Risks of virtually all types have exploded in 2020, courtesy of the COVID-19 pandemic and the brutal recession accompanying it, and—yes—the list absolutely includes substantially heightened uncertainty in the corporate cybersecurity landscape.
Resources are strained in organizations’ Security Operations Centers (SOCs) as corporations have virtualized their workforce. Millions of new remote workers, now operating outside the corporate security perimeter, face heightened cyberattacks and need markedly more help. And supply chains, increasingly reliant on third-party support, are being targeted by skilled hackers while companies are consumed with chronic transportation restrictions; according to Symantec, supply chain attacks had already increased 78 percent in pre-pandemic 2019.
Making matters still worse, phishing and ransomware attacks have also spiked, using COVID-19 as bait to impersonate brands, misleading both customers and employees, according to Deloitte’s Cyber Intelligence Center.
Despite all these ballooning risks, corporations keep driving, largely unchecked, to digitize their businesses and push as much activity online as possible, almost as if cyber-risks were receding instead of growing and cybersecurity governance were on holiday. This raises a key question: is corporate risk management truly up to the task of relentlessly pushing into an online world that has never been more awash with danger?
The answer is maybe—maybe not. Yes, substantial improvements in cybersecurity in recent years offer hope. Yet there was already considerable room for further improvement pre-pandemic, and obviously materially more now, and the challenges today and in the future are daunting.
To help cope, companies need more of their existing employees to join the fray by adopting a more holistic organizational approach: a concerted commitment, from leadership to rank-and-file employees, to establish and execute a plan that addresses cyber-risk management from all corners of the organization. This includes creating a serious cybersecurity strategy, one that also assesses risk tolerance so that resources are invested where they best mitigate the pain from selected cyberattacks.
This is not to suggest that companies can downplay cyber-blocking and tackling, which would expose more companies to more cyber-breaches and eventually decimate their reputations. This is why cybersecurity governance encompasses the processes that determine how organizations detect, prevent and respond to cyber-incidents, not just the policies guiding these processes. Mounting phishing and ransomware attacks and third-party supply chain issues are just two examples among many bread-and-butter challenges that must be addressed more aggressively.
The challenge of focusing more attention on the big picture while working to mitigate problems day in and out falls largely into the laps of chief information security officers (CISOs). They’re under growing pressure to learn and embrace key corporate initiatives and business attitudes, such as their risk appetite, and prioritize security concerns accordingly. (Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives—a balancing act between the potential benefits of innovation and the inevitable threats.)
So the plates of CISOs are growing extremely full. Good thing, too, because there is no longer room for the increasingly dated mindset that still treats corporate cybersecurity as a back-office, mostly technical job.
A holistic approach helps bury this mindset by underscoring that cybersecurity can no longer remain an afterthought in big strategic decisions about the likes of business models, product mix, M&A and digital strategy. That’s why corporations are starting to come to terms with the reality that they must view data security as an overarching business problem, not just an IT problem. Some companies have adopted this mindset, but mostly only piecemeal. That’s why cyber-knowledgeable rank-and-file employees must also be in the mix. The more they know about a company’s strategic priorities and appetite for risk, the more helpful they can be.
Corporate boards will obviously play a key role as well because their decision-making power is required.
Consider, for example, a recent survey of cybersecurity leaders that targeted banks, investment companies and insurers. These financial services institutions (FSIs) lead the pack in terms of the average cost of cybercrime incurred by companies in a particular industry. In the survey, conducted by Deloitte, respondents said their worries about cyber-exposure were second only to regulatory/compliance concerns. At the same time, however, only 42 percent of respondents said they felt their organization was “extremely effective” or “very effective” in managing cyber-exposure.
News of such a disconnect these days is too important to go unreported to the board of directors. Directors, like CISOs, can no longer afford to be content with the status quo. Simply weighing data about metrics, resources and compliance, a common drill, is insufficient. Directors must also consider what an organization is doing to protect its data and ultimately its business.
During the past year or so, fortunately, many directors have begun asking hard questions about their company’s cyber-risk. What, exactly, is the company’s risk appetite? Have threat and vulnerability assessments been conducted to evaluate company risk? Does the organization have the expertise and resources needed to reduce risk? And what risk has the organization already mitigated, removed or accepted?
Directors have been noticing shareholder proposals at other companies, such as Disney and Verizon, that directly link CEO pay to cybersecurity. Since CEOs report to boards, that hits close to home. Some boards have also begun recruiting cybersecurity experts to join them to ensure the board is fully aware of potential business risks, although so far only a small percentage of S&P 500 companies have identified these experts in their proxy statements.
Meanwhile, CISOs—always critically important—are becoming even more so by taking the time to better educate directors about security issues. Even if the board attracts a cybersecurity expert, it can still benefit from input from an engaging CISO offering additional perspective.
CISOs themselves can also do better, however, and not merely because most today don’t have a sufficient view of the business side of cybersecurity. Many CISOs, for example, don’t have complete lists of IT inventory or third-party suppliers. This may be because the CISO works for an acquired company not fully integrated into the parent company. Or perhaps he or she works for a company with divisions that run their own technology operations and erect silos.
If either of these scenarios applies, the CISO needs to work to overcome it. Otherwise, such situations leave CISOs unable to fully assess the security risks of the entire organization, and that should not be tolerated. Every qualified corporate employee has to join the cyber-fight to mitigate risk wherever it exists.