Talking Security Strategy: Cybersecurity Has a Seat at the Boardroom Table

Talking Security Strategy: Cybersecurity Has a Seat at the Boardroom Table

Cybersecurity is no longer a fringe issue for businesses. What was once a siloed function, there out of necessity more than anything, is now woven into the fabric of any successful business. Any business still treating its cybersecurity initiatives as a side project is setting itself up to fail.

The Security and Exchange Commission (SEC) has laid to rest any doubts about the importance of cybersecurity with new regulations around how boards of directors should approach it. The regulations, which are in the process of being finalized, will require companies to openly report any serious cybersecurity attack and explain who on their board is responsible for dealing with it. The regulations also will require businesses to include board of directors’ cybersecurity experience and credentials as part of any public disclosure. This is yet another indication of how integral cybersecurity is becoming to modern business operations.

Growing Downtime Costs

In 2021, more than two-thirds (66%) of businesses were hit by a ransomware attack, according to a survey by Sophos. That’s a 78% increase from the previous year, with damages incurred totaling costs of around $20 billion. These costs aren’t just down to ransom payments, but also include the downtime and disruption targeted businesses endure. In the Information Technology Industry Council’s Hourly Cost of Downtime Survey, more than 40% of companies reported that hourly downtime costs ranged from $1 million to $5 million USD, not including any legal fees, fines, or penalties — which publicly traded companies who fall short of cybersecurity standards can be subject to.

The evolving threat landscape — combined with new regulatory frameworks like that put forward by the SEC — means that cybersecurity cannot be an afterthought or a bolt-on. It must be core to business operations, and that means it needs a seat at the boardroom table. However, according to a recent analysis of data by the CAP Group, 90% of boards are not ready for the new SEC cyber regulations.

Failure to Prepare Is Preparing to Fail

The cybersecurity ecosystem has progressed in leaps and bounds in recent years. Once a siloed function of business, using reactionary tactics to chase down and isolate threats, it now has a proactive, networkwide presence that often leverages threat intelligence, penetration testing, and AI to bolster cyber resilience. However, most cybersecurity teams are still heavily focused on addressing technical-level threats, which are then used to inform security policy and mitigate risk. This leaves a gap of understanding between security teams and those authoring policies and making decisions higher up the chain.

This gap is a vulnerability. Most cybersecurity teams lack the tools or functionality needed to contextualize threats in a way that can be acted upon by other business, operational, and financial personnel. If this “disconnect” between business objectives and cyber resiliency continues, businesses will leave themselves exposed regardless of how thorough their cybersecurity initiatives are. 

Closing the Communication Gap

It’s the responsibility of chief information and security officers to evaluate threats and understand to what extent they might threaten their organization, so that action can be taken in line with new security regulations. This means that threats need to be contextualized and communicated as part of an overall enterprise risk management strategy involving finance, compliance, operational, and management teams, as well as board members. 

To achieve this, CISOs will need to step out of their technical jargon comfort zone and communicate threats and their potential impact to other C-suite executives in a way that can be easily interpreted and understood.

This will mean evolving security initiatives into broader risk-mitigation initiatives. Machine learning-powered risk mitigation can play a significant role in helping businesses contextualize cyber threats. By analyzing large volumes of data and detecting patterns that may not be immediately visible to human analysts, machine learning algorithms can identify potential security threats so that businesses can take proactive measures to deal with them.

For example, machine learning algorithms can analyze user behavior data to identify patterns that deviate from normal usage patterns, such as repeated failed login attempts or access attempts from unusual locations or devices. By identifying these anomalies, businesses can take proactive measures to identify a potential attack, such as locking user accounts or implementing additional authentication measures. 

Another area where machine learning can be useful in the context of cyber-threat mitigation is in predicting the likelihood of future attacks. By analyzing historical attack data and identifying common characteristics of successful attacks, algorithms can identify potential attack vectors and help businesses prioritize their security efforts accordingly. This might involve analyzing patterns in the frequency and severity of attacks, as well as the methods and techniques used by attackers. This information can then be used to develop predictive models that can help businesses anticipate future threats and take measures to not only mitigate them, but identify and communicate about them with those at the top.

It’s vital that publicly traded companies have a firm understanding of their risk posture and vulnerability. With directors now being held responsible for their company’s cybersecurity infrastructure, it’s even more vital that director-level teams can quickly and easily understand this vulnerability and any potential breaches. This can be achieved through a combination of new, machine learning-powered solutions, advisory hires that can “translate” and parse the potential fallout of threats, and CISOs taking a more consultative and advisory approach in how they deal with cyber threat resilience.

Cybersecurity is no longer a fringe issue — it has a seat at the boardroom table, and if businesses can’t fill that seat, they need to make sure the person sitting there is as well-informed as possible.