Why Cybersecurity Should be the Concern of Every C-level Executive — Part II
23 July 2018
Who gets the blame, and is there an ROI on cybersecurity?
In our previous post, we examined why it is crucial for management to equip their security team with the right tools to enable constant monitoring of users’ access. Today, we look at who gets the blame when sensitive data gets leaked — is it just the Chief Information Security Officer (CISO), or should the entire C-suite take responsibility for the compromised security? What can the CEO, COO, CTO, CMO and CFO jointly contribute to fighting the internal cybersecurity epidemic? Finally, since every topic aimed at a C-level audience needs to address the bottom line, we will look at cybersecurity ROI.
The blame game
The role of CISO is a recent one. As the senior-level executive who’s responsible for executing and overseeing the company’s cybersecurity strategy, it’s obvious who takes the blame. However, according to one survey, 29 percent of IT decision makers believe that the CEO should have the primary responsibility in a large-scale data breach. Equifax and Target serve as prime examples of this school of thought.
With digital transformation, IoT and big data becoming ubiquitous, cybersecurity cannot and should not be the responsibility of the IT team alone. The spotlight needs to shift from the blame game to putting in place measures that avoid a potential breach. However, our survey revealed that a third of companies have yet to invest in a security strategy. The need of the hour is for each member of the management team to come together in determining the company’s cybersecurity strategy.
In Part I, we explored the cost of a data breach from the perspective of the time taken to resolve it. In this post, we look at the consequences by the kind of data that gets compromised. According to a 2018 study, the company’s intellectual property information (57 percent) is seen as the most vulnerable to attacks, followed by privileged account information (52 percent) and sensitive personal information (49 percent). The ASUG survey reiterates that protecting a company’s sensitive data remains the most challenging (nearly 40 percent) and most concerning matter for companies.
From the company’s confidential data to the personal information of customers, there are different ramifications to the various types of data breaches.
- Personally Identifiable Information (PII) data: Especially when customers’ or employees’ personal information is compromised, the breached company incurs litigation costs, compensation to affected customers, and fines under data protection legislation such as GDPR.
- Company’s confidential data: Apart from significant revenue losses, the competitiveness of the business takes a catastrophic hit.
Companies need to identify the data that is crucial for their business, or that will prove most expensive when breached, and put appropriate security strategies in place. Once the security areas are prioritized, IT administrators can work to ensure that access privileges to these assets are restricted to only those who absolutely require them to perform their job.
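The prioritize-then-restrict step above can be turned into a repeatable access review. The following is an added example, not code from the original post or from any product: it takes a constructed data inventory tagged with sensitivity tiers and a constructed list of access grants, orders the assets by criticality, and flags every grant whose role is not on the (hypothetical) allow-list for that tier, or that points at an asset nobody has classified yet. All tier names, roles, assets and user names are assumptions made up for this illustration.

```python
"""Least-privilege access review over a classified data inventory.

Added example (not from the original post). Tiers, roles, assets and
grants below are constructed placeholders, not real policy.
"""
from dataclasses import dataclass

# Sensitivity tiers, most critical first (assumption for this example).
TIERS = ("restricted", "confidential", "internal")

# Hypothetical policy: which roles may hold access to each tier.
ALLOWED_ROLES = {
    "restricted": {"ip-engineer", "security-admin"},
    "confidential": {"ip-engineer", "security-admin", "hr", "finance"},
    "internal": {"ip-engineer", "security-admin", "hr", "finance",
                 "marketing", "contractor"},
}

# Constructed data inventory: asset name -> sensitivity tier.
DATA_INVENTORY = {
    "source-code-repo": "restricted",          # intellectual property
    "privileged-account-vault": "restricted",  # privileged account data
    "customer-pii-db": "confidential",         # sensitive personal information
    "marketing-assets": "internal",
}


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    asset: str


# Constructed access grants pulled from a (pretend) directory export.
ACCESS_GRANTS = [
    Grant("alice", "ip-engineer", "source-code-repo"),
    Grant("bob", "marketing", "customer-pii-db"),
    Grant("carol", "contractor", "privileged-account-vault"),
    Grant("dave", "hr", "customer-pii-db"),
    Grant("erin", "marketing", "marketing-assets"),
    Grant("frank", "finance", "unknown-share"),  # never classified
]


def prioritize_assets(inventory):
    """Order assets by tier criticality (most critical first), then by name."""
    rank = {tier: i for i, tier in enumerate(TIERS)}
    return sorted(inventory, key=lambda asset: (rank[inventory[asset]], asset))


def review_grants(grants, inventory, allowed):
    """Return (grant, reason) pairs that violate least privilege.

    A grant is flagged when its asset has no classification (it cannot be
    reviewed until it is classified) or when the role is not permitted on
    the asset's tier.
    """
    findings = []
    for g in grants:
        tier = inventory.get(g.asset)
        if tier is None:
            findings.append((g, "asset missing from inventory; classify before granting"))
        elif g.role not in allowed[tier]:
            findings.append((g, f"role '{g.role}' is not permitted on {tier} data"))
    return findings


def flagged_users(findings):
    """Distinct users whose grants need revocation or review, sorted."""
    return sorted({g.user for g, _ in findings})


if __name__ == "__main__":
    print("Review order:", prioritize_assets(DATA_INVENTORY))
    for grant, reason in review_grants(ACCESS_GRANTS, DATA_INVENTORY, ALLOWED_ROLES):
        print(f"{grant.user:6} {grant.role:15} {grant.asset:26} {reason}")
```

Running it lists the restricted assets first, so reviewers spend their time where a breach would cost the most, and prints three findings: a marketing role on PII, a contractor on the privileged account vault, and a grant against an asset that was never classified. In a real environment the inventory and grants would come from the data classification register and the identity provider rather than from literals.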
How can the C-level help?
In the survey, we also noted that dedicated security professionals had a better understanding of the consequences of a data breach and a more accurate assessment of their security environment — 80 percent of security professionals, as opposed to only 25 percent of management, were concerned about cybersecurity.
In the event of a data breach, it is the C-level that is answerable when sensitive data gets compromised. So it makes sense that every member of the leadership team is involved in defining the security strategy that will protect the data. Here is how:
- CEO: As the leader in charge of overall management and strategic vision, the CEO sets the prioritization standards for security within the company; the CEO’s involvement is crucial to ensure the company’s IT security capabilities are aligned with the company’s larger goals.
- CTO: The CTO owns the management of the company’s technology, including the security around it.
- CFO: As the executive responsible for the company’s finances, the CFO should establish strategic priorities and allocate funding based on the business risk associated with breaches.
- COO: The COO establishes operational efficiency and is involved with legal and regulatory compliance; the documentation of organizational security falls under the COO’s jurisdiction.
- CCO/CMO: When a breach occurs, the communications or marketing executive acts as the bridge between the company and the public, customers, partners and other stakeholders.
When the leadership team comes together, the result is a strong, cohesive cybersecurity strategy that is supported across the organization.
ROI from cybersecurity
While an investment in security does not provide an increase in revenue, it does provide savings by averting an imminent insider threat. The average cost of a data breach, as we discussed earlier, is $3.62 million. A typical company loses 5 percent of revenue every year to fraud. Just by establishing security protocols, companies will be saving money. They will also avoid the costs of lost business — customer churn, business disruption and system downtime, all caused by a data breach. Further, the time, effort and investment involved in breach remediation all take a toll on the bottom line. While the above factors are the tangible measures of revenue loss, there is also the looming issue of the loss of trust with customers, partners and shareholders, which is by far the hardest setback to overcome.
Given the significance of protecting critical data and the need to have everybody in the company, from the top down, involved in protecting it, the highest price to be paid is the cost of doing nothing when it comes to cybersecurity.