Cybersecurity is high on the agenda of many board meetings. According to IDC, while most corporate budgets are shrinking, global security spending is expected to grow 8.1% annually to reach $174.7 billion by
To be truly effective, management and CFOs must fully understand the risks and make cybersecurity a foundation for nearly every top-down effort.
Massive data breaches and devastating ransomware attacks can wreak havoc on par with natural disasters, often resulting in loss of brand value, customer loyalty, and partnerships, as well as business outages. Cybersecurity Ventures points out that the expected cost of cybercrime in 2021, estimated at $6 trillion, is the “largest economic wealth transfer in history.”
If management and CFOs learned anything in 2020, it was to anticipate the unexpected. But to be truly effective, executives and CFOs must fully understand the risks and make cybersecurity a foundation for nearly every top-down effort.
It’s not just an IT problem
The bottom line is that security measures are no longer just a matter of patching and protecting IT systems; they are embedded deep within the operational environment.
Last June, when ransomware brought down the internal network of a global manufacturer, the company was forced to temporarily shut down its manufacturing facilities, customer service and accounting services.
Another important point is the widening range of risks faced by large companies. Socio-technical factors such as the regulatory environment, social and political change, and corporate culture all influence threat trends.
Inadequate communication of security policies from management can lead to insider threats and the exfiltration of sensitive data. In addition, there is a danger that the introduction of new management policies, M&A activity, and partnerships with suppliers will unintentionally provoke hacktivist groups into defacing corporate websites, hijacking social media accounts, and taking services down with DDoS attacks. A poor data privacy plan can result in significant penalties in some jurisdictions, while in others the penalties may be minor.
While most executives understand the impact security can have on their brands and customer trust, and CFOs are similarly well versed in cost, CISOs (Chief Information Security Officers) feel a heavy burden in their mission of continually communicating risk trends.
Make security a priority
DXC’s security team is focused on helping organizational leaders understand security risks from their perspective. Here are some best practices to help you make security a top priority for your organization.
Consider the risk and ROI of security breaches, not threats and vulnerabilities: Security monitoring tools and threat intelligence clearly show the rise in cyberattacks, but they cannot answer the fundamental question, “How secure is my organization?”
Executives need data to understand cost, reliability, and risk, but CISOs must also provide a holistic view of risk.
A corporate culture that is aware of cyber risks starts at the top. With highly sophisticated spear-phishing attacks on the rise, executives are more cautious than ever. CISOs need to articulate ROI, because many CFOs think in terms of weighing the cost of risk mitigation against the potential risk: that is, the likely impact on stock price and shareholder value, or the potential cost of a vulnerability versus the cost of remediating it.
Attempting to protect against every conceivable threat not only drives up costs but can also hinder business innovation and growth. Decisions must therefore be made in collaboration with different departments, striking the right balance between risk prioritization and effective security management.
Appoint security personnel: In recent years, senior corporate leaders have focused on diversifying their management teams, seeking the benefits of diverse backgrounds and perspectives as well as skills in areas such as investment management, IT, human resources, and risk management.
In some cases, particularly in industries that are more likely to be targeted by cyberattacks, such as banking, retail, healthcare, and utilities, cyber risk officers (advancement leaders) are added to the executive team. Adding a security officer to the management team makes it possible to run the organization with an emphasis on security. Support from members with experience in security measures and in dealing with major breaches helps even those new to technology gain a better understanding of rapidly changing risks.
Don’t rely solely on cyber insurance: Cyber insurance is a relatively new risk-mitigation tool, typically covering liabilities associated with data breaches, such as damages, court costs, customer notification, data recovery, and computer system repair. However, such cyber insurance may not cover loss of profits due to intellectual property theft or the cost of upgrading software or equipment to prevent attacks.
Many CFOs and CROs (Chief Risk Officers) need to carefully weigh the benefits of cyber insurance against self-insurance options. After a cyberattack in 2018, the city of Atlanta spent $2.7 million on recovery instead of paying the $50,000 demanded. Most of the money was spent on upgrading the outdated system. Cyber insurance makes it easier for CFOs to refuse to pay, but a breach can still damage the company’s image. Prevention, rapid response, and operational resilience remain the best defenses.
Implement agile management processes: New vulnerabilities are constantly being discovered and attackers are constantly changing their tactics, so agile management processes need to be incorporated into the security plan.
Businesses and organizations should follow best practices and implement resilience plans for managing security, just as core systems need a disaster recovery plan and backups. And just as companies pursue continuous improvement in operations, customer service, and other key areas, executives and CFOs need to think the same way about security.
Managing security plans and fending off attackers is always a trade-off between cost and risk, but so many factors are involved that security decisions need to be informed, strategic, and collaborative. As such, understanding cybersecurity is a critical component of any discussion among senior management, including the CFO.