Take it to the boardroom: Elevating the cybersecurity discussion
As data breaches continue to rise, organizations, regardless of their size or industry they are in, must take into consideration a new mindset. Despite the FBI’s focus on cybercriminal activity, less than five percent of computer-related crimes are successfully prosecuted. Unfortunately, jail time and other penalties are rare, despite the pervasiveness of cybercrime and cyber espionage. Corporate decision makers are faced with a shocking reality: from a cyber perspective, they are on their own when it comes to protecting their reputations, intellectual property, finances and consumers.
That having been said, it is no longer a good idea to consider the IT department solely responsible for the protection of important data. Instead, it should be assessed and managed at all levels throughout an organization. Each operating group within a company is vulnerable due to Internet-connected technology. Taking a broader look at security can help mitigate daily threats that assail companies. When it comes to data breaches, the question is not if, but when a company will be targeted. This should dictate a shift from the current security investment deficit.
Currently, only eight cents of every IT dollar is spent on security, which is inadequate for the majority of organizations, both large and small. At these levels, customer and corporate information is not sufficiently protected when facing the hostile cybercriminal community. Reputations are at stake and brands could be jeopardized due to lax measures. Understanding that more than data is at stake, decision makers and board members must make data protection a top priority.
Boardroom: Rising to the challenge
Appointing a chief information security officer (CISO) to take the lead in keeping corporate data safe is a step taken by many forward-thinking companies. While this is a move in the right direction, the big question is to whom these individuals should report. In the past, the answer has been the chief information officer (CIO).
While this seems logical, the problem lies in the competing priorities of a CIO and CISO. CIOs are typically only focused on technology infrastructure and resources, with the most concern for increasing efficiencies, access and resiliency.
Though important, these can be in opposition to the needs of a CISO, who aims to improve enterprise-wide security measures and risk management across all silos. When considering governance, placing the CISO within the purview of an executive with broader responsibilities, such as a CEO, is advisable.
Due to the myriad of overarching implications, today’s enterprise leaders should be held accountable for cybersecurity, regardless of their role. A prime example is the chief marketing officers. The executives are typically more focused on how the Web is used, with email campaigns, mobile app development and website updates, but these promotional endeavors can leave the door open for malware or other attacks to be released on unsuspecting customers. At each operating level, the influence of technology demands an awareness of where security fits into everyday functionality.
Preventing the spread
An additional justification for broadening security responsibly across an organization is the propensity for threats to emerge as moving targets. Malware infections often migrate laterally within an enterprise, as well as from third-party vendors. When a network becomes compromised, attacks can be widespread in the entire IT framework and supply chain, in what is known as “island hopping.”
The Target breach is a good example of island hopping at work. The investigation revealed that hackers had infiltrated a vendor’s system in order to steal the retailer’s credentials. As a result, criminals successfully gained access to information of approximately 40 million customer credit cards, potentially affecting more than 100 million consumers. The impact of this attack is still being felt across the retail sector today.
It can be easy to overlook third-party partnerships from a security perspective, but these potential gaps warrant the awareness of corporate leadership. Examining the policies of partner organizations is one way to strengthen internal security, particularly if the company is publicly traded. The fact that these partners often have access to sensitive information, making them attractive targets, cannot be ignored.
A holistic perspective to cybersecurity can help mitigate the risk of system-wide threats.
A new attitude
For the last 20 years, corporate focus has consistently been on cutting costs, improving access and increasing efficiencies. That level of commitment should now be given to customer, partner and investor information, and to making it secure as possible in the digital world. Physical safety is an expected convenience of in-store shopping, and online environments should offer information security. Therefore, enterprises should invest between 10 to 20 percent of their IT budget in cybersecurity as a function of brand protection.
Elevating cybersecurity to an operational and risk management priority will take effort and focus but can yield many dividends. For this practice to become a reality, boards of directors must educate themselves to improve governance and oversight. To stay ahead of the bad guys, a shift in investment strategy, as well as strong improvements to employee training and reporting structure are paramount.