The IBM Institute for Business Value recently reported some disturbing findings: no one in the C-Suite seems to be paying close attention to threat management and cybersecurity.
But with the current risk landscape, it should be on every executive’s radar. Let’s take a look at how cybersecurity and a data breach would affect each executive and why this isn’t a one-man responsibility.
We’ll start with the most obvious senior executive who should be involved in ensuring corporate cybersecurity. The Chief Information Officer is often the person tasked with ensuring proper processes, practices and procedures are in place to prevent a data breach. In some organizations a Chief Information Security Officer (CISO), Chief Security Officer (CSO) or Chief Technology Officer (CTO) may bear more of the hands-on responsibility, but those roles often report to the CIO, making the CIO the top C-Suite executive within this area.
As the executive most directly responsible for ensuring measures are in place to prevent a data breach, the CIO is going to be the first person everyone turns to for an explanation if something goes wrong. With the increasing risk landscape and growing number of breaches, it’s in the CIO’s best interest to advocate strongly for IT/cybersecurity budget and to implement best practices. If the CIO ignores cybersecurity, it’s not a matter of “if” but “when” a data breach will happen.
Even though the CIO/CTO is the role most commonly responsible for cybersecurity, only 56% of CIO/CTO roles are “highly involved in threat management.” That percentage needs to grow aggressively in 2018.
While less involved with security measures specifically, a breach will certainly affect a Chief Operations Officer, who is responsible for overseeing the overall operations of the organization. When a breach happens, remediation is needed to address the current issue and prevent future incidents. That can be a major undertaking for an organization, oftentimes involving outside consultants and sometimes including close regulatory oversight to ensure proper safeguards are put into place (another operational burden), not to mention the monetary ramifications associated with a breach.
Even a small breach can have large ripple effects that disrupt the COO’s ability to “ensure financial strength and operating efficiency.”
CEOs are perhaps less involved with cybersecurity (only 45%) because they may be relying on their CIOs and COOs to monitor and address the matter. But as the person at the helm of an organization, the CEO is ultimately the one responsible for anything that happens – and that’s reflected in the increasing number of CEOs who are resigning or being fired in the aftermath of security breaches.
CEOs can no longer blindly entrust cybersecurity to other members of the C-Suite. Their personal job security and reputation are on the line, as data breaches and the ensuing executive exits are now major media-worthy events. Data breaches also damage company reputation, bring large financial penalties and force major organizational changes to address future risk. A CEO will be expected to answer for all of these business disruptors to the board of directors and other stakeholders.
Chief Financial Officers have the lowest reported involvement in threat management, but the cost of a data breach and increasing monetary fines should have CFOs paying attention and asking about their organization’s risk posture.
A 2017 Ponemon study put the average total cost of a data breach at $3.26 million, with an additional $4.13 million in lost business in the U.S. The study also found that practices like having an incident response team, using encryption and having board-level involvement in risk management can result in big cost savings during breach incidents. CFOs should be actively working with other executives and departments to make sure mitigation measures are in place to prevent a breach or stem the damage if an incident occurs. The price tag for not being involved is hefty.
Breaches Aren’t Unusual
For some organizations and executives, investing in cybersecurity measures is a hard line item to justify because you rarely see a tangible payoff. It’s not an investment that visibly increases employee productivity, reduces spending or expands an organization’s market share. Investing in threat management and cybersecurity is, in fact, paying to stop something from happening. When balancing budgets and trying to maximize profit, it’s tempting to gamble with cybersecurity. But that’s a bet you’re increasingly going to lose.
The Ponemon study found that 1 in 4 organizations will experience a breach – and breaches are getting bigger. Equifax had 143 million records compromised, and Yahoo admitted that the personal information of every Yahoo customer (3 billion total) was affected by its 2013 breach.
Experts agree that organizations lag far behind the cybercriminals causing many of these breaches, and in many cases companies aren’t even properly addressing internal threats and accidental breaches. The breadth and scope of the impact caused by data breaches, coupled with their increasing intensity and cadence, mean that this is an issue that touches the entire C-Suite. It’s an important issue that needs to be brought to the table on a regular basis, and it’s the job of every executive to make sure that the conversation (and meaningful action) stays at the forefront for the good of the company (and themselves).