As we’ve repeatedly mentioned in our blog posts, today’s businesses are going through an incredible digital transformation – moving to the cloud, embracing the Internet of Things (IoT), implementing automation, etc. – all at a lightning fast pace. And all of this is opening them up to new and expanding cybersecurity threats that are difficult to manage.
Gartner predicts that by 2021, 60% of digital businesses will suffer major service failures due to the inability of security teams to manage digital risk. “Digital business moves at a faster pace than traditional business, and traditional security approaches designed for maximum control will no longer work in the new era of digital innovation.”
A report from Fortinet reveals that part of the problem revolves around the fact that security hasn’t been seen as a critical business problem by senior executives. But this has finally started changing. They state that there are a number of reasons why cybersecurity is becoming a business priority in 2019. Here are a few of them:
Security Breaches and Global Attacks. The vast majority of organizations have experienced some type of security breach or attack in the past two years. 49% of survey respondents said their organizations increased their focus on security following a global attack such as WannaCry. Increased publicity and attention, along with implications on brand reputation and business operations makes these Board-level issues rather than IT operational undertakings.
Potential Size/Volume of Attack. The adoption of the cloud, emergence of IoT, and growth in big data expands both the circumference of the attack surface as well as its complexity. 74% of survey respondents indicated cloud security is a growing priority for their organizations. Half say their organizations plan cloud security investments over the next 12 months. IoT is just as big a factor when it comes to the ever-expanding attack surface. The number of connected IoT devices is predicted to balloon to more than 8.4 billion by year end according to Gartner. Of these, 3.1 billion belong to businesses. As many IoT devices are difficult to protect, experts concurrently predict that more than 25% of all security attacks will target IoT devices by 2021.
Mandatory Compliance. New government and industry regulations are also increasing the importance of security. Thirty-four percent of respondents indicated that these regulations heighten the awareness of security at the Board level. Passage of the General Data Protection Regulation in the EU, which went into effect last year, is one such example.
In order for business leaders to take the necessary responsibility for cybersecurity, they need to not only understand the fundamentals of cybersecurity, but also keep up-to-date on the status of the program of cybersecurity practices within the organization. Reporting and metrics that we feel are valuable to a company's leadership team include:
Regulatory Updates. Include industry specific updates for Board members that will engage them personally, as well as the organization.
Risk Management. Provide the number of assessments completed. Include significant findings and remediation efforts, as well as exposures and associated decision-making for remediation.
Vendor/Service Provider Management. Present any contractual considerations for new vendors and any performance-related metrics for service level agreements. Let them know if there are any security concerns coming out of due diligence research, incidents or incident notifications to report, or a concentration of risk that needs be examined.I
IT Budget Considerations. Share the effectiveness of implemented technologies and propose new solutions to address any deficiencies. Present your strategic plan and any staffing needs as well.
Security Monitoring and Testing Reports. This can include penetration testing and vulnerability assessment report summaries as well as IDS / IPS metrics.
Incident Management. Report out on any significant incidents and metrics on team response. Provide any testing reports or plan improvement suggestions.
Training Activities. Provide an overview of annual end-user awareness training, IT / IS specific training, as well as periodic training reinforcement program(s) that are required.
Keeping corporate leadership engaged and active can greatly improve the cyber resilience of an organization. Making sure that they have all the knowledge they need to make informed decisions when it comes to cybersecurity will pay dividends in the end.