May 30, 2019
“Cybersecurity risks pose grave threats to our investors, our capital markets, and our country.”
This statement was issued by the US Securities and Exchange Commission (SEC) in February 2018, as part of its guidance on public company cybersecurity incident disclosure responsibilities. As we look back on this statement today, we see that more companies have embraced cybersecurity as part of their enterprise risk management (ERM) discipline.
And yet, many still have not: Research from Optiv found that only 18 percent of enterprises score “high” in aligning business objectives with security program management. This indicates that cybersecurity often functions outside of corporate business processes, which makes it incredibly difficult—if not impossible—to effectively mitigate cybersecurity-related business risk.
Why is this? Simple: it is hard to think of another enterprise risk that has advanced as quickly as cybersecurity. Litigation, succession planning, competitive threats, business stability…all of these risks are timeworn and well understood topics. Cybersecurity, on the other hand, is a party crasher—a threat that, even just 10 years ago, did not seem as serious as other traditional business risks to most companies. While there were some major data breaches back then, they never lived up to the negative hype that accompanied them; in those days, businesses suffering breaches saw everything from stock prices to customer traffic and brand sentiment return to normal very quickly. This is not the case today, because the cybersecurity risk landscape is profoundly more complex.
Consider the risk landscape of 10 years ago. Smartphones were still early in their adoption curve, with about 16 percent of mobile phone market share. Cloud computing was in its infancy (Microsoft Azure, for example, was first announced at the end of 2008). Regulations were more scattershot and loosely enforced than today, and ransomware was a fringe cyberthreat, a status that began to change once Bitcoin, which became operational in 2009, gave attackers a practical, hard-to-trace way to collect ransom payments.
From an ERM perspective, cybersecurity was a secondary consideration. Having a data breach in the headlines was an annoyance—and usually the chief information security officer (CISO) or, if there was no CISO, the IT staffer in charge of security, would pay for it with his or her job—but, in general, it was a survivable incident.
Today, however, data breaches and other incidents have far more damage potential than they did 10 years ago, due to the increased destructiveness of attacks (ransomware, nation-state theft of intellectual property, etc.) and the prevalence of newer computing platforms (mobile, cloud) and trends (digital transformation, Internet of Things, etc.) that expose companies to new attack vectors. New regulations with real teeth (GDPR being the most prominent example) are a direct response to these changes. All of the above factors have conspired to make cybersecurity a tier-1 enterprise risk—and for some companies, cybersecurity is the single most dangerous source of risk.
Companies that do not realize this are imperiling their competitive position. If they do not treat cybersecurity as a top-tier risk consideration, they stand to make business decisions that seem sound but are potentially disastrous from a cybersecurity perspective. For example, diversifying supply chains is generally considered a sound business practice. However, if the cybersecurity team is not involved from the beginning, each added supply chain partner also creates brand-new on-ramps for attackers into the corporate network: new network connections, shared credentials and accounts, and data exchanges that must be vetted, scoped to least privilege, and monitored. So, while an executive may gain kudos in the boardroom for improving supply chain stability, the company’s security organization must play catch-up at a mad pace to secure the enterprise attack surface that was just expanded. Put it all together, and the perceived reduction in risk (a more resilient supply chain) was actually just a transfer of risk (new cybersecurity exposure that the business never accounted for).
An increasing number of companies are bringing CISOs into their regular board meetings and treating cybersecurity as a tier-1 business risk. However, there remains a distressing number of companies still living in the world of 10 years past. If those companies hope to be in a position to discuss risk 10 years from now, this needs to change.
Dustin Owens is division vice president and general manager, Risk and Compliance Advisory, at Optiv, a cybersecurity company that enables its clients to build a sustainable, risk-centric foundation for implementing proactive and measurable security programs.