As Cyber Risk Escalates, the C-Suite Must Take Action
This article was published on LinkedIn on April 19, 2018.
So far, 2018 has started out to be a very good year for cybercriminals. In the first week of April alone, restaurant chains and large department stores, some of America’s major retailers, disclosed significant data breaches. A multitude of government and healthcare organizations around the world have also been breached in the short three-and-a-half months of this year.
The trend is accelerating, and the disclosure of breaches has moved from weekly to nearly daily, sometimes with several in a single day. With the role C-suites and boards have in the management of the organization’s financial and reputational risks, the questions business leaders need to ask themselves are: How prepared is my organization, from top to bottom? Are the right people responsible for cyberthreat preparedness? How well do our C-suite and board understand the plan and the liability issues they may face from poor cybersecurity planning and incident management? How resilient is our organization in the aftermath of a significant breach?
C-Level and Board Responsibility for Cyber Risk — Still Over-Focused on IT
In one report from CSO Online called “The Current State of Cybercrime,” from a study conducted less than a year ago in the U.S., it was found that 6 out of 10 boards “believe cyber risk is an IT problem.” As long as this belief exists, organization leaders will remain disengaged from the solutions and their role in supporting a robust cyber risk management strategy. With the number and severity of cyber risks growing exponentially, the magnitude of this risk needs to be better understood by many business leaders.
For those who still think cyber risk is an IT problem, I challenge them to consider this:
- Cybercriminals are organized. They may have more ‘employees’ than your security department and better tools than your IT department. Cybercrime is coordinated, automated and well-funded. The criminals are sharing tools and collaborating globally. Are you?
- Your organization’s exposure to attacks (through mobile devices, in the cloud, through IoT) is growing exponentially. The days of simply building walls around your data center are over.
- Criminals are opportunistically seeking your organization’s “inadvertent insider” who will blindly click on an attachment. The latest IBM X-Force Threat Intelligence Index report found that inadvertent insiders were responsible for more than 20 percent of the breaches in 2017, up from the previous year, and for more than two-thirds of total records compromised.
- With a global skills shortage, other organizations are trying to poach your security employees and pay them better than you can. This will be a continuing problem. Open cybersecurity jobs are forecast to hit 1.5–2 million globally by 2020. So those enlisted to protect your organization may not be there next week or next month, including your security leadership.
Organizationwide Responsibility Is Critical in Security Strategy
Having a high-level, comprehensive cybersecurity strategy has never been more important, particularly in light of the digital transformation taking place across industries. Innovative new business models using new technologies like the Internet of Things (IoT), blockchain, mobile and cloud must include top-down recognition and protection from the tremendous cyber risks created if business-enabling innovations are not managed properly and systematically. Based on our experience and research, one thing is very clear: An effective security program, including risk identification, investments, plans and a well-coordinated incident response plan, is an organizationwide responsibility. C-suite executives that take cybersecurity seriously should implement best practices across the company. They need to:
- Understand the true exposure. Have an accurate assessment of your cyber risk. Understand your “crown jewels,” both data and systems that are at risk. Where is the company implementing new digital initiatives such as cloud or blockchain or IoT? Have you considered the risk and how to manage those initiatives in a secure and compliant way? Have you tested your controls and decided which need strengthening?
- Prioritize security investments in a way that links with this assessed risk.
- Ensure that your program includes intelligence of new and emerging cyberthreats.
- Implement a response and recovery plan to keep your business running in the event of cyberattack. This should be practiced routinely across the C-suite. Our experiences from our IBM Cyber Range show that small details (e.g., know who is in charge, how you will communicate and what are the roles of the team) can be the difference between success and failure in responding in a timely manner.
- Remain vigilant. Keep challenging your approach. There must be a culture of cybersecurity awareness, essential training, and constant questioning and testing across the organization. The threat is constantly changing; security requires vigilance and a mindset that never assumes, “We’ve fixed security now.”
Plans Don’t Have to Be Perfect
The best plans are not perfect, but they are robust. Robust plans consider failure points, build in contingencies, and are designed to help us learn quickly and adjust. In cybersecurity planning, C-level executives and boards need to build a strategy that prepares the organization for the entire threat and risk management life cycle, from insight to determining priority vulnerabilities and potential threats, through to prevention, detection, and response and recovery. The response and recovery plans need to be tested and practiced, something we are helping thousands of clients simulate in our Cyber Range.
In a highly publicized speech in 2014 titled “Boards of Directors, Corporate Governance and Cyber Risks: Sharpening the Focus,” then-Securities and Exchange Commission Chair Luis Aguilar made some critical recommendations:
- Boards should consider the NIST Cybersecurity Framework.
- Boards should consider structural changes to focus on cyber risk.
- Internal roles should be focused on cyber risk.
- Boards need to ensure preparedness for the inevitable cyberattack.
This was some of the best advice then, and it’s still some of the best advice today.
Now, more than ever, it is critical that a cybersecurity strategy is viewed as more than a set of technologies and instead as an enterprisewide program, led from the top, that creates a comprehensive approach tailored to risk and compliance, governance, risk reduction and, above all, business resiliency.