Boardroom: Elevating Cybersecurity Discussions

As data breaches continue to rise, organizations, regardless of their size or industry they are in, must take into consideration a new mindset.

Despite the FBI’s focus on cybercriminal activity, less than five percent of computer-related crimes are successfully prosecuted.

Unfortunately, jail time and other penalties are rare, despite the pervasiveness of cybercrime and cyber espionage. Corporate decision makers are faced with a shocking reality: from a cyber perspective, they are on their own when it comes to protecting their reputations, intellectual property, finances and consumers.

That having been said, it is no longer a good idea to consider the IT department solely responsible for the protection of important data. Instead, it should be assessed and managed at all levels throughout an organization.

Each operating group within a company is vulnerable due to Internet-connected technology. Taking a broader look at security can help mitigate daily threats that assail companies. When it comes to data breaches, the question is not if, but when a company will be targeted. This should dictate a shift from the current security investment deficit.

Currently, only eight cents of every IT dollar is spent on security, which is inadequate for the majority of organizations, both large and small. At these levels, customer and corporate information is not sufficiently protected when facing the hostile cybercriminal community. Reputations are at stake and brands could be jeopardized due to lax measures. Understanding that more than data is at stake, decision makers and board members must make data protection a top priority.

Boardroom: Rising to the challenge

Appointing a Chief Information Security Officer (CISO) to take the lead in keeping corporate data safe is a step taken by many forward-thinking companies. While this is a move in the right direction, the big question is to whom these individuals should report. In the past, the answer has been the chief information officer (CIO).

While this seems logical, the problem lies in the competing priorities of a CIO and CISO. CIOs are typically only focused on technology infrastructure and resources, with the most concern for increasing efficiencies, access and resiliency.

Though important, these can be in opposition to the needs of a CISO, who aims to improve enterprise-wide security measures and risk management across all silos. When considering governance, placing the CISO within the purview of an executive with broader responsibilities, such as a CEO, is advisable.

Due to the myriad of overarching implications, today’s enterprise leaders should be held accountable for cybersecurity, regardless of their role. A prime example is the chief marketing officers. The executives are typically more focused on how the Web is used, with email campaigns, mobile app development and website updates, but these promotional endeavors can leave the door open for malware or other attacks to be released on unsuspecting customers. At each operating level, the influence of technology demands an awareness of where security fits into everyday functionality.

Preventing the spread

An additional justification for broadening security responsibly across an organization is the propensity for threats to emerge as moving targets. Malware infections often migrate laterally within an enterprise, as well as from third-party vendors. When a network becomes compromised, attacks can be widespread in the entire IT framework and supply chain, in what is known as “island hopping.”

The Target breach is a good example of island hopping at work. The investigation revealed that hackers had infiltrated a vendor’s system in order to steal the retailer’s credentials. As a result, criminals successfully gained access to information of approximately 40 million customer credit cards, potentially affecting more than 100 million consumers. The impact of this attack is still being felt across the retail sector today.

It can be easy to overlook third-party partnerships from a security perspective, but these potential gaps warrant the awareness of corporate leadership. Examining the policies of partner organizations is one way to strengthen internal security, particularly if the company is publicly traded. The fact that these partners often have access to sensitive information, making them attractive targets, cannot be ignored.

A holistic perspective to cybersecurity can help mitigate the risk of system-wide threats.

A new attitude

For the last 20 years, corporate focus has consistently been on cutting costs, improving access and increasing efficiencies. That level of commitment should now be given to customer, partner and investor information, and to making it secure as possible in the digital world. Physical safety is an expected convenience of in-store shopping, and online environments should offer information security. Therefore, enterprises should invest between 10 to 20 percent of their IT budget in cybersecurity as a function of brand protection.

Elevating cybersecurity to an operational and risk management priority will take effort and focus but can yield many dividends. For this practice to become a reality, boards of directors must educate themselves to improve governance and oversight. To stay ahead of the bad guys, a shift in investment strategy, as well as strong improvements to employee training and reporting structure are paramount.

HelpNetSecurity: http://bit.ly/1MaXxOP

« Who’s in Charge When US Suffers A Cyberattack?
EU Cyber Agency Urges Action To Avoid Crisis »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

authen2cate

authen2cate

Authen2cate offers a simple way to provide application access with our Identity and Access Management (IAM) solutions for enterprise, small business, and individual customers alike.

Fredda Stanza

Fredda Stanza

Fredda Stanza specialize in Information Security and Forensics Consulting.

Absolute Software

Absolute Software

Absolute provides persistent endpoint security and data risk management solutions for mobile devices - computers, tablets, and smartphones.

Grimm Cyber

Grimm Cyber

GRIMM makes the world a more secure place by increasing the cyber resiliency of our client’s systems, networks, and products.

Lirex

Lirex

Lirex offer consulting and outsourcing services, complete design, construction and maintenance of ICT solutions and systems including cybersecurity.

Robert Walters

Robert Walters

Robert Walters is one of the world's leading global specialist professional recruitment and recruitment process outsourcing consultancies.

National Cyber Coordination & Command Centre (NC4) - Malaysia

National Cyber Coordination & Command Centre (NC4) - Malaysia

NC4 is established as a center for dealing with cyber threats and crisis at the national level in Malaysia.

Acmetek Global Solutions

Acmetek Global Solutions

Acmetek is a Global Distributor and a Trusted Advisor of PKI /IOT & SSL Security Products and a Managed Services Company.

Conseal Security

Conseal Security

Mobile app security testing done well. Conseal Security are specialists in mobile app penetration testing. Our expert-led security analysis quickly finds security vulnerabilities in your apps.

Solvere One

Solvere One

Solvere One is a managed service provider (MSP) focused on corporate consulting and partnership.

Delinea

Delinea

Delinea is a leading provider of cloud-ready privileged access management (PAM) solutions that empower cybersecurity for the modern, hybrid enterprise.

Ministry of Electronics & Information Technology (MeitY)

Ministry of Electronics & Information Technology (MeitY)

The Ministry of Electronics & Information Technology is an executive agency responsible for IT policy, strategy and development of the electronics industry.

Breathe Technology

Breathe Technology

Breathe Technology has been providing Managed IT Support/ Service Desk, Cloud Services, Cyber Security & Communications to businesses and schools since 2003.

Iron EagleX

Iron EagleX

Iron EagleX deliver engineering solutions in cloud computing, big data, cyber, and machine learning technologies to US Government customers.

ClearSale (CLSA3)

ClearSale (CLSA3)

Clearsale’s innovative fraud solutions combine advanced technology with a passionate team of seasoned experts that understand every client’s unique needs.

Cyro Cyber

Cyro Cyber

Cyro Cyber is a collective of some of the UK’s most experienced and savvy cybersecurity, information assurance, data protection, IT governance and compliance experts.