards, only one in seven security chiefs report directly to the CEO. Moreover, respondents see a problem at the top: Fewer than half (43 percent) said their organization’s executive team follows good security practices themselves.

Frank Schettini, chief innovation officer at ISACA, an association of information-systems professionals, says it’s increasingly critical to frame cybersecurity as a business and strategic concern, not just an IT one. “This is where our industry has to do a better job,” he says. “Now that we’re going to be speaking to board directors and C-suite members, our professionals aren’t used to that. There’s a different level of conversion that needs be had. Training individuals and communicating in a language of board of directors and C-suite is one of the challenges that we’re facing.”

But communication is a two-way street, and many of the experts I spoke with lamented the lack of engagement from the C-suite with cybersecurity threats—indeed, they say that the problems sometimes start from the top. “That’s what I hear time and time again from people who deal with security breaches and do forensic analyses,” says S. Keith Moulsdale, a partner at the law firm Whiteford Taylor Preston who focuses on cybersecurity issues. “What they’re finding is that the biggest culprits in organizations are the people who kind of feel like the rules don’t apply to them, they’re a little more entitled. That creates a culture in organization where people go, ‘Hey, well the CEO, the CTO, or whoever aren’t doing it, why should I do it?’ They really need to set the tone and then send the signal internally: ‘It’s really critical for our organization to protect, not only our employee information that’s collected but also our membership, certificant, or applicant information.’”

So how to clear that hurdle? James DeHoniesto, director of business technology optimization and cybersecurity at SSD Technology partners, recommends that the C-suite be involved in the creation of an incident response plan. That engages leaders in the importance of the problem—and also forestalls them from making it worse. “The CEO and the COO, CFOs are typically involved [after a security breach], but those three need to be engaged prior to this,” he says. “Part of why they need to be involved and engaged in that is so that if this happens, there’s not the panic that can typically occur where people are potentially perpetuating the attack because they’re copying files to other computers because they’re worried about what’s happening internally and/or ignoring it and allowing it to create an even bigger problem or issue.”

“There needs to be C-level buy-in to any data security compliance program,” Moulsdale says. “They really need to set the policy and actually comply with it themselves.”

Association executives talk often about the “tone from the top” in an abstract way—that the temperament and confidence expressed by a CEO trickles down to the rest of the organization in ways that can be difficult to see. Cybersecurity, though, is one of those cases where the engagement of the C-suite makes a palpable difference in the organization, not only keeping the association’s data safe through their own behavior but stressing the importance of everybody to do the same.

How does your organization plan ahead for cyberattacks and communicate the importance of data security? Share your experiences in the comments.

(iStock/Thinkstock)