Boardroom: Elevating Cybersecurity Discussions

Uploaded on 2016-04-18 in FREE TO VIEW

As data breaches continue to rise, organizations, regardless of their size or industry they are in, must take into consideration a new mindset.

Despite the FBI’s focus on cybercriminal activity, less than five percent of computer-related crimes are successfully prosecuted.

Unfortunately, jail time and other penalties are rare, despite the pervasiveness of cybercrime and cyber espionage. Corporate decision makers are faced with a shocking reality: from a cyber perspective, they are on their own when it comes to protecting their reputations, intellectual property, finances and consumers.

That having been said, it is no longer a good idea to consider the IT department solely responsible for the protection of important data. Instead, it should be assessed and managed at all levels throughout an organization.

Each operating group within a company is vulnerable due to Internet-connected technology. Taking a broader look at security can help mitigate daily threats that assail companies. When it comes to data breaches, the question is not if, but when a company will be targeted. This should dictate a shift from the current security investment deficit.

Currently, only eight cents of every IT dollar is spent on security, which is inadequate for the majority of organizations, both large and small. At these levels, customer and corporate information is not sufficiently protected when facing the hostile cybercriminal community. Reputations are at stake and brands could be jeopardized due to lax measures. Understanding that more than data is at stake, decision makers and board members must make data protection a top priority.

Boardroom: Rising to the challenge

Appointing a Chief Information Security Officer (CISO) to take the lead in keeping corporate data safe is a step taken by many forward-thinking companies. While this is a move in the right direction, the big question is to whom these individuals should report. In the past, the answer has been the chief information officer (CIO).

While this seems logical, the problem lies in the competing priorities of a CIO and CISO. CIOs are typically only focused on technology infrastructure and resources, with the most concern for increasing efficiencies, access and resiliency.

Though important, these can be in opposition to the needs of a CISO, who aims to improve enterprise-wide security measures and risk management across all silos. When considering governance, placing the CISO within the purview of an executive with broader responsibilities, such as a CEO, is advisable.

Due to the myriad of overarching implications, today’s enterprise leaders should be held accountable for cybersecurity, regardless of their role. A prime example is the chief marketing officers. The executives are typically more focused on how the Web is used, with email campaigns, mobile app development and website updates, but these promotional endeavors can leave the door open for malware or other attacks to be released on unsuspecting customers. At each operating level, the influence of technology demands an awareness of where security fits into everyday functionality.

Preventing the spread

An additional justification for broadening security responsibly across an organization is the propensity for threats to emerge as moving targets. Malware infections often migrate laterally within an enterprise, as well as from third-party vendors. When a network becomes compromised, attacks can be widespread in the entire IT framework and supply chain, in what is known as “island hopping.”

The Target breach is a good example of island hopping at work. The investigation revealed that hackers had infiltrated a vendor’s system in order to steal the retailer’s credentials. As a result, criminals successfully gained access to information of approximately 40 million customer credit cards, potentially affecting more than 100 million consumers. The impact of this attack is still being felt across the retail sector today.

It can be easy to overlook third-party partnerships from a security perspective, but these potential gaps warrant the awareness of corporate leadership. Examining the policies of partner organizations is one way to strengthen internal security, particularly if the company is publicly traded. The fact that these partners often have access to sensitive information, making them attractive targets, cannot be ignored.

A holistic perspective to cybersecurity can help mitigate the risk of system-wide threats.

A new attitude

For the last 20 years, corporate focus has consistently been on cutting costs, improving access and increasing efficiencies. That level of commitment should now be given to customer, partner and investor information, and to making it secure as possible in the digital world. Physical safety is an expected convenience of in-store shopping, and online environments should offer information security. Therefore, enterprises should invest between 10 to 20 percent of their IT budget in cybersecurity as a function of brand protection.

Elevating cybersecurity to an operational and risk management priority will take effort and focus but can yield many dividends. For this practice to become a reality, boards of directors must educate themselves to improve governance and oversight. To stay ahead of the bad guys, a shift in investment strategy, as well as strong improvements to employee training and reporting structure are paramount.

HelpNetSecurity: http://bit.ly/1MaXxOP

« Who’s in Charge When US Suffers A Cyberattack?
EU Cyber Agency Urges Action To Avoid Crisis »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Cofense

Cofense

Cofense (formerly PhishMe) is a leading provider of human-driven phishing defense solutions.

OnSystem Logic

OnSystem Logic

OnSystem Logic has developed a unique, patent-pending solution to solve the problem of the exploitation of flaws in application software as a technique for cyber attacks.

ngCERT

ngCERT

ngCERT is the National Computer Emergency Response Team for Nigeria.

Featurespace

Featurespace

Featurespace is a world-leader in Adaptive Behavioural Analytics and creator of the ARIC platform for fraud and risk management.

Asvin

Asvin

Asvin provides secure update management and delivery for Internet of Things - IoT Edge devices.

Seavus Accelerator

Seavus Accelerator

Seavus Accelerator's goal is to create an enabling and stimulating environment for start-ups growth and provide continuous high quality acceleration and investment support.

Cyber Command - Estonian Defence Forces

Cyber Command - Estonian Defence Forces

The main mission of the Cyber Command is to carry out operations in cyberspace in order to provide command support for Ministry of Defence’s area of responsibility.

Berkeley Varitronic Systems (BVS)

Berkeley Varitronic Systems (BVS)

Berkeley Varitronics Systems is an engineering think tank delivering custom wireless RF engineering products and solutions including cyber security.

Stratum Security

Stratum Security

Stratum Security is an information security consulting company that focuses on providing clear and concise risk guidance to its clients through high quality assessment services.

Tactical Network Systems (TNS)

Tactical Network Systems (TNS)

Tactical Network Solutions helps you discover hidden attack vectors in IoT and connected devices before someone else does.

DeVry University - Cyber Security Degree

DeVry University - Cyber Security Degree

Explore the dynamic world of data protection with a hybrid or online cyber security degree specialization with DeVry's IT & Networking Bachelor's Degree.

SecurIT360

SecurIT360

SecurIT360 is a full-service specialized Cyber Security and Compliance consulting firm.

Atlant Security

Atlant Security

Atlant Security is a cyber and IT security company offering consulting and implementation services.

Digital Security by Design (DSbD)

Digital Security by Design (DSbD)

Digital Security by Design is an initiative supported by the UK government to transform digital technology and create a more resilient, and secure foundation for a safer future.

Focus Digitech

Focus Digitech

Focus Digitech helps you with your digital transformation journey with our main core offerings of Cloud, Cybersecurity, Analytics and DevOps.

Solcon Capital

Solcon Capital

Solcon Capital is a forward-looking, technology-focused investment firm that is committed to identifying and investing in the most promising areas of innovation and development in the tech industry.