Over the past several weeks, each of my blog posts have focused on informing and empowering you to build a solid case for implementing a comprehensive cybersecurity strategy with your senior management team.
The numbers don’t lie: Cybercrime continues to rise, with costs of attacks jumping 13 percent on a constant currency basis in 2015. The average total cost of attacks by country ranged from $2 million to as high as $15 million – and when you adjust for local currencies, it rose in every single country last year.
As we continue to become more aware of what we need to do, bad actors find more ways to infiltrate our systems.
Cyber-attacks are so prevalent today that it’s impossible for your senior leadership team to be blind to the risks. However, how can you truly drive the point home that it’s time to implement a strategy to protect against, detect, and mitigate breaches?
There are two ways to accomplish this:
- Find out who is handling risk oversight and cybersecurity.
- Speak the language of your senior leadership team – more often than not, that language is return on investment.
Who is handling risk oversight?
Because of millions of dollars being lost to cyber-attacks every year, risk oversight is becoming more formalized according to a recent survey conducted by Deloitte LLP’s Center for Corporate Governance and the Society of Corporate Secretaries and Governance Professionals.
The survey – which focused on all aspects of board composition, tenure, and experience – found risk oversight is handled by an audit committee, a mix of committees, or even by the full board. While the ownership on the board may differ, what is clear is that risk – which includes cybersecurity – is prompting more discussion than ever. Sixty-six percent of survey respondents said their board has a detailed discussion on risk at full board meetings, a 13 percent increase since its last report. Cybersecurity as part of risk oversight is increasing in awareness across all companies surveyed.
The survey results show that most often the full board or the audit committee is responsible for the oversight of cybersecurity matters. Since audit committees are responsible for risk oversight, this isn’t surprising. No respondent, however, said the board has a separate cybersecurity committee: This is generally left to chief information officers and chief technology officers (55 percent and 30 percent, respectively) to communicate to the board.
Speaking the language of ROI
How can you get through to these senior leaders about the importance of cybersecurity technology? You lay out the case for what needs to be done – people, process and technology – what is at risk, and then you show them how a particular set of technologies can help enable the strategy.
When they balk at the price, give them the statistic from the latest Ponemon Institute study on the cost of cyber-attacks. On average, companies deploying cybersecurity technology realize a 15 percent return on their investment. The specific breakdown by technology is as follows:
- Security intelligence systems: 23%
- Encryption technologies: 21%
- Advanced perimeter controls and firewall technologies: 20%
- Access governance tools: 13%
- Data Loss Prevention tools: 12%
- Governance, Risk and Compliance tools: 12%
- Automated policy management tools: 6%
Virtually every company knows it needs to address cybersecurity. It’s a matter of understanding which senior executive is responsible, and showing how technology can not only be an enabler to your strategy but help save the company money in the long run. That’s speaking the language of the board.
We can help enable your cybersecurity strategy: Building on 20 years in cybersecurity, US Cyber Vault protects against threats, provides a secure data storage and computing environment, and is supported by an incident response team of counter intelligence experts. Visit our website to learn more.
Written by Rob LaMear, CEO, US Cyber Vault
Once a month we share where we will be speaking in the world as well as expert opinions on cyber security, data loss prevention, and information security that we like from the larger community. Receive our next issue by signing up here.