Ever since the pandemic-led lockdown required enterprises to rethink cybersecurity from a remote-working perspective, cyber experts have waxed eloquent about the need for solutions originating from Boardrooms. Today, geopolitical instability, fast-maturing technologies and a lack of adequate talent have added fuel to the raging fire of heightened shareholder and regulatory expectations. CISOs are more concerned than ever before about the impact of rapid digital transformation on cybersecurity, with one of the immediate priorities being the building of bridges between public and private sectors and between business leaders and cyber experts.
The World Economic Forum’s latest Global Cybersecurity Outlook has reiterated the need to communicate cyber risk and its impact directly to the C-suite and the Boards, with a view to using it to tackle emerging cyber threats in a timely and effective manner. The report points out that “hearing is not the same as listening,” and that this is how the relationship between cyber and business leaders in most organizations pans out. “The significance of cyber risk has certainly been heard in C-suites and boardrooms. Whether cyber leaders and business leaders understand each other well enough to meet this challenge is, on the other hand, an open question,” says the report. While business leaders are more aware of cyber issues now than a year ago, and more willing to take them on, cyber experts continue to struggle to articulate these risks clearly in a language that business counterparts can act upon.
A published report said UK businesses spent almost $1.2 billion on cybersecurity while cyberattacks on enterprises cost those enterprises $41 billion. This number has increased year-on-year, making it clear that there is still a long way to go to even this equation out. More investment, both in terms of time and money, needs to be made in cybersecurity to keep data secure, and given the magnitude of spending, such decisions can only be made in Boardrooms. In the US, the government allocated $15.6 billion for cybersecurity, with the major chunk of $11.2 billion being appropriated by defense. The notable point here is that the private sector’s involvement is minimal, as only $2.9 billion goes to the Cybersecurity and Infrastructure Agency (CISA), an organization that works with industries.
Given these constraints it is quite obvious that cybersecurity needs to bubble up to the Boardrooms, with the C-suite being constantly aware of the threats of data breaches, phishing attacks, malware infections and ransomware. Though most organizations include cybersecurity on the agenda for board meetings, the WEF report believes that CISOs need to demystify such threats and create actionable goals that Board Members can act upon. Amidst these challenges, there is also a silver lining. The evolving regulations around cyber compliance are driving business leaders to create an organizational culture of cybersecurity that percolates down across the enterprise as well as the vendor ecosystem.
An Accenture report notes that business priorities face the spotlight during a ransomware attack, but the reality lies elsewhere. It quotes a research report to suggest that the connection between business strategy and security efforts needs a closer alignment for it to become effective. In fact, it lays out three key points that the Boardroom should consider when reviewing the cybersecurity levels in an enterprise. These are:
- Is the company treating cyberattacks as just a security problem or has it evolved into a business-focused crisis management approach that makes it a team sport?
- Are crisis communications making sense, or do they still merely check some boxes without any understanding of the industry, its regulations and its customers?
- What is the level of comprehensiveness in the company’s approach? Does it consider the business and its entire ecosystem of vendors, investors, subsidiaries while creating a crisis response?
Towards this end, business leaders would do well to establish certain strategies from a top-down approach in order to reinforce the cybersecurity culture within an organization. Such a move would generate transparency over what is at stake as well as prepare every individual to play the team sport in case of a cyberattack:
Establish a culture of security within the organization
Employee carelessness and phishing are significant contributors to malware attacks. Hence, the C-suite must understand the significance of the “human element” when formulating cybersecurity strategies and prioritize employee buy-in before implementing these strategies across the organization. This can include having regular discussions with employees about the importance of cybersecurity and giving them resources and support to help them practice safe behavior when using the Internet. Management must lead by example and ensure that all staff are trained in proper cybersecurity practices. The C-suite should also set up policies around data protection, system updates, and monitoring activities that help protect sensitive information from potential attackers.
Develop a universal language for basic cybersecurity knowledge
To implement an effective cybersecurity strategy for an organization, C-level executives must understand the difference between VPN and Zero Trust capabilities. The C-suite should therefore become accustomed to the language and the basic concepts that the team will use while discussing cybersecurity, so that managers can actively participate in such discussions and resolve any issues that arise.
Create and circulate the cybersecurity policy and strategy
Most organizations should follow a broad cybersecurity policy that sets out measures to keep the network safe from cybercriminals. Top officials should ensure adequate training is provided for staff and customers so that staff members stay updated with best practices regarding cybersecurity. Further, these organizations should create tailored plans to protect their data from cyber theft.
Involve business leaders at all levels in cybercrime response
Implementing and executing a robust Incident Response Plan (IRP) ensures that the C-level executives of a business are ready to respond quickly when an incident occurs, regardless of the severity of the particular incident. These leaders can then easily articulate how the organization will respond to cybersecurity incidents. Getting mid-tier management involved in the process ensures that cybersecurity policies and strategies reach every employee in a large enterprise at a faster pace.
Regularly reviewing and updating the plan
Due to the dynamic nature of cyber threats, it is necessary to review and update the cybersecurity plan to ensure its continued effectiveness. This includes best practices like keeping up with the most recent threats, conducting regular risk assessments, and testing systems and policies. Practus believes in hassle-free solutions and ensures the plan stays updated. Our team remains in touch with the companies to know what is going on and how to update the plan by analyzing the results and trends.
Maintaining legal conformity
The Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS) are two examples of industry-specific laws and standards that may apply to a company. The company’s upper management needs to ensure that it follows the applicable laws and regulations to reduce its vulnerability to cyberattacks. With proper consultation from industry experts, businesses can identify the gaps and learn how to comply with the legal rules without any issues.
Mapping out Cybersecurity budgets is the key
For all of the above to function seamlessly in a crisis, the critical element yet again boils down to how much an enterprise spends on cyber protection. A deeper understanding of the risk and the return on investment is the need of the hour, and CISOs of the future need to be both data-driven and forceful when presenting their case to the rest of the C-suite. Two key factors in determining budgets are the cost of technology and the cost of talent – the latter being mission critical, as talent is what rolls out cybersecurity initiatives and closes the gaps identified by the risk management processes.
The WEF report found that 91% of survey respondents believe a far-reaching and catastrophic cyber event is likely over the next two years, with specific concerns around critical infrastructure sectors such as energy, public transport and manufacturing. In fact, US cybersecurity rating firm SecurityScorecard recently reported that 48% of all manufacturing companies surveyed were at significant risk of a cyber breach. “Vulnerabilities within the critical manufacturing sector haven’t gone unnoticed by cybercriminals either,” says Aleksandr Yampolskiy, SecurityScorecard’s CEO.
In conclusion, the Boardrooms must recognize that potential targets for cybercrime are increasing by the day, with targets no longer limited to government or Fortune-500 companies but extending to any business that handles consumer data, however small. It is more about cyber resilience than cybersecurity, as there is no such thing as a hundred percent guarantee of safety in cyberspace. While employees, managers, the C-suite and the Boardrooms each need to up their ante on cybersecurity, there is an equal need for consumers to enhance their understanding of data loss and its impact on their personal lives.