Breaches are happening more often. In 2023, the number of reported breaches neared 3,000, compromising more than eight million records. And that’s just the ones we know about. There could be an active, undetected attack happening right now that leads to the next Target or Equifax or LinkedIn.
Even when security is “doing its job”, it’s not a guarantee that a company is 100% secure. Security teams are stopping millions of attacks each year, but that’s not what grabs the attention of investors, boards, and the media. It just takes one attack slipping through for a company to make headlines and become a case study the rest of us learn from.
What we’ve learned from these high profile breaches is that a successful attack rarely comes down to just one person or one misconfigured technology. It’s typically a combination of factors, something the House Oversight Committee described as a “culture of cybersecurity complacency” in their report on the 2017 Equifax breach. They noted a “lack of accountability and management structure” within the IT department and “complex and outdated IT systems” that were a result of aggressive growth strategies.
Striking the balance between business and security needs is not necessarily a new problem, but it is getting more difficult. In response to global economic trends and events like the Covid-19 pandemic, organizations have adopted new technologies and ways of working to become more agile and innovative. Often this comes at the expense of security, which may be viewed as a roadblock rather than business partner that it should be.
Changing the perception takes a realignment of expectations around security, and more importantly, risk. It would be irresponsible to expect perfect security just as it would be to expect zero risk. Neither is realistic. Instead, the conversation should focus on risk appetite — how much risk is acceptable and how do we mitigate risk that is not? Facilitating this alignment may be new or unfamiliar territory for some CISOs. These six strategies can help you get started.
Contents
Shift from security management to risk management
In most cases, a successful breach does not come down to one single point of failure. It’s often a combination of factors — complex infrastructures, poor communication lines, vulnerable systems, misplaced priorities and investments — that creates an environment that is more susceptible to attack. In other words, these factors collectively raise the risk profile of the organization.
Senior leadership is often familiar with other types of risk management — credit risk, market risk, liquidity risk, etc. — and cyber risk should be part of that same conversation. CISOs, of course, play an important role in informing, advising and facilitating discussions about cyber risk with leadership. However, deciding how much risk the business should accept in pursuit of its goals is not the CISOs responsibility. That decision is ultimately up to the board and senior leadership team.
Read the blog: Getting started with Cyber Risk Quantification and Decisioning
Develop soft skills over hard skills
With the shift to a risk management approach, the CISO role has expanded beyond building and executing a security program and now requires more soft skills than technical. In order to facilitate risk discussions, CISOs need to be good at building relationships, and they need to be able to effectively communicate the impact of security investments and threats on the organization’s overall risk profile.
Advocate for security expertise on the board and leadership teams
In response to their breach, Equifax changed its management structure so that the CISO reported directly to the CEO. This was voluntary on their part, and though no formal regulation is in place, it has become an industry best practice.
There has also been a push for board members to have more security oversight. In 2023, the SEC adopted new rules that standardize the way companies report on cybersecurity risk management, strategy, and governance. In their annual filing, public companies are required to describe the board’s oversight of cybersecurity risks as well as management’s role and expertise in assessing and managing cybersecurity risk.
Transfer risk with cyber insurance
Many organizations have started carrying cyber insurance policies as a way to transfer some of their accepted risk to an insurer. Policies can help cover costs associated with a cyber attack or data breach, including revenue losses, fines, legal fees, ransoms, and more. Cyber insurance can be costly, so it is important to discuss with senior leadership — or a trusted advisor — how much and what type of coverage the business needs and how much can be self-insured.
Move security up in the product lifecycle
In a perfect world, strong regulations and harsh punishments would be enough to stop cyber criminals. This, however, is not the reality we face today. As the director of the CISA Jen Easterly stated, “It’s not sustainable to bend the behavior of these bad actors or arrest them. We have to take a different approach.” She advocates for secure-by-design product development where security features are “seamlessly baked in the same way you get in a car and you have a seatbelt and airbags.”
Whether by regulation or by choice, it’s critical that manufacturers and technology vendors consider security early on in the development process. This ensures security controls are embedded by default before a product is released, providing the front-line risk management that a hyper-connected world demands.
Complacency is not an option
Developing a strong security culture will be an organization-wide effort, starting with a commitment from senior leadership. It’s not something the CISO can shoulder alone. Rather, CISOs should take an active role in facilitating discussions about cyber risk and how best to mitigate it. It’s an expanded role that will require CISOs to look at security through a business lens and to develop new skills and relationships. As we’ve learned, complacency is not an option when customer data, brand reputation, revenue, and, in some cases, national security are on the line.
