Why are cybersecurity incidents so frequent, expensive, and embarrassing? Given the investments organizations make to shore up their defenses and the media's focus on incidents, you'd think everyone would get the message and take steps to eliminate the possibility of an incident. However, I'm surprised that recent headlines tell me otherwise.
You may be wondering: what is driving executive inaction when it comes to cybersecurity?
These incidents continue to happen because it's difficult for management to understand how high the cybersecurity risk is and to what extent they need to mitigate it. There is no silver bullet to eliminate the threat. Management often makes the mistake of saying:
- The Information Systems (IS) department manages the risk.
- The organization is too small or not attractive to potential attackers.
- Media reports about cybersecurity incidents often exaggerate their consequences.
Additionally, executives face constant conflicting pressures:
- Shareholders press for higher profits.
- Competitors claim to offer lower prices.
- Customers don't want to pay high prices.
- Employees press for higher salaries.
- IS leaders report that the cybersecurity situation continues to deteriorate even after record spending on defenses.
- Suppliers want or need to increase prices.
- Management wants to keep costs down and maintain bonuses.
In such a tough business environment, executives are hesitant to spend money on cybersecurity defenses that they see as providing little to no benefit. Too often, this inaction has led to disaster.
What are the consequences of management inaction when it comes to cybersecurity?
Here are some consequences of poor cybersecurity defenses you need to avoid:
- Headlines about cybersecurity failures that damage reputations with customers and suppliers, resulting in lost business.
- The costs and business disruption of cleaning up after a cybersecurity incident.
- Loss of revenue due to business interruption.
- Potential regulatory investigations and fines.
- Intellectual property theft that creates competitors and causes loss of market share.
- Tarnishing of one's carefully cultivated reputation as a good businessperson.
While the costs of prevention often seem high or even prohibitive, they are significantly less expensive than the costs of dealing with the impacts of a cybersecurity incident.
What should management do about cybersecurity risks?
First, conduct a cybersecurity risk assessment, which produces facts over opinion, hunch, intuition, and denial.
The results of your cybersecurity risk assessment reveal:
- Which defenses are working well. These findings build confidence that some cybersecurity defenses are working.
- Which defenses need to be strengthened. These findings form the basis of a plan of action for strengthening specific cybersecurity defenses.
- Which potential defenses do not yet exist. These items provide an agenda for discussion about additional cybersecurity defenses to implement. No organization is required to address every item on the list to mitigate cybersecurity risk.
The findings move the cybersecurity discussion from generalities about risk and cost to multiple, specific, detailed actions whose value and cost can be concretely assessed by executives.
What does a comprehensive cybersecurity risk assessment include?
All too often, executives ask IS leaders for their opinion on the adequacy of cybersecurity defenses. No matter how much trust executives have in IS leaders, without supporting data, their opinion can be dangerously misleading.
When determining the content of a comprehensive cybersecurity risk assessment, you should consider the following:
- Is an in-house-developed cybersecurity assessment sufficient? An in-house-developed risk assessment framework will not benefit from the contributions of many experts, although it may be possible to tailor it to the risks and priorities of your organization. It is often better to base your risk assessment on an established cybersecurity framework.
- What cybersecurity framework will you use? Choose a framework that is appropriate for your industry and organization size.
- Who will perform the cybersecurity risk assessment? Audit department employees may not have the necessary technical expertise. Someone on the IS leadership team may be tempted to come up with overly optimistic findings. The objectivity of an external consultant may be well worth it.
Yogi Schulz has over 40 years of information technology experience across a variety of industries. Yogi has worked extensively in the oil industry. He manages projects resulting from changing business requirements, the need to leverage technology opportunities, and mergers. His areas of expertise include IT strategy, web strategy, and project management.
© Troy Media