Given the eye watering costs that can be incurred when security doesn’t do its job, Ricky Magalhaes, head of the Offshore Security Services Division at Logicalis, looks at the steps CIOs can take to avoid data breaches in the first place – and, identifies the five cyber security questions a board might ask a CIO.
Google “data breaches” and in the news you will find daily reports of companies of all shapes and sizes suffering from data losses – and, make no mistake, these breaches are serious. According to IBM the average cost you could be facing is $4 million. It’s no surprise, given the scale of the risk, that cyber threats and data security are now firmly on the boardroom table. For CIOs, however, this serves to raise the stakes - picture explaining multi-million losses to a board that is already in the picture when it comes to data security risks...
CEOs on board
According PwC’s 2015 Global CEO Survey 61% of CEOs are concerned about “cyber threats, including lack of data security”. Cyber security ranked third in terms of strategic importance (78%), just behind mobile technologies for customer engagement (81%) and data mining and analysis (80%). And over half (53%) of those CEOs reported cyber security as being “very important” strategically.
Top executives are getting involved: The PwC 2016 Global CEO Survey reported a double-digit increase in board participation in most aspects of information security, while 46% of CEOs stated they participate in information security budgets.
For the CIO, the increased importance placed on IT security by business leaders means being prepared to answer a lot of their questions about risk. Michael Friedenberg, President and CEO of IDG Communications, lists five security-related questions CIOs should expect from the board:
- What actions are we taking to protect the company from the high risks associated with cyber security incidents?
- What is our specific plan to address cyber security across our business? Are our employees properly updated and trained?
- If (or more likely when) a breach occurs, what is our response plan? (Internal and external.)
- Do we have the right security talent on board? Are we structured properly to avoid (or reduce the impact of) a breach?
- Have we quantified our risk exposure? (Both hard costs and soft?)
Cyber security is now a business issue and CIOs need to be able answer CEOs’ questions in the ‘business’ language of cost and risk. It is vital that these discussions are focused on the risks and costs to the business of a security or data breach, as opposed to the technology required to minimise the risk. Today’s CIO needs to have expertise not only in security but also risk management, corporate governance and overall business objectives.
Overall, this deepened executive involvement is of course good news. It has the potential to improve cyber security practices in numerous ways, including the identification of key risks, helping to foster an organisational culture of security, and better alignment of information security with overall risk management and business goals.
CIOs can add real strategic value to their organisations by having frequent, productive conversations around cyber risks with business executives and overseeing the effectiveness of controls deployed to mitigate them.
In other words, if they are to avoid the risk and cost of cyber threats and data breaches, CIOs must take a business-centric approach to security.
You can learn more about the importance of a business-centric security strategy, and the steps to implementing such a strategy in your organisation, by downloading our whitepaper: ‘Security in a world with no perimeters: a business-centric security architecture’.