It’s that time of year, again, with many companies busying themselves in the art of budgeting and forecasting for 2018.
In some companies, this means the chief information security officer (CISO) having to communicate the importance of including enterprise security in this planning, using a language that the members of the board will understand.
“For some, this will mean being given a short amount of time to make sure a group of non-technical people understand the company’s business risks and believe that your plan to mitigate them is comprehensive, necessary and worthy of investment,” says Anton Jacobsz, MD of Networks Unlimited.
“The keyword here is ‘business’ — we have got to translate our on-the-ground security concerns into business terms, risks and outcomes. We’re all very good at listing statistics but the ability to translate this into business outcomes, which is the language your board understands, is what will win the day.
“Your board’s time, attention span and ability to consume ‘geek speak’ is limited, but there are steps you can take to ensure the time you spend with them matters,” Jacobsz explains.
Time for a few home truths
Is your exco one of the many that thinks their organisation is not going to be of interest to cyber criminals? If yes, then it may be time to explain clearly that every single organisation, regardless of size or business focus, is likely to experience a cyber security breach at one point or another. The reason for this is data.
If your business processes payments of any kind, for example salaries or online payments, or if you transmit or store records, or if you’re developing a cure for a dread disease like cancer, then you have information that a hacker can sell.
Ryan Kearney, executive vice-president: product development and chief technology officer of F5 Networks, advises that telling a compelling story about a security breach, preferably in your industry or locale, will help board members understand the risks here.
“Give examples from your own company. Identify critical information assets — intellectual property, sensitive customer data — and paint a picture of what would happen and what it would cost if they were compromised,” he says.
Use statistics to convince, not just frighten
There are ways to move the statistics conversation from one that leaves exco with a feeling of dread to one where they truly understanding the real potential impact to the enterprise.
F5’s Kearney says the following types of statistics could be used to educate and surprise board members:
* 73% of companies suffered at least one security breach in the past year.
* About a third of employees targeted for phishing will open fraudulent e-mails.
* More than one in 10 take the bait — and it only takes one.
* Less than two minutes can elapse from the hacker hitting send to your systems being compromised.
* Hackers are inside your organisation, on average, for at least four months before they’re discovered.
* Web apps are the number one entry point for breaches.
“As the C-suite leader in charge of cyber defence, it is up to the CISO to explain the impact of this to the board,” says Jacobsz. “This is the point where you should be talking in terms of tangible and intangible losses, which are sure to resonate with them.”
Tangible costs as a result of security breaches include fines as a result of breaks in customer SLAs, revenue losses due to downtime, compliance/audit fines, potential legal fees and incident response costs, which incorporate unplanned costs for hiring third party breach experts.
Less immediately obvious damage could include issues like the impact a breach could have on your company’s brand; existing and potential customer perception/loss; the loss of your competitive advantage and even the potential for the board’s personal reputation being affected.
Introduce security awareness to the company culture
If you talk of such things around the braai, you might have heard somebody complaining about how their company doesn’t allow Dropbox or Wetransfers — how archaic, right? Wrong, says Jacobsz.
“These policies are enforced because someone, somewhere along the lines, opened a mail, clicked on a Dropbox link and downloaded a file from an unknown, untrusted source resulting in a cyber security breach. But this can be avoided. A secure business is one where everyone is educated about threats and does their part to reduce risk.”
F5’s Kearney agrees, saying it starts with rigorous and repeated training and continues with individual buy in.
Furthermore, as a key participant in creating the company culture at the outset, the board members themselves must also be challenged to champion efforts that have no received budget approval, he says.
“You have done your homework and secured funds for some of your efforts but if you have risk areas that need addressing but have no budget allocation, board members need to know this and either accept the risk or champion a solution. There’s no better way to get something accomplished than by saying the board requested it get done.”
Discuss incident response and cyber insurance
As mentioned earlier, the likelihood of organisations remaining untouched by security breaches is minimal. Being prepared is the best line of defence, and employing the services of a good incident response firm is the first step.
The second is considering options in cyber insurance, which is the fastest growing insurance in the world and is projected to grow by 300% from $2,5-billion today in annual premiums by 2020. Here, show your work and do the maths for your board — calculate how much your business can absorb and insure the rest.
“Use your board-facing time wisely,” says Jacobsz. “Make sure you prioritise and focus on the top cyber risks bringing solutions to the table. Above all, demonstrate your burning issues in small, easy to digest chunks. Do this and you and your boards will soon be singing in harmony and protecting the company at the same time.”