Spencer Young, Regional Vice President EMEA at Imperva
2018 turned out to be a significant year for cybersecurity, with breaches and attacks making the news far too often. In fact, a recent report released by the Department for Digital, Culture, Media and Sport reveals that over four in ten businesses (43%) in the UK experienced a cybersecurity breach or attack last year. The same report goes on to highlight that, despite the growing number of cybersecurity threats and attacks, fewer than three in ten businesses (27%) have formal cybersecurity policies in place.
While this discrepancy is worrying, it also shines a spotlight on why business leaders have yet to fully embrace the value of cybersecurity.
Although we’re in the era of digital transformation, many organisations are looking for guaranteed returns from their technology investments. Therein lies the problem: with increasingly tight budgets, senior leaders’ view of cybersecurity systems is currently framed as insurance. So, how do we shift this mindset so that senior leaders can better understand that the value of protecting business-critical data extends far beyond just covering your assets?
Cybersecurity and the board
In recent months, we’ve seen the introduction of new regulations such as the EU’s GDPR, as well as constantly shifting privacy laws in nearly every geography. While considerable effort is required to prepare for these new compliance landscapes, they are putting security strategy decisions at the top of the priority pile for boards and exec teams.
Board members, in particular, are responsible for establishing good governance practices and policies for driving better financial performance and growth. For this reason, it is vital that they have a comprehensive view of their organisation’s cybersecurity strategy, and the required level of investment for buying down their risk.
Where cybersecurity may previously have been considered one subset of operational IT, a cursory glance over the press clippings of recent years will have alerted board members to the real challenge. A growing number of business leaders are awakening to the fact that a data breach is all but inevitable. What they need to know is how they can limit the scope of damage from a data breach with the right level of investment.
Step 1: Making the case to senior leadership
As the levels of liability for failing to govern risk and protect critical data are transferred from the IT department to senior leadership, these leaders need a quantified measurement of risks including:
- Compromised customer data
- Diminished brand and reputation
- Loss of investor and consumer confidence and loyalty
- Stolen sensitive intellectual property
- Compliance and regulatory sanctions
- Business disruptions
Step 2: Assessing the current situation
Once these risks are quantified, due diligence will require leaders to assess the steps their partners and competitors are taking to avoid exposure. Relationships with technology suppliers and lenders then become less transactional and more like long-term advisory partnerships, as these parties are best placed to provide advice on the current trends within your marketplace.
Step 3: Do a complete audit
The next step requires you to conduct a thorough inspection of your current security posture.
This involves understanding where your critical data currently resides, who requires access to it and more critically, who actually has access to it. While it’s a drum we beat perpetually at Imperva, many leaders don’t understand the risks of a potential data breach by careless, compromised, and malicious insiders. Not all data assets carry the same level of risk, and not every employee should be given carte blanche access to all organisational data.
While this may be time-consuming, leaving no stone unturned at this stage of the audit will give you a clear understanding of where your security measures currently stand and will benefit you greatly in the long run.
Final step: Determine the right investment for your business
By appraising your data assets in terms of their value and risk, you can then begin targeting your investments towards timely threat detection and incident response.
No matter the time and effort invested, it is important to remember that data breaches are inevitable.
Framing this approach as a risk/reward equation and using a tiered security approach ensures that your organisation can protect high-value targets that would cause significant harm if they were compromised.
At the very least, senior leaders need to be made aware of the growing threat they face every day from external cyberattacks and internal data breaches. A single breach has the potential to irreparably damage the financial condition of even the most successful business, and to ruin the careers of the leaders involved. Rather than packaging your cybersecurity spending rationale within IT investments, it really needs to be highlighted as a high-level risk mitigation strategy.
About the author:
As the Regional Vice President of EMEA at Imperva, I’m dedicated to helping IT security professionals realise tangible business value from their security technology, by delivering meaningful and actionable insights to Data and Application activity. If you’d like to have a discussion about how you can begin building a business case for IT security investments that provide real and measurable benefits to your business.