Given the recent spate of headline-grabbing data breaches, CIOs need to be prepared to answer a lot of board questions about risk.
By Michael Friedenberg, CIO Magazine
This will be the year when cybersecurity concerns crash the boardroom party and take a seat at the head of the table. The aftershocks of significant data breaches at Anthem, Sony, Home Depot, eBay, JPMorgan Chase, Target and many more have caused headline-grabbing business upheavals that worry customers, affect profit margins and derail corporate careers.
This sharpening of cybersecurity focus has forced corporate boards to have conversations they once considered too technical and back-office-oriented. Now it's all about business risk assessment, not firewalls or data loss prevention tools. How prepared are you to have these discussions with the CEO and the board of directors? What are the most important questions you should be ready to answer? Here are a few to consider:
- What actions are we taking to protect the company from the high risks associated with cybersecurity incidents?
- What is our specific plan to address cybersecurity across our business? Are our employees properly updated and trained?
- If (or more likely when) a breach occurs, what is our response plan? (Internal and external.)
- Do we have the right security talent on board? Are we structured properly to avoid (or reduce the impact of) a breach?
- Have we quantified our risk exposure? (Both hard and soft costs?)
In a 2014 report titled "Risk and Responsibility in a Hyperconnected World" from the World Economic Forum and McKinsey & Co., the total economic cost of ineffective security was projected to top $3 trillion globally by 2020. That's a staggering but unfortunately plausible number. So if there's no question that cybersecurity breaches can devastate the bottom line, why haven't more companies acted to deal with it more effectively?
Should chief security officers report to CEOs instead of CIOs? Our own research, the annual Global State of Information Security Survey conducted by CSO, CIO and PricewaterhouseCoopers, suggests that they should. Our survey of more than 9,000 respondents worldwide found that companies with CSOs reporting directly to CEOs or boards had notably less downtime and smaller financial losses after cybersecurity incidents.
Isn't it time to upgrade cybersecurity to a board-level risk management discussion, not just occasionally but consistently?
What are you waiting for?