It took time, and some major monetary losses, but executives are finally beginning to understand the need for C-level cybersecurity leadership. The question now is – what will they do with this newfound understanding?
In a new report issued prior to an upcoming security conference, Gartner identified six trends in security and risk management among CEOs in top companies. While in the past, cybersecurity has not always been a major issue for C-suite executives, recent high-profile breaches have given them a new outlook. Those breaches, the Gartner report says, include the Equifax data breach that cost the CEO, CIO and CSO their jobs; a WannaCry ransomware attack that caused worldwide damage estimated at between $1.5 and $4.0 billion; and Verizon’s recent $350 million discount on its purchase of Yahoo! as a result of the latter’s data breach.
That doesn’t mean, of course, that organisations didn’t have cybersecurity solutions before, but in the past, they may have relied on IT staff to “handle” things. With the stakes so high, executives are taking a closer look at the effectiveness of their security systems.
Part of that shift is a change in emphasis at many organisations. Instead of approaching cybersecurity as a matter of defending the firm’s computer systems, many organisations now emphasise the importance of ensuring that the organisation can continue to operate or get back on its feet very quickly, regardless of the attacks it sustains or the threats it faces. This is a broader approach known as cyber-resilience, which combines cybersecurity and business continuity. According to Peter Firstbrook, Research Vice President at Gartner, “Business leaders and senior stakeholders at last appreciate security as much more than just tactical, technical stuff done by overly serious, unsmiling types in the company basement” – meaning that scrutiny of the spend on cybersecurity is going to increase, as executives strive to ensure that they won’t be victims of the next big breach.
Traditionally, cybersecurity has been the “property” of the IT department, but with the effort to be more proactive, executives are looking at new approaches to cybersecurity. In the “traditional” defensive mode, IT staff will point to the wide range of threats that require a wide variety of solutions. Anti-virus, sandboxes, IDS, cloud solutions – each deployment has fees for installation, subscription, updates, new versions to deal with advanced threats, etc.
But C-level executives are beginning to realise that this is not enough. Given the number of threats companies face, a safe assumption would be that the firm will be attacked and that the attack may be one that could potentially shut down operations. The objective, then, must be to develop a way to avoid that outcome and to ensure that despite an attack, an organisation can continue. As a result, in recent years many organisations have focused on IT resiliency and not just on protection.
The change in outlook in the executive suite is also impacting the CISO, whose job is to protect the organisation from threats. Cyber-defense plans are morphing into business continuity plans, and in many organisations, the CISO is now expected to look at the bigger security picture as well. And if, in the past, “security” meant protecting data and systems from attacks, CISOs are increasingly being called on not only to safeguard systems but also to strategise methods by which the organisation can get back on track with minimum downtime, and with up-to-date mission-critical data in the event of a breach. This is a very logical idea, given that research by IDC shows that infrastructure outages can cost large companies as much as $100,000 per hour, while the failure of critical applications could cost as much as a million dollars an hour. As part of the broader role of CISOs, more of them are finding that their services are wanted in the C-suite. A growing trend, in fact, is the elevation of the CISO to a senior executive position – even above the CIO, traditionally the CISO’s boss and in charge of the organisation’s data.
The new attention executives are paying to cyber security promises to be a boon for organisations, bringing fresh perspectives and ideas on protection, resilience, and recovering from a cyber attack. The key for executives is to keep their eye on the prize – which in cyber security, means taking all preventive measures while preparing to resume critical operations rapidly, safely, and with accurate data in case of a breach.
Written by Yaniv Valik, VP Product Management at Continuity Software.