There isn’t a CEO or board member in the world who would publicly state that their organization believes cybersecurity doesn’t matter. A Cybersecurity Ventures report has forecast that cybercrime will cost businesses worldwide an astonishing $10.5 trillion annually by 2025, so it’s an evident and sizable area of concern.
Any CEO not taking this seriously would be roundly criticized by customers, shareholders, partners, and more for such a stance. Yet is there a difference between what is said publicly by CEOs and what is actually done in private?
The volume of cyber attacks and data breaches would suggest that not everyone is as committed to cybersecurity in practice as they are in theory. That so many of these attacks are seemingly the result of sloppy practice would indicate that not all organizations have the robust defenses required to stay secure in the face of cyber criminals’ growing threat and professionalism.
Let’s be clear – any organization can fall prey to a cyber attack. But failing to put proper cybersecurity measures in place, and failing to ensure that people are trained to recognize and respond to attacks and breaches, is hard to justify. What can cybersecurity teams do to ensure cybersecurity matters to the board in their organization?
Communicate the Cost & Complexities of a Data Breach
Whether directly through a CISO or indirectly through a CIO or CTO, most organizations have some form of cybersecurity representation on their board. It is vital to ensure that any engagement resulting from this presence really makes its mark. It is easy to regard a cyber attack as something that happens to other organizations, so cybersecurity teams must outline what an attack or data breach would mean in real terms for their own organization.
According to Steven Sim, Global CISO for a global logistics company, president of ISACA Singapore and chair of OT-ISAC's Executive Committee, what keeps him up at night is “. . .the risk of having a very sophisticated threat actor that could potentially dwell and lurk within a network without notice for a prolonged period, exfiltrating data from the company." And many CISOs would agree that the residual impacts of a breach such as the one that Sim alludes to can be lengthy and brand reputation can hang in the balance as a result, with a potential for long-term effects on the bottom line if people are more reluctant to use that company’s services or buy its products.
There is also the cost of a ransomware attack to consider. Whether an organization should ever pay a cyber criminal in this way is a moot point, but if they do, then the cost can be huge. According to IBM's recent data breach report, the average cost of a ransomware breach was $4.54 million in 2022. On average, recovering from a ransomware attack costs $1.85 million, including the ransom plus downtime, people time, device cost, network cost, lost opportunities, and more; and most of those who make the payment only get 65% of their data back. Making sure these potential costs are crystal clear to the board should help prioritize cybersecurity.
Calculate Your Cybersecurity ROI
To provide CEOs and other board members with even more cybersecurity focus, it is advisable to educate them on calculating cybersecurity ROI. Costs are obviously important to any board, so putting a figure on the likely return from an organization’s cybersecurity investment can be an effective way of making it seem more real.
This should begin by compiling any expenses incurred in mitigating the risk of a cyber attack. These would include cybersecurity staff costs, data security products, technical support, employee training, insurance, and more.
The total of these expenses can then be assessed against the potential costs of a cyber attack. These would include the lost revenue from a customer loss or a pause in operations, the loss of sensitive data, any ransomware fees, increased churn because of loss of reputation, and any additional cybersecurity costs to try and plug subsequent gaps in defenses.
The latter costs will almost inevitably dwarf the costs of mitigating risk, meaning that your CEO can clearly see the substantial ROI to be gained from cybersecurity.
Gauge the Gaps in Your Cybersecurity Posture
Understanding where the gaps in an organization’s cybersecurity posture lie can also help elevate cybersecurity with the C-suite. Knowing where a cyber attack or data breach is most likely to occur, and why improvements are needed, makes it easier to understand the cost of filling that gap.
This is an area in which tools such as Digital Defense’s Vulnerability Management (VM) tool can play an important role. VM refers to the continuous automated process of finding, testing, analyzing, ranking, and tracking vulnerabilities and cyber threats.
It is performed mainly by third parties (such as Digital Defense). A VM program can deliver risk reduction and damage mitigation, both of which are crucial in encouraging board members to take cybersecurity that bit more seriously.
Talking to the C-Suite
Getting a handle on costs, ROI, and areas of vulnerability can all help cybersecurity teams instigate Board-level conversations about taking cybersecurity more seriously. Justifying investment in anything can be tricky – especially in the current post-pandemic era, where budgets are tighter, and there is a greater need to do more with less – so being armed with supporting data is essential.
The need to keep an organization's data secure and cybersecurity defenses tightened will only increase as the threat from cyber attacks grows and evolves. Demonstrating to the Board why this is important is becoming one of the most important challenges a cybersecurity team will face.