The increase in the number of corporate-targeted cyberattacks over the past few years, combined with an increase in the complexity of those attacks, has caused cybersecurity to be scrutinized in the boardroom like never before. As seen with major shake-ups among corporate leaders following massive data breaches, CEOs and other top leadership are now fully invested in the overall security health of the organization, and they will expect CISOs to keep them informed of security concerns, status and potential risk.
For CISOs, this attention is a double-edged sword. The increased visibility of their position could be beneficial, but their performance will be scrutinized by the highest levels of management. In light of this, NYSE Governance Services, in partnership with CA Veracode, recently conducted a survey entitled "Cybersecurity in the Boardroom," in which they asked 200 directors of public companies to gauge their thoughts on cybersecurity.
CISOs may be particularly interested in the findings regarding the board's top concerns. The survey found that brand damage, corporate espionage and breach costs were the top reasons for worry, and fully understanding these concerns can help CISOs target their efforts both when building a security plan and presenting before the board of directors.
There may be no better gauge for how much IT has changed the corporate world than the fact that the number one concern regarding cyberattacks is brand damage. This proves that IT is no longer an ancillary aspect of the business, focused on productivity only, but rather a proxy for the business itself. If customers feel the company's IT can't secure their information, they will simply take their business elsewhere, regardless of how effectively the rest of the business is run.
For CISOs, the concerns regarding brand damage force a response that combines tough security controls with visible efforts to secure the network. At this point, cyberattacks may be inevitable, but if a business can prove it made all reasonable efforts to prevent the attack and reacted quickly (which includes notifying potential victims in an expedited manner), then the damage to the brand may be limited. True cybersecurity requires much more than detection and a response plan, but given the fear over brand damage, highlighting these aspects when presenting to the board may be beneficial for CISOs.
Corporate espionage has been a concern for as long as there have been corporations, but the idea is especially disconcerting when every minute detail of a corporation lies within data files on various systems. A successful breach could provide competitors with enough information to cripple the business, and even if those competitors aren't doing the espionage themselves, hackers are increasingly looking to turn a profit rather than cause mayhem, and they wouldn't think twice before selling the secrets they collect on the black market.
Given the damage that this loss of information could cause, CISOs must have a cybersecurity plan that mitigates this risk. This includes a network architecture that properly segregates different areas of the network, so a breach in one minor area doesn't immediately provide access to secret or mission-critical information. It also means a focus on breach detection, so multi-stage threats can be neutralized before the final attack occurs. Finally, the tooling itself must be current and analytical: a cloud-based security solution keeps defenses up to date, while analytics can call attention to a potentially dangerous situation, such as data suddenly flowing to IPs in a part of the world where the company doesn't operate.
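The last point above, egress to regions where the company has no presence, is one of the simpler analytics to put into practice. The script below is an added example, not code from the original post or from CA Veracode: it parses constructed outbound flow records, maps each destination IP to a region through a constructed prefix table (a real deployment would use a GeoIP database), sums bytes sent per region, and raises an alert when volume to a region outside the assumed operating footprint crosses a threshold. The prefixes, regions, hosts and threshold are all assumptions made for the example.

```python
"""Flag outbound data volume to regions outside the company's operating footprint.

Added illustration of the "data flowing to unexpected regions" analytic.
All IP prefixes, region codes and flow records below are constructed; they
are not real GeoIP data and not taken from any real network.
"""
import ipaddress
from collections import defaultdict

# Constructed prefix -> region table (assumption; stands in for a GeoIP lookup).
REGION_PREFIXES = [
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "XX"),  # placeholder region, not in footprint
]

# Regions where the hypothetical company operates (assumption).
OPERATING_REGIONS = {"US", "DE"}

# Constructed flow records: timestamp, source host, destination IP, bytes sent.
SAMPLE_FLOWS = """\
2024-01-01T02:00:00Z 10.0.0.5 198.51.100.20 120000
2024-01-01T02:01:00Z 10.0.0.5 192.0.2.44 950000000
2024-01-01T02:02:00Z 10.0.0.7 203.0.113.9 45000
2024-01-01T02:03:00Z 10.0.0.9 192.0.2.45 2000
"""


def region_for(ip: str) -> str:
    """Return the region code for an IP, or UNKNOWN if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, region in REGION_PREFIXES:
        if addr in net:
            return region
    return "UNKNOWN"


def parse_flows(text: str) -> list:
    """Parse whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "bytes": int(nbytes)})
    return flows


def aggregate_egress_by_region(flows: list) -> dict:
    """Sum bytes sent per destination region."""
    totals = defaultdict(int)
    for f in flows:
        totals[region_for(f["dst"])] += f["bytes"]
    return dict(totals)


def flag_unexpected_egress(flows: list, operating_regions=OPERATING_REGIONS,
                           threshold_bytes: int = 100_000_000) -> list:
    """Alert on regions outside the footprint whose egress volume meets the threshold.

    UNKNOWN destinations are treated as outside the footprint on purpose: an
    unmapped destination is exactly what an analyst should look at first.
    """
    alerts = []
    totals = aggregate_egress_by_region(flows)
    for region, total in sorted(totals.items()):
        if region in operating_regions or total < threshold_bytes:
            continue
        hosts = sorted({f["src"] for f in flows if region_for(f["dst"]) == region})
        alerts.append({"region": region, "bytes": total, "hosts": hosts})
    return alerts


if __name__ == "__main__":
    for alert in flag_unexpected_egress(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT region={alert['region']} bytes={alert['bytes']} hosts={alert['hosts']}")
```

The threshold and the per-region aggregation window are the two knobs that decide the false-positive rate; in practice the baseline is a rolling volume per region computed from normal traffic rather than a fixed constant, and the host list in each alert is what lets the response team pivot straight to the affected systems.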
The mitigation of breach costs comes from the standard combination of tight controls and a robust response plan, but those should be part of any CISO's cybersecurity solution anyway. The important thing to note here is that CISOs can utilize the true cost of a breach when working on their budget for the coming quarter or year. Robust cybersecurity can be expensive, but it costs significantly less than a large breach. If the CISO points out the cost of breach cleanup, forensics, lawsuits and credit reporting for affected customers, the ounce of data loss prevention offered by a strong security solution sounds much more favorable than the pound of cure.
CISOs who address the security concerns described in this report as they build their solutions and their message will find themselves with a leg up when dealing with the board. For more on understanding the board's concerns and how to proactively address them, download the full whitepaper here.