Elevating data risk management to the board level

Brigadier General (retired) Gregory J. Touhill's appointment as the first US federal Chief Information Security Officer is something of a milestone for the cyber security community.

The move was a major recognition from the world’s most powerful organisation that cyber security is a critical imperative, not just a technical issue.

For years, the security industry has worked to up-level cyber security to the most senior decision makers. Work remains, but the message that security must be a board-level priority has been well received.

For most, cyber security is something like climate change: the facts are widely accepted, but the solution is far more elusive.


In 2015 the estimated global cost of cyber crime was $3 trillion, and it is expected to double by 2021: a full $6 trillion ($6,000,000,000,000) of economic value lost every year.

The cost includes literal theft (money, IP, data), damaged and destroyed data, lost productivity, embezzlement, fraud, business disruption, investigation, restoration and remediation, and finally, reputational harm.


Aware of the massive risks, businesses and public organisations are increasing cyber security spending in an attempt to better protect themselves. Gartner predicts an almost 11% annual growth for the cyber security market over the same five-year period ending in 2021.

But increased spending alone can’t fix the problem.

Traditional approaches aren’t working

Despite huge (and growing) security investments, cyber attacks were more expensive and more frequent in 2016 than ever before, and the scale and scope of cyber crime will only continue to grow in 2017.

One issue is the reliance on traditional prevention-focused controls such as perimeter defences and anti-virus, and even so-called "next-gen" solutions like Endpoint Protection Platforms (EPP). All of these aim to stop an attack before it lands, and none of them tells you what happened when one gets through.

Perimeter security vendors promise to eliminate "99% of all threats". The remaining 1% is costing global organisations an estimated $3 trillion.

Effective cyber security in 2017 and beyond will require a layered approach that includes tools for prevention, detection, investigation, remediation, and coordination.

Gartner recommended this year that organisations shift focus from perimeter defence to a "continuous response" mindset. The idea is to assume that systems are already breached, which requires active monitoring and response rather than prevention alone.


Gartner also predicts that by 2020, rapid detection and response solutions will make up the majority (60%) of cyber security budgets, up from only 10% in 2014.

Increased focus on response and bigger budgets are important, but other advancements are needed. Specifically, organisations need to change how they think about data and security together at the highest levels.

The next board-level conversation: data-centric security

Layered security is the right approach for InfoSec teams facing advanced threats, but it does not address an alarming truth about cyber security: in practice, security teams rarely know where the valuable data they are tasked with protecting is located.

In 2017, the C-suite and members of the board should finally demand answers to basic questions such as: which sensitive data would do the most harm if lost or stolen, and where does that data actually reside?

When InfoSec teams are unable to prioritise data protection, everything must be given equal weight.

This boil-the-ocean approach is inefficient and will become even more challenging with the proliferation of shadow IT, data sprawl, IoT, BYOD, etc.

Organisations need to give cyber security teams context and insight into their sensitive data, so they understand "what" they are protecting and can apply the strongest protection to the most valuable information.
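What "context and insight into sensitive data" looks like in practice is a discovery and classification pass over the places data actually lives, with the results ranked so the team knows where to spend its effort first. The following is an added illustration of that idea, not code from the article or from Guidance Software's products. It scans a handful of constructed sample files for common sensitive-data patterns, applies a Luhn check so that random digit runs are not mistaken for card numbers, and ranks each location by an assumed risk weight per data type (the weights are illustrative; a real programme would take them from the organisation's own classification policy).

```python
"""Toy sensitive-data discovery: scan file contents for PII and secret
patterns, then rank locations by risk so protection can be prioritised.

Added example for illustration only (not the article's or any vendor's code).
All file contents below are constructed sample data.
"""
import re
from collections import defaultdict

# Detector name -> (compiled pattern, assumed risk weight).
# Weights are illustrative assumptions, not values from the article.
DETECTORS = {
    "email":       (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), 1),
    # US SSN shape; excludes area numbers 000, 666 and 9xx, group 00, serial 0000.
    "us_ssn":      (re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), 5),
    # 13-19 digits with optional space/hyphen separators; confirmed by Luhn below.
    "credit_card": (re.compile(r"\b(?:\d[ -]?){13,19}\b"), 5),
    # Two well-known secret prefixes (AWS access key id, Stripe live key).
    "api_key":     (re.compile(r"\b(?:AKIA|sk_live_)[A-Za-z0-9]{16,}\b"), 8),
}

# Constructed sample corpus: path -> content. The AWS key is AWS's own
# documented placeholder, not a real credential.
SAMPLE_FILES = {
    "hr/payroll.csv": "alice@example.com,123-45-6789\nbob@example.com,987-65-4320\n",
    "marketing/newsletter.txt": "Contact us at news@example.com for details.\n",
    "finance/orders.txt": "card 4111 1111 1111 1111 approved; ref 1234 5678 9012 3456 rejected\n",
    "dev/config.env": "DB_PASS=hunter2\nAWS_KEY=AKIAIOSFODNN7EXAMPLE\n",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Return {detector_name: hit_count} for one document's content."""
    hits = defaultdict(int)
    for name, (pattern, _weight) in DETECTORS.items():
        for match in pattern.finditer(text):
            if name == "credit_card":
                digits = re.sub(r"\D", "", match.group())
                if not luhn_ok(digits):
                    continue    # shaped like a PAN but fails checksum: ignore
            hits[name] += 1
    return dict(hits)


def risk_score(hits: dict) -> int:
    """Weighted sum of hits; higher means protect this location first."""
    return sum(DETECTORS[name][1] * count for name, count in hits.items())


def inventory(files: dict) -> list:
    """Rank {path: content} as (path, score, hits), highest risk first."""
    rows = [(path, risk_score(classify(content)), classify(content))
            for path, content in files.items()]
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


if __name__ == "__main__":
    for path, score, hits in inventory(SAMPLE_FILES):
        print(f"{score:3d}  {path:28s}  {hits}")
```

Run as-is, the ranking puts the developer config with an embedded access key first, the payroll export with SSNs second, and the marketing file with a single public mailbox address last. The order, not the absolute numbers, is the point: it is the answer to "where does our sensitive data reside, and which of it matters most", and it is what a board should expect the security team to be able to produce.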

By elevating the discussion of information security and governance to the board level, organisations can start to develop a "data-centric" protection strategy focused on proactive measures to reduce the surface area of digital risk.

The role of the C-level and board

Executive sponsorship and board-level visibility are a must for a successful data-centric security strategy.

Records management, information security, e-discovery, privacy and risk management must all be coordinated through a data governance structure owned by a C-level executive such as the CISO, CIO, chief privacy officer or chief information governance officer.


C-level accountability ensures the efficient coordination of these activities and raises the transparency of any data-centric security model to the highest levels of business decision-making.

This is absolutely critical to safeguarding the driving force of any organisation: personally identifiable information, non-public information and sensitive corporate data.


The digitisation of almost everything continues to change how companies, consumers, governments, and criminals operate.

Cyber security will only continue to become more important and the best-prepared organisations will coordinate security and information governance through the c-suite with board-level awareness and involvement.

Those that don’t will likely face more significant breaches and greater costs associated with mitigation, remediation and lost trust.


Sourced by Patrick Dennis, CEO, Guidance Software


Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...
