At many companies, corporate boards hold the keys to cybersecurity spending in a post-pandemic world. Today, with the rise in cybercrime, CISOs and other security executives need to communicate the value of cybersecurity to business continuity and corporate reputation to convince the board that now is the time to invest more — not less — in this area, from staff to technology.
Making the Case for Cybersecurity
The coronavirus pandemic has forced organizations to slash costs, through layoffs, furloughs, reduced salaries, spending freezes, and other actions. In some cases, these reductions have extended to cybersecurity, possibly putting organizations at greater risk from existing and new threats.
Security leaders need to demonstrate to boards that their organizations actually need to invest more in processes and tools — rather than making cuts — in order to better safeguard information assets. As part of their pitch, security executives must clearly explain what could happen if the organization decreases spending on security or reduces staff. New threats are emerging all the time, and many security professionals are already overworked because of skills shortages.
The last thing companies need is to hamper their ability to defend themselves against attacks, known or unknown, leaving themselves vulnerable and creating risk — and costing them down the road. Earlier this year, Chief Judge Thomas W. Thrash, Jr., in the Northern District of Georgia, Atlanta, ordered Equifax, which suffered a data breach in 2017, to spend an additional $1 billion to “strengthen its cybersecurity posture and ensure history doesn’t repeat itself.”
The Ripple Effect of a Data Breach
In recent years, corporate boards have come to appreciate the importance of strong cybersecurity, in large part because of high-profile attacks against some of the world’s best-known companies. In many cases, these assaults led to material damage against these businesses.
As noted in a recent report by the Internet Security Alliance and the National Association of Corporate Directors, “a cybersecurity incident at an organization can no longer be looked at as a mere IT problem. Rather, these incidents represent potential business losses, either realized or unrealized, that must be treated with the same vigilance as more traditional vectors of business disruption and loss of profit.”
Furthermore, in an increasingly connected digital world, an incident or breach at one organization might ripple across supply chains and even industry sectors, the report says, and in some cases result in major structural damage to the nation.
Despite the emphasis on systemic risk and advanced persistent threats, cybersecurity basics still matter a lot, the report says. Basic hygiene is lacking, including simple controls such as backing up systems, patch management, and network segmentation. In ensuring the adoption of these cyber essentials, all organizations have some role to play.
Although the pandemic has had a major negative impact on the economy, the sense of urgency at the board level for robust cybersecurity cannot be allowed to fade into the background. And it’s up to CISOs, CSOs, and other leaders in the field to make sure that does not happen. Remember too that there are other key staff members instrumental to your company’s business continuity and success, from legal and communications to IT and HR, who can help you make your case.
Karen Burke is the Director of Corporate Communications for Farsight Security®, Inc..
