Not if, but when…
The sad reality is that experiencing a security breach is no longer a matter of if, but when.
Yet, when it comes to creating the requisite security safeguards, achieving meaningful engagement and ultimately buy-in from the Board of Directors can be a frustrating experience. All too often business risk priorities can end up misaligned, delayed, or at worse, ignored.
Creating confidence in cybersecurity initiatives seems to thrive in a climate of due diligence, open-mindedness, and sheer tenacity in order to break through the noise and hyperbole from various so-called industry experts.
Shoring up defences
The proverbial sky may seem like it’s falling, yet with a thoughtful and logical approach, and support from key stakeholders, it can certainly be propped up long enough to shore up defences and prevent a catastrophic – and costly – cyber event. And they are costly. According to Ponemon, the global average cost of a data breach this year is now $3.92 million, a 1.5 percent increase on 2018.
There is no doubt as to the importance of having at least a cursory level of security literacy and understanding of cyber risk within the boardroom. Yet, there is a dichotomy. Due to the low quality of reporting on information security, 52% of respondents think their Boards are not fully knowledgeable about the risks the organisation is taking and the measures that are in place. However, Gartner estimates that by 2020, 100% of large enterprises will be asked to report to their Board of Directors on cybersecurity and technology risk at least annually. Yet, 87% of Board members and C-level executives have said they lack confidence in their organisation’s level of cybersecurity.
The reality is that whilst most Board members may be familiar with business risk in general, most are not up-to-date with the myriad incarnations of what constitutes cyber risks today. To say that threats are evolving daily is not so much of an understatement as it is a call to arms. With the increasing level of sophistication and financing to carry out attacks, malicious actors and rogue nation states pose a real and credible threat across the globe for businesses of all sizes.
The need for threat intelligence
Since a Board is typically business strategy and financial results oriented, be sure to gather valid and timely threat intelligence to better inform and make actionable recommendations. Whether the firm is a publicly-traded company or in a heavily regulated industry such as finance, healthcare, retail, or energy and utilities will make a difference in what key metrics a Board cares about.
Potential repercussions of a cyberbreach or compromise could include liabilities, impact to shareholders, reputational damage, and a loss of customer loyalty. As such, flesh out answers to these two basic questions to highlight security gaps in any overarching cyber defence strategy:
What am I trying to protect, and prevent from happening?
What is the worst possible potential outcome?
One key assertion to make is to differentiate between meeting regulatory compliance and bolstering security. While a company may diligently adhere to certain geographical and empirical mandates and standards such as GDPR, PCI or HIPAA, it is by no means a surety that a company is impervious to an attack.
A champion for security
It is important to create an internal task force or find a champion for your organisation’s security. Accept the fact that you may not be able to educate and influence the entire Board. Not every Board member will have the enthusiasm and desire to know all the details. Collaborating with a stakeholder task force or champion provides an opportunity to really roll up your sleeves and articulate risk thresholds and business impacts with those who share an appetite for the minutia.
He or she could be the one person with whom to dive deep on current solutions, help accelerate a program, and/or remove bottlenecks. They could help outline the cybersecurity metrics and measurements that are most important for the Board, presented in terms that will resonate the strongest.
Keep it simple
When communicating with the Board, it is best to present facts and simple stories. Help demystify technology-laden and complex language. Use business terms and outcomes if possible. When tasked with presenting data, or metrics that require an engineering degree to decipher, choose to err on the side of over-simplification. Raw numbers may not make sense or convey critical conditions.
Many people find it difficult to conceptualise large volumes of data sets, so consider using simple visuals and diagrams if possible. Sharing easy-to-follow red, yellow, or green status milestones is often an effective option over complicated and mind-numbing data via charts and graphs.
If your Board is more literate and engaged, create a timeline that highlights current operational efficiencies and the areas that need improvement. Ask yourselves if you are keeping pace with current threats in a particular industry (e.g. ransomware hitting government municipalities and healthcare/hospitals.)
By following the advice above you create safety in numbers and ensure that you are as prepared a you can be for a security breach.
By Dena DeAngelo, Contrast Security
Dena DeAngelo has over 20 years of marketing experience in Silicon Valley, having worked with a variety of start-ups and Fortune 500 companies and clients. She’s well-versed in all things marketing, including content, branding, sales enablement, and product promotions.
About Contrast Security
Contrast Security is the pioneer in enabling “self-protecting” software with security safeguards built directly into modern software. Only Contrast Security has sensors that work actively inside applications to uncover vulnerabilities, prevent data breaches, and secure the entire enterprise from development to operations, to production.
More information can be found at www.contrastsecurity.com or by following Contrast on Twitter at @ContrastSec.
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.