Security has typically fallen under the purview of IT, but it's time to elevate it to a C-suite level discussion. Seemingly every time we turn around there's something in the news or on social media about high-profile companies like Target, Sony Pictures, Home Depot and JP Morgan Chase experiencing data breaches, making them almost commonplace and lowering their shock value as a result. Yet that is precisely why organizations need to come together and discuss how to protect their network infrastructure. It's no longer only an IT issue. Here's an eye opener: the average cost of a security breach to an organization was $3.5 million in 2014, up 15% from what it cost in 2013, according to the Ponemon Institute.
Don't think it can't happen to you. In 2014, there were 783 known, reported data breaches. This represents a 27.5% increase over the number reported in 2013, according to the Identity Theft Resource Center. As organizations adopt new and emerging technologies, embrace BYOD, and race into the Internet of Things, their attack surfaces only increase.
Consider, too, that all the attention cyberattacks now receive has put security more squarely on your customers' radar. Potential customers have begun asking how their information will be safeguarded, and a solid cybersecurity plan is now a key requirement for winning contracts. IT, therefore, needs to make the case to upper management for being proactive rather than reactive. Depending on the culture in your organization, however, getting upper management to hear you can remain a challenge. In fact, a recent study by KPMG found that board communication remains the biggest threat to cyber risk awareness. The study found that only slightly more than half (55%) of board members said they understood the potential impact of losing their company's key information and data assets, while 65% said they "rarely or never" reviewed risk management around valuable company information.
IT cannot operate in a vacuum, and neither can corporate executives when it comes to making decisions. It’s not putting too fine a point on it to say if you don’t have a chief information security officer (CISO) or a senior member of IT who is designated as the security point person in charge of your organization’s tech assets, then your C-level executives are at a disadvantage. They need someone who can educate them on how to mitigate threats, whether that means someone with internal expertise or third-party consultants. In either case, this has become an essential resource.
There are signs CEOs are recognizing the importance of participating in security discussions. Some organizations are forming cybersecurity subcommittees with board members to address questions like:
- How do we assess our vulnerabilities?
- Do we have an incident response plan in place?
- How do we respond and minimize the damage done by an attack?
But that needs to become the norm rather than the exception.
Back to the issue of communication. Although top-level executives sometimes fail to leverage the expertise of their IT staff before making decisions for the organization, IT security personnel have been known to act unilaterally, usually with the best interests of their organization in mind but often without a complete understanding of big-picture strategic priorities. Both sides need to recognize that they bring valuable, and different, perspectives to the table, and they have to work together to develop a consistent, mindful and sensible approach to security. Too often, people make judgments and form opinions that are not grounded in fact, and there is much to be gained on both sides as the specter of cyberattacks continues to grow.