By David Raissipour, Mimecast Chief Technology & Product Officer.
In an evolving threat environment where adversaries seemingly grow more dangerous by the day, cyber risk is no longer just an IT problem—it’s a critical vulnerability that directly influences the health of the collective enterprise. A successful cyberattack can lead to damaging ramifications that are too severe to overlook amid high levels of economic volatility and geopolitical tension across the globe.
The average cost of a data breach ballooned to a record-high $9.4 million in 2022, but the ripple effects of a single successful attack often linger long after operations are restored. A cyber incident exposing sensitive customer data, for example, can significantly diminish a brand’s reputation years into the future, potentially resulting in steep declines in YoY revenue. More than 60% of consumers said they would lose trust in their favorite brand if it disclosed personal information to a spoofed version of its website. Furthermore, according to the same report, 57% would stop spending money on their favorite brand altogether after falling victim to an impersonation attack of that brand.
On a federal level, the Biden administration’s new U.S. national cybersecurity strategy aims to hold the private sector accountable for breaches by “placing increased responsibility on those within our digital ecosystem that are best positioned to reduce risk.” This will essentially shift liability away from attack victims in favor of systems and software vendors to help drive more secure product development practices. The Securities and Exchange Commission (SEC) will also soon require public companies to disclose their cybersecurity governance capabilities, including the board’s oversight of cyber risk and its inclusion within their business strategy, risk management profile and budgetary controls.
The correlation between cyber risk and business risk isn’t a foreign concept by any means. Cyber resilience leaders across sectors have been beating this drum for years. But recent upticks in high-profile attacks coupled with accelerated cloud adoption, narrowing profit margins and new federal compliance mandates have raised the stakes entirely. The lines between cybersecurity and enterprise risk management are far less blurred. CISOs finally have the C-suite’s full attention.
It Takes A Village
Companies can’t afford a poor security posture that places their wider business ecosystem employees, customers, partners, investor—and supply distributors alike—in the crosshairs of attacks or stringent regulatory penalties. And with the growing rate of multi-vector supply chain attacks, companies can’t afford to collaborate with poorly secured external parties that subsequently heighten their own level of risk. Cybersecurity is a team sport, and a team is only as strong as its weakest link.
In turn, maintaining cyber resilience is a mandate for all involved. The notion that cyber risk is business risk must permeate throughout every layer of the enterprise. Strategic business decisions like mergers & acquisitions, third-party vendor transactions and supply chain partnerships should be shaped around their degree of cyber risk. Employees should be positioned to reduce risk via scalable user awareness training tailored to their unique learning styles.
Layering security across the business ecosystem also requires a firm understanding of the organization’s risk profile and end-to-end visibility of its attack surface. That starts by determining primary risks based on their security environment, high-value assets, compliance protocols, staffing levels, technology stack and specific industry. Then, align third-party relationships with an integrated “defense-in-depth” model that promotes sharing of real-time threat intelligence across the wider business ecosystem, enabling SOC teams to bridge prevention, detection and response controls for swift remediation.
Once the risk profile is established, construct a robust security architecture that addresses its exposures based on its level of quantifiable risk. This maximizes protection around key areas of the business to avoid costly disruptions and operational downtime. Also, ensure that clear KPIs are in place, and then continuously monitor and adjust the architecture as needed with input from the C-suite and board.
Articulating Risk To Drive Action
With rising awareness around the severity of cyber risk, progress is underway toward integrating more cybersecurity expertise within corporate leadership teams. Gartner predicts that by 2026, 70% of boards will include at least one member with cybersecurity experience. However, regardless of cyber representation levels, CISOs still must be able to effectively articulate the connection between cyber risk and business risk to a non-technical audience. Keep these recommendations in mind when approaching the C-suite and board regarding matters of cybersecurity.
• During conversations with corporate leadership, avoid technical jargon while demystifying the immediate and long-term risk that cyber threats pose to the organization.
• When promoting the benefits of security tool adoption and adequate spending, link cyber threats to specific business outcomes for a more impactful message.
• Create detailed mechanisms that align cyber risk with overall business risk to help implement built-in security functions.
• Don’t turn every incident into a doomsday scenario, but how your organization responds to them is what matters most.
• Adopt a tactical approach to framing cyber risk to the board so that it doesn’t require a major breach to generate buy-in.
Now more than ever, cyber risk is a fundamental business risk for the modern enterprise, and it’s imperative to design security architectures accordingly. By establishing cyber resilience as a foundational tenet of their wider business ecosystem, organizations can make measurable strides toward a safer and more secure future.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
Read the full article here