Why a Comprehensive and Complete Security Strategy Has to Involve Your Board and How to Get Them “On Board”
A recent survey of IT security leaders in the E.U. revealed a startling reality for those responsible for a company’s cybersecurity initiatives: they are burned out and fed up. The survey solicited 3,000 responses from security professionals across the U.K., Germany, and France, and it found that 82% of respondents felt burned out, 64% are considering quitting their job, and 63% are contemplating leaving the industry altogether.
This isn’t just a problem for the E.U., and this shouldn’t be surprising.
The first quarter of 2019 saw a 235% year-over-year increase in ransomware and trojans targeting businesses, and, increasingly, the threat landscape isn’t limited to the external threats that frequently make headlines. Insider threats pose a significant cybersecurity risk to all types of companies. For example, the healthcare industry recently identified insider threats as its most significant vulnerability.
Taken together, this digital environment can seem overwhelming for even the most seasoned IT professionals. However, they don’t have to go it alone. In the same way that true digital security requires 360-degree protection that addresses both external and internal threats, cybersecurity has to be a holistic priority, something that is embraced and prioritized, especially in the boardroom.
Indeed, getting board members to support cybersecurity initiatives is paramount when protecting the company’s digital assets, and it can help IT professionals thrive at their jobs. By virtually every measure, board member support is a critical asset. Here’s how to get them “on board.”
To be sure, cybersecurity isn’t absent from most board meeting discussions. Indeed, there is evidence to suggest that corporate boards can be the most demanding overseers of cybersecurity initiatives. A Deloitte poll found that most IT admins expect greater oversight from their board members than from government regulations.
However, their concerns tend to veer toward external threats because they are visible and can create a veritable PR disaster. Consequently, external threats receive the most attention and the most funding.
Since external threats only account for a portion of the cybersecurity threats, board members need to understand all potential vulnerabilities, which includes evaluating and mitigating the risk of insider threats.
This danger has many variations, and board members need to understand the risks of everything from accidental sharing to malicious theft.
According to McKinsey & Company, insider threats account for at least half of all corporate data breaches, and, as their analysis concluded, “companies are certainly aware of the problem, but they rarely dedicate the resources or executive attention required to solve it.”
Board members want to act in the best interest of their companies, and educating them on this often forgotten component of cybersecurity can bolster resources and help integrate better solutions to effectively secure the company’s technological infrastructure.
Unfortunately, IT security officials only need to highlight the incredible collection of data breaches perpetrated by internal threats to support their push for a more holistic approach to data security.
In every category, data breaches have increased consistently since 2005, and today they are more bombastic than ever before. Head-turning, headline-making breaches at Yahoo, Equifax, and Marriott have set the tone for today’s dangerous digital environment. Meanwhile, the digital landscape is littered with companies whose own employees perpetrated the cybersecurity incident.
What’s more, the cost of a data breach is increasing as well. Today, a data breach will set a company back nearly $4 million, a staggering number that doesn’t even account for the reputational cost that can have cascading consequences for any company.
With privacy laws like Europe’s GDPR taking effect around the world, the costs of failure will only increase with time. Making board members aware of the cost of inaction can be a powerful argument when trying to secure needed resources and upper-level support.
While no industry is immune to the risks posed by insider threats, some are doing a better job than others at alleviating the problem.
In general, financial services, healthcare, and government agencies have been ahead of the game when it comes to combating insider threats. Each of these sectors is governed by data security laws that require them to be proactive about protecting their customers’ data. These sectors are early adopters of effective cybersecurity best practices, making them a model for others to follow.
To put it simply, insider threat prevention can be a taboo subject. Nobody wants to consider their own employees to be a risk, and, in some ways, it can seem to reflect poorly on managers and other personnel.
Fortunately, when these bottlenecks are removed, real solutions do exist.
In an exhaustive report on the growing problem of insider threats, Verizon’s Insider Threat Report promotes a two-pronged approach to data security. First, companies should follow the lead of successful industries by reducing risk wherever possible: restrict access to sensitive information and monitor user behavior for suspicious activity.
At the same time, prioritize detection and response so that, if a data breach occurs, your company is ready to respond appropriately.
By presenting proven best practices to the board room, IT professionals can get the support they need to provide the company with 360-degree cybersecurity coverage.
The solution for 2019 and beyond lies not in a product but in a strategic approach and consistent methodology that aligns with organizational priorities and accounts for the entirety of the data management life cycle from preventing threats to auditing risks, documenting actions, and more.
Most importantly, if IT security leaders are going to be successful at their job, they need the support of the entire organization, something that starts with getting the board “on board.”
By educating board members about today’s complex digital environment, by illuminating the risks of a data breach, and by providing existing models for success, it’s possible to gain their support and the resources necessary to prevent your company from being a part of this growing and troubling trend of data loss events.
This is a Security Bloggers Network syndicated blog from RSA Conference Blog authored by Alp Hug. Read the original post at: http://www.rsaconference.com/blogs/tell-your-board-protecting-data-is-a-bottom-line-issue-in-2019