Boardroom: Elevating Cybersecurity Discussions

As data breaches continue to rise, organizations, regardless of their size or industry, must adopt a new mindset.

Despite the FBI’s focus on cybercriminal activity, less than five percent of computer-related crimes are successfully prosecuted.

Unfortunately, jail time and other penalties are rare, despite the pervasiveness of cybercrime and cyber espionage. Corporate decision makers are faced with a shocking reality: from a cyber perspective, they are on their own when it comes to protecting their reputations, intellectual property, finances and consumers.

That having been said, it is no longer a good idea to consider the IT department solely responsible for the protection of important data. Instead, it should be assessed and managed at all levels throughout an organization.

Each operating group within a company is vulnerable due to Internet-connected technology. Taking a broader look at security can help mitigate daily threats that assail companies. When it comes to data breaches, the question is not if, but when a company will be targeted. This should dictate a shift from the current security investment deficit.

Currently, only eight cents of every IT dollar is spent on security, which is inadequate for the majority of organizations, both large and small. At these levels, customer and corporate information is not sufficiently protected when facing the hostile cybercriminal community. Reputations are at stake and brands could be jeopardized due to lax measures. Understanding that more than data is at stake, decision makers and board members must make data protection a top priority.

Boardroom: Rising to the challenge

Appointing a Chief Information Security Officer (CISO) to take the lead in keeping corporate data safe is a step taken by many forward-thinking companies. While this is a move in the right direction, the big question is to whom these individuals should report. In the past, the answer has been the chief information officer (CIO).

While this seems logical, the problem lies in the competing priorities of a CIO and a CISO. CIOs typically focus on technology infrastructure and resources, and are most concerned with increasing efficiency, access and resiliency.

Though important, these can be in opposition to the needs of a CISO, who aims to improve enterprise-wide security measures and risk management across all silos. When considering governance, placing the CISO within the purview of an executive with broader responsibilities, such as a CEO, is advisable.

Due to the myriad of overarching implications, today’s enterprise leaders should be held accountable for cybersecurity, regardless of their role. A prime example is the chief marketing officer. These executives are typically more focused on how the Web is used, with email campaigns, mobile app development and website updates, but these promotional endeavors can leave the door open for malware or other attacks to be released on unsuspecting customers. At each operating level, the influence of technology demands an awareness of where security fits into everyday functionality.

Preventing the spread

An additional justification for broadening security responsibility across an organization is the propensity for threats to emerge as moving targets. Malware infections often migrate laterally within an enterprise, as well as from third-party vendors. When a network becomes compromised, attacks can spread across the entire IT framework and supply chain, in what is known as “island hopping.”

The Target breach is a good example of island hopping at work. The investigation revealed that hackers had infiltrated a vendor’s system in order to steal the retailer’s credentials. As a result, criminals successfully gained access to information of approximately 40 million customer credit cards, potentially affecting more than 100 million consumers. The impact of this attack is still being felt across the retail sector today.

It can be easy to overlook third-party partnerships from a security perspective, but these potential gaps warrant the awareness of corporate leadership. Examining the policies of partner organizations is one way to strengthen internal security, particularly if the company is publicly traded. The fact that these partners often have access to sensitive information, making them attractive targets, cannot be ignored.

A holistic perspective on cybersecurity can help mitigate the risk of system-wide threats.

A new attitude

For the last 20 years, corporate focus has consistently been on cutting costs, improving access and increasing efficiencies. That level of commitment should now be given to customer, partner and investor information, and to making it as secure as possible in the digital world. Physical safety is an expected convenience of in-store shopping, and online environments should offer information security. Therefore, enterprises should invest between 10 and 20 percent of their IT budget in cybersecurity as a function of brand protection.

Elevating cybersecurity to an operational and risk management priority will take effort and focus but can yield many dividends. For this practice to become a reality, boards of directors must educate themselves to improve governance and oversight. To stay ahead of the bad guys, a shift in investment strategy, as well as strong improvements to employee training and reporting structures, are paramount.

HelpNetSecurity: http://bit.ly/1MaXxOP