When a natural disaster hits, communities are often caught off guard and have to rush to respond. More often than not, these communities didn’t anticipate the disaster and therefore are operating in reactive mode. If they had planned ahead, much of the trauma and impact of the disaster could have been mitigated and controlled more quickly.
The same challenge can apply to an organization that experiences a security breach. CFOs and Board members are always keeping an eye on costs and are focused on appropriate budgeting and spending to meet bottom-line targets. However, if a meaningful security breach happens, expense controls can go out the window as companies desperately try to close the breach, bring systems back online, and beef up previously lacking security defenses. Even worse, the brand is affected and top-line sales are often lost.
The cost of cybercrime to corporations has skyrocketed, but investments in security simply haven’t kept up. The typical company only spends between 1% and 5% of revenue on IT security, which seems small when compared to the risk of lost sales, productivity, and brand damage associated with a breach.
Think of one of the most massive security breaches ever that happened a few years ago at a national retail chain. Following disclosure of their breach, the company’s sales declined, causing the company to miss their Q4 guidance. Customers were terrified about their financial privacy, the company’s stock fell, and the CEO was fired as a result. There have been many since, from medical and government organizations, to all types of global businesses. Each time, valuable information is lost and C-level leaders often lose their jobs or face tough scrutiny.
Cost is not the only issue. Another key concern is the current shortage of skilled security professionals. Cybersecurity has no national boundaries, and we are seeing increasing attacks targeted at emerging economies. In fact, two of the highest-profile breaches of this past year were not because of a lack of security investment, but due to the lack of skilled professionals. In addition, new security regulations are being implemented, and companies, including Board members, will be held accountable if they do not meet these new requirements.
Today, the reality is that when dealing with a security event, the majority of organizations continue to work in reactive mode. We need to step away from merely managing breaches and start working to develop a culture of security, moving out of reactive and into proactive mode.
One could argue that the role of the C-suite, and especially that of the CFO, has transformed with respect to this trend. The CFO in particular could very well now be called the CPO – Chief Protection Officer. If you think about it, cybersecurity potentially puts a company’s finances and value at risk, challenges compliance and regulatory strategies, and increases the need for mature policies and practices that safeguard a company’s data and overall security. A CFO as a strategic business and risk management executive should have significant oversight and guidance in these areas. They are no longer “IT only” considerations.
It has now become table stakes for the CFO and Board to be at the forefront of proactive approaches to security in modern organizations. Although there are ways that security staff and organizations can mitigate the damage resulting from increasingly frequent and sophisticated attacks, they don’t control the budget, and as the old saying goes, an ounce of prevention is worth a pound of cure.
There are more than a few naysayers who claim that the cost of adequate security is more than the cost of recovering from a breach. This is not, however, a sustainable or responsible approach. All evidence indicates that breaches will become more frequent, attacks will become more persistent and sophisticated, and the costs of reacting to these breaches will continue to increase. Clearly, brands, jobs, and share prices are all at risk.
Stewardship goes far beyond making money or ensuring the financial success of an organization. It means caring for and protecting the long-term interests of the company, and thinking holistically about the diverse stakeholders touched by the business. However, when it comes to security, the traditional stewards of the organization are not always equipped with the necessary perspective, skills, or knowledge to do this. As a result, security often ends up being viewed as a cost center rather than an essential element of risk management.
But if stewardship is really about the protection and oversight of a company’s assets, both tangible and intangible, then the most critical assets are data, IP, reputation, customer trust, and loyalty. Which means security needs to be a central pillar of that stewardship. Because, as we have seen all too frequently, poor security can undermine or destroy all of these assets, and instead create a loss of value through unnecessary volatility.
More importantly, as stewards of their respective organizations, Boards and executives have a responsibility to their customers, their intellectual property, and their shareholders to ensure the safety and security of their data and systems. Again, this ultimately comes down to thinking about security as a stewardship issue to be addressed directly by the Board.
We can never entirely eliminate risk. It is inherent in everything we do. Given the low cost for cybercriminals to generate a data breach, the difficulty in locating and prosecuting them, and the lucrative reward of a successful breach, it’s safe to say there will always be attacks and attempts at data theft.
However, just because we can’t eliminate risk doesn’t mean that we can’t manage it. This has always been a key function of the Board – assess risk and make appropriate tradeoffs to manage it, while considering the impact across the organization. Security is no different. IT departments can, and should, consider what innovation must be applied to protect the business; for example, pursuing the implementation of new, essential strategies such as internal segmentation should be their area of expertise. But prioritizing which business assets should be accessible by whom, both within and external to the business, must be the purview of the Board, and should be the determination that then leads to action by IT.
In conjunction with the CISO and the rest of the C-Suite, the Board must consider and proactively manage security versus many other factors, including cost, performance, agility, resource allocation (including talent), autonomy and empowerment, strategic initiatives, projects and planning, and go-to-market.
Additionally, some of the most critical areas for consideration are policy and information governance. These are areas where the Board and senior leadership can really make a substantial contribution to an organization’s security. While the technical details can be worked out by a well-funded, savvy, and empowered IT department, and HR and other line-of-business staff can address specific elements of policy and procedure, high-level decisions on policy and the organization’s approach to information security need to come from the offices of C-level executives.
As the arms race among cybercriminals, nation-states, organizations, and the security community heats up, this fundamental shift in approach to cybersecurity will not only keep the good guys one step ahead, but also ensure that organizations can respond swiftly and appropriately when breaches occur. And if recent history has taught us anything, it’s not a matter of if but when they will occur.
Originally published by American Security Today on August 4, 2016.