by Marc Wilczek

Security and the boardroom: From advantage to imperative

Jun 04, 2019
Tags: CIO, IT Leadership, IT Strategy

Detecting and mitigating cyber threats is getting tougher. A quarter of organizations report greater financial damages.

Over the past year, all around the world, corporate IT teams watched in horror as one expensive and damaging corporate security breach after another popped up in the headlines. But the flashy ones that made the news are only a fraction of the ones that actually occurred. The use of digital technology expands every day, and so does the number of cyber criminals lurking on the Darknet who are ready and willing to take advantage of any weaknesses in the tech they can spot. As a result, as highlighted in CSO’s 2018 US State of Cybercrime Survey, organizations of all shapes and sizes have borne an onslaught of cyber-attacks and incurred billions in financial losses.

These unwelcome trends are pushing more and more firms to take IT security more seriously, which is good. But problems still remain on the governance front.

Threat detection is tougher

Although more time and resources are being directed at security than ever before, many organizations are having a hard time keeping a handle on the ever-evolving threat landscape. In fact, approximately one-quarter (23%) of the companies in the survey reported greater monetary losses than last year.

Indeed, one of the downsides of the explosion in digital uptake in the workplace is that it expands the hunting ground for criminals. The more devices connected to a corporate network – and in some organizations running IoT use cases there may be hundreds of thousands, or millions of endpoints – the more potential ways there are for criminals to somehow find their way in. Complicating this is the fact that, increasingly, the market demands greater connections – between companies and customers, between partners and suppliers. But in today’s digital environment, greater accessibility is practically a synonym for a greater attack surface.

The more diverse infrastructure landscape also introduces another pitfall: it makes breaches harder to detect. In 2016, the time between intrusion and detection of an attack was 80.6 days. A year later, it was 92.2 days, and last year it was 108.5 days. This also suggests that cyber criminals are becoming ever more sophisticated and launching more complex attacks.

Tightening regulatory frameworks

The result of all this is that security incidents are having a greater impact on businesses than ever. Whether a breach exposes a massive store of PII data, or a DDoS attack shuts down a business for hours or days, it isn’t just the bottom line that takes a hit. So does the firm’s brand and reputation – two words that resonate loudly with customers and shareholders, not to mention other company stakeholders such as partners and suppliers.

In this light, it’s entirely understandable that regulatory frameworks are being revisited and rewritten. After a successful cyber-attack, 84 percent of respondents to the CSO survey had to notify individuals, regulatory bodies, affected businesses, or the government. In 2017, that number was only 31 percent.

Directors are hearing about security

According to the report, 58 percent of companies say their top security executives brief their boards of directors on cyber issues at least quarterly. The number of companies that don’t keep their boards in the security loop has declined, from 29 percent in 2017 to 19 percent in 2018.

While there’s been some undeniable progress, much more can be done – and, according to the report, it appears that the C-suite is the place to start. The survey respondents said that of all groups that needed the most education and training on security, the C-suite ranked highest, cited by 55 percent of respondents.

Another area for improvement is basic security preparedness. The survey found that while 66 percent of organizations are more worried about cyber-attacks than they were the previous year, many organizations are still falling short on preemptive or post-attack measures. Only 65 percent of them have a formal incident response plan, and – out of the ones that do – only 44 percent test it at least annually. The danger here is obvious: when an attack happens and a response has to be coordinated on the fly, everything becomes more complicated, and there are more chances for things to go awry.

Tackling governance issues

The percentage of security executives reporting directly to the CEO dropped from 35 percent in 2017 to 28 percent last year. Meanwhile, the percentage of CISOs reporting to the CIO increased from 16 percent in 2017 to 25 percent in 2018. From a corporate governance point of view, this may seem a positive development. But is it really? Might there be conflicts of interest between these realms?

Often, when a company embraces a new app, platform or digital service, it understandably wants to roll it out as quickly as possible. It may have invested considerably in the new service, and it wants to put it to work so it can realize the return on that investment. But sometimes, in the company’s haste to launch, security and vulnerability analysis are lost in the shuffle, or at least downplayed – which can come back to haunt the firm in the event of a crippling breach that might have been averted.

To reduce the risk of this happening, and to strengthen governance for the long haul, organizations should consider empowering their CISOs and having them report directly to the CRO, CEO or board of directors. Failing this, if something goes wrong, fingers could always be pointed at the CIO. But the real question to contemplate isn’t whom to blame in the aftermath. It’s how to prevent a security incident from happening in the first place.