When is a security breach like a natural disaster? When it’s unexpected… which means, almost all the time.
The majority of boards are not involved in deciding security strategy, and research shows that fully three quarters of boards do not review security and privacy risk. All too often, companies let the CIO handle the issue of enterprise risk. It’s viewed as something technical, so they mistakenly believe the risk can be completely addressed with the correct tools. As a result, they turn the issue over to the CIO and assume the need for their involvement is over.
Sadly, this common misconception could have disastrous consequences. Business executives need to understand that cyber risk can’t rest solely on the shoulders of the CIO or CISO. It’s an enterprise-wide issue with enterprise-wide implications – and it is far from a technical issue. It takes an average of 205 days to discover an intrusion in a network, and by the time it’s discovered, the attackers have already stolen whatever they want. A serious breach can result in more than stolen data. It can mean the loss of reputation and revenue – two areas the shareholder cares about, which affects the board in a significant way.
Many CIOs can attest to the challenge of getting the senior executives to free up their calendars and make time for a cyber security reality check. There are always other pressing needs that seem to take precedence. So what’s a CIO to do?
We’ve got to make the C-suite executives and the Board understand that they need an investment plan that matches the overall security strategy. We also need them to recognize that they need to play as much of a role in that strategy as any technology we could purchase. I recommend three points to help them see that a security strategy is an insurance policy, of sorts:
- Ask your executives to answer these questions: How secure do we need to be? How good is good enough? Is it enough to meet compliance requirements, or do we want to shore up defenses so attackers can’t get in and steal personal information? Unless we’re willing to spend enough to be 100% secure (and quite frankly, that’s impossible to guarantee), what tradeoffs are we willing to make?
- Talk about the evolving cyber security landscape. Cyber threats are growing faster than any other category of business risk, and the gap is likely to continue to increase. Breaches are inevitable, and the areas put at risk when they happen are broad and deep: from a compromised system or supply chain to the financial implications of non-compliance and breach notification. You not only face compromised or lost data; your brand will also take a huge hit that it may not recover from. Add to that the legal risks resulting from regulatory fines and failure to keep customer commitments, and it adds up to a game-changing argument. Once your decision makers understand the potential losses they face on multiple levels, the cyber protection discussion should flow.
- Balance security against the other projects you manage. The solution is to separate cyber security from your IT budget, and ensure that the amount you’re designating matches your risk profile (determined by the questions in the first point above).
Conversations about business risk simply have to include discussions about cyber risk. They’re not separate entities, and enterprises can no longer afford to treat them that way. The executive team needs to be involved in decision-making, and they have to understand enough about their organization’s security to get the Board’s buy-in. Ultimately, both groups are responsible for protecting the shareholders. One surefire way to do that is to talk about the possibilities and have a disaster plan in place – for hurricanes, tornadoes and breaches alike.