Why Your Board Should Define a Risk-Driven Security Strategy

Security is no longer just an IT concern – it has shifted to being an issue discussed in the boardroom. There are three reasons for this move. First, enterprises of all sizes understand that they are under relentless attack from cyber criminals. The value of financial and personal data is substantial, measured either in the criminal proceeds derived from data theft or the damage to reputation suffered as a consequence of a data breach.

Second, the EU General Data Protection Regulation (GDPR), which applies from May 2018, includes mandatory breach notification clauses. This means that a breach of personal data will have to be disclosed to the relevant supervisory authority (under the regulation, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to put individuals at risk). We expect to see the number of declared security breaches increase dramatically as the legislation takes effect, revealing the true state of security at large. Boardrooms worry about the damage to reputation and brand equity that may result from a data breach more than they worry about the heavy fines GDPR introduces.

Finally, and most importantly, boards need to invest in new strategies and technologies to keep their businesses growing and profitable. But new technology introduces new security challenges, and security has traditionally been a blocker to the adoption of such innovations. The business imperatives that drive the use of new technology now demand that security enables innovation, rather than hampers it.

Boards often do not understand the technical details of security, given that their members are unlikely to come from a deeply technical background, and security gets very technical very quickly. However, they do understand risk. The expression of a security strategy articulated in terms of risk means that board members are more likely to understand both the importance of what is being proposed, and the consequences of not paying sufficient attention to security.

To foster board-level buy-in, where should a risk-based security strategy begin? IDC believes that security starts with data. It is imperative that any enterprise understand what data it holds, the value and importance of that data, and the risk associated with that data being lost or stolen. Once an enterprise understands its data and its risks, it can deploy appropriate people, processes and technologies to secure its most sensitive assets.

But achieving an understanding of the exposure to risk for data is not as easy as it sounds. Many organisations have an incomplete or inaccurate picture of the data they hold and of its significance. In addition, enterprises copy data and distribute it throughout the organisation, usually for very good reasons (reporting, analytics, backup, etc.). Such dispersal multiplies the places where data can be lost or stolen and makes it difficult to control.

Another challenge for organisations is ascertaining data's value and importance. Certain types of documents, such as contracts, have an inherent commercial sensitivity, and data classification tools can detect key personal data formats such as credit card numbers and dates of birth. But what about sources of data whose sensitivity has less clear-cut boundaries, such as the content of emails? Or files shared between business partners via the cloud? Or the location of plant and machinery? Each of these is potentially very sensitive depending on who has access to the data and what their intentions are, and that is a judgement about context that pattern-matching tools cannot make on their own.

The job of the board in security strategy is to provide clarity on the value and importance of data to the rest of the business. Often, the validity or otherwise of a risk assessment only becomes apparent in the aftermath of a major incident. In considering their security risk position, board members may wish to take this test: having just suffered a data breach, would they be willing to stand up in a court (of law, or of public opinion) and justify their risk assessment? If not, they should revisit it now, before an incident forces the question.

Duncan Brown is Research Director, European Security Practice, at IDC and leads the firm’s security research program in Europe.