For a modern organisation, the threat of a security breach is omnipresent. Attacks differ in scope and reach, but a serious breach can be the corporate equivalent of a natural disaster.

The majority of corporate boards are not involved in security strategy.

Research shows that three-quarters of boards do not review security and privacy risk. All too often, companies are content to leave enterprise risk to the CIO. Because they view it as something purely technical, they mistakenly believe the risk can be addressed simply by buying the right tools.

As a result, they hand the issue over to the CIO and wrongly assume that their own role ends there.

Sadly, this common misconception can have disastrous consequences. Business executives need to understand that cyber risk cannot rest solely on the shoulders of the CIO (chief information officer) or CISO (chief information security officer). According to a study by International Data Corporation (IDC), 57 per cent of enterprises said that maintaining a secure IT environment was their biggest concern in 2014. Those heading IT departments cited a distinct lack of executive management support and of an information security strategy among their main enterprise security challenges.

Cybersecurity is an enterprise-wide issue with enterprise-wide implications, and far from a merely technical one. Intrusions go undiscovered for an average of 205 days. By the time a breach is found, the attackers have had ample time to get in, extract the information they want, and get out.

And a serious breach has repercussions beyond the stolen data itself. The loss of reputation and revenue, two things shareholders care about and which weigh heavily on the board, can do long-term damage to any organisation.

Many CIOs can attest to the challenge of getting senior executives to make time for a cybersecurity reality check. There are always other pressing needs that seem to take precedence. So what’s a CIO to do?

C-suite executives and the board of directors need to understand that any investment plan should match the overall security strategy. They also need to recognise that their own role is no less important than the technology used to implement that strategy. Making them see this is the CIO's job.

Ask your executives to answer these questions: How secure do we need to be? How good is good enough? Does it mean simply meeting compliance requirements, or do we want to shore up defences to keep attackers out? Given that no amount of spending can guarantee 100 per cent security, what trade-offs are we willing to make?

It is important to talk about the ever-evolving cybersecurity landscape. Cyberthreats are growing faster than any other category of business risk, and that gap is likely to widen. Breaches are inevitable, and the areas put at risk when they happen are broad and deep, from a compromised system or supply chain to the financial implications of non-compliance and breach notification.

A brand faces not only compromised or lost data, but also a blow to its reputation from which it may never recover. Add the legal risks from regulatory fines and from failing to keep commitments to customers, and it adds up to a game-changing argument.

Once decision-makers understand the potential losses they face on multiple levels, the cyber protection discussion should flow.

Balance security against the other projects you manage. One way to do so is to separate cybersecurity from the general IT budget and ensure that the amount you allocate to it matches your risk profile.

That said, a fundamental shift in thinking is becoming evident, if slowly, among regional enterprises. A slew of targeted and complex attacks across the region is making organisations take notice and take information security seriously. Furthermore, developments such as bring-your-own-device (BYOD), the cloud, big data, enterprise mobility and social platforms will further change the way organisations and executive management deal with the complicated issue of cybersecurity.

Conversations about business risk simply have to include discussions about cyber risk.

They are not separate subjects, and enterprises can no longer afford to treat them that way. The executive team needs to be involved in decision-making, and it has to understand enough about the organisation's security to get the board of directors to buy in. Ultimately, both groups are responsible for protecting the shareholders. The surest way to do that is to talk through the possibilities and have a plan in place, for breaches as much as for natural disasters.

The writer is the senior vice-president of business operations and CIO at FireEye.