Must Be a Boardroom Priority
Posted by - Robert Erwin, Marketing Director
When I was on the road frequently, attending security and general IT events 2-3 years ago, the general urgency and tone on security concerns was different from today. In those days, when talking to CIOs about data breaches and potential losses, they admitted the need and agreed it was a concern, but the urgency just wasn’t there. Replies would often be, “Yeah, I’ll ask my security guy what he thinks.” It reminded me of being a California resident and having a home inspector explain the need for foundation reinforcements to protect against earthquakes – one sees the value, because the damage could be devastating, but the project sounds expensive and complicated and I’m pretty sure it will never happen to me.
When talking to customers and analysts at RSA this week, it’s clear that today’s cybersecurity urgency has risen to a much higher level, and it’s great to see. In fact, it’s rising so much that many are urging that cybersecurity be brought into the highest-level conversations, including inside the boardroom.
But despite this rapidly ascending urgency, too often we hear CIOs or even CEOs talking about cybersecurity as if it were an insurance policy. They seem to assume that since they haven’t had an incident yet, they’re not a prime target and they’ll deal with it when and if it happens. That attitude is what concerns former Secretary of Defense Leon Panetta, who spoke at a cybersecurity roundtable at RSA and mentioned how he worries it will take a disastrous attack to get leaders to take cybersecurity seriously enough. As Panetta said, “That’s why it (cybersecurity) has to be lifted up to the level of the CEO and the board of directors. Until we are able to raise that level of awareness, we’re going to wait until crisis drives the process.”
Here are 5 reasons that cybersecurity needs to be a top priority, and it must start with top-down buy-in from the CEO:
- It’s no longer a matter of IF your defenses will be breached, but WHEN. 2-3 years ago it was still assumed that preventive security (SWG, IPS, sandboxing) could stop the majority of attacks, and US security vendors were busy arguing over who could stop more attacks – whether it was 97% or 99%. But today, given the incredibly sophisticated and stealthy nature of attacks, most agree that stopping 100% is unrealistic.
- Data breaches have devastating consequences that impact the bottom line. They are the result of both direct and indirect costs that can affect an organization for years. According to a Ponemon report from 2014, the average cost of a data breach is $3.2M – up 15% from the previous year. Costs include directly engaging forensic experts, outsourcing hotline support, free credit monitoring and the harder-to-measure costs such as customer attrition and damaged reputation.
- No industry is exempt from attacks. While all of us agree that regulated industries with large amounts of sensitive information, such as healthcare, finance and energy, are major targets, the data shows that attacks on other industries are on the rise. The recently published Verizon Data Breach Investigations Report shows industries such as retail, public sector, education and professional services are experiencing an increase in cybersecurity incidents and confirmed data loss.
- No size of company is exempt. Though SMBs may feel somewhat exempt from attack, since the headlines are dominated by marquee-level breaches, statistics show they are popular targets for cyber criminals, who consider small to mid-size organizations low-hanging fruit. One security vendor’s study found that 71% of the breaches in 2014 were against SMB organizations. Just because attacks on SMBs don’t make the front pages doesn’t mean they’re not happening. You can’t assume your organization is too small to be a target.
- There are major security gaps on the vendor side that are leaving most organizations vulnerable. With leading organizations adopting new technologies every day, we’re definitely upping our game and increasing our ability to protect against data loss. But even when I talk to F500 enterprises with 14 layers of security, many are still unaware of the security gap in their networks. This gap is between when they get an active malware infection and when it is discovered. We call this window dwell time, and current research puts the average at 205 days. That’s a decrease from last year’s average of 229 days, but when 80 million records have been transferred out of your network illegally, I’m betting the 24-day improvement won’t be much comfort. That’s why new technology that can analyze data movement and contain data transfers, even before an infection has been detected, will be critical to closing this gap and minimizing data loss.
Going back to my original earthquake analogy, what if we experienced thousands of earthquakes a day, like we do with cybersecurity attacks? We’d use every tool and build every reinforcement possible to protect our homes. So let’s keep building cybersecurity awareness until it rises to the top of our organizations and receives the priority it deserves.
Read about iboss in RSA coverage of top technology tools from the recent show.