Is the Cybersecurity Critical for Business Executives?


Making sense of information security is a challenge in and of itself for business executives, and deciding whether or not your organization is vulnerable is, to put it mildly, daunting. Today, the majority of boardrooms include some form of information security representation, and many businesses expect cyber risks to be articulated, whether by an IT director, a CISO, or technical staff. However, many board members leave these presentations with only a limited understanding of the actual risks and threats involved. Technical presentations that go into great detail about system vulnerabilities, network anomalies, and suspicious events add little value to executives making operational and financial decisions.

In March of last year, AI-driven security tooling detected sophisticated, targeted cyber and ransomware attacks against multiple businesses that exploited a zero-day vulnerability. The AI detected, investigated, and contained the attack and determined that it was an entirely novel threat. Within two weeks, the campaign was publicly attributed to APT41, a Chinese nation-state actor. The attack targeted government entities, critical infrastructure, large companies, and, perhaps surprisingly, midsize businesses.

We have entered a new era of cybercrime. If cybercrime were a country, it would be the world's third-largest economy, behind the United States and China. Midsize businesses are frequently viewed as a soft target: cybercriminals assume they have taken only preliminary steps to strengthen their cybersecurity, which makes them attractive. As with APT41, they are frequently used as a launching pad for attacks on higher-value targets, critical services, and highly classified information. Most midsize businesses are planning to implement, or have already implemented, the broad, technology-driven organizational changes that define a digital transformation, and an increasing majority believe these changes will soon become critical to their competitiveness.

However, the cyber threat facing midsize businesses is multifaceted. They are under-resourced and disproportionately impacted by the global shortage of cyber skills. Small or non-existent cybersecurity teams are tasked with defending the business against a broad range of cyber threats, from advanced, novel, and targeted campaigns to lightning-fast smash-and-grab attacks, all while managing employees across jurisdictions and a complex digital infrastructure. The challenge extends beyond adequate resources: the threats these organizations face are too fast or too stealthy for humans to handle alone, and the number of new entry points for attackers is growing at a rate that security teams cannot keep up with.

It is long past time for information security professionals to speak the language of business executives. There must be a short and unambiguous methodology for tracking key performance indicators and accurately depicting the threats and risks such organizations may face, along with their implications for the business. Executives make the strategic and operational decisions that shape, drive, and grow the organization, and information security professionals are on hand to assist with those missions. As a result, executives, board members, and information security departments share responsibility for setting the table with quantifiable objectives and repeatable risk thresholds. Cybersecurity experts recommend everyday language such as the following to build that bridge and convey the critical nature of cyber risks that might otherwise go unnoticed:

Critical Risk: Likely to cause irreversible damage to the business, result in significant financial loss, or significantly tarnish the brand image or consumer confidence. Critical cyber risks are occasionally irreversible. Consider critical security flaws that would almost certainly result in a widespread ransomware attack that the company's backups would be unable to recover from.

While less likely to happen, the adverse effects could result in irreparable damage to the organization and financial loss that could be fully covered by cyber insurance, and would necessitate attention to product marketing and consumer confidence.

Moderate Risk: While an adverse event is improbable, if it does occur, it will require a moderate amount of attention to correct, eradicate, or otherwise mitigate. Financial loss, brand health, and consumer confidence are unlikely to be impacted.

These are illustrations of the language that can communicate risk to executives and establish decision-making thresholds. It is important to remember that not everything is critical, and businesses, unless they are cybersecurity companies, have a mission other than information security.

Corporate leaders and information security professionals should collaborate to develop a common language and shared metrics, thresholds, and decision points. The first time these two parties speak should not be during a crisis. Business leaders must take the following steps to reintroduce this conversation and establish a framework for expectations, accountability, and regular updates:

Determine the security standards that your organization will adhere to. CIS 18, SOC 2, ISO 27001, and NIST are all excellent starting points. Business leaders and security professionals should agree upon this together.

Conduct a security assessment to determine the current state of security. I highly suggest that an independent security firm conduct this assessment to ensure that the results are objective and viewed from a different perspective.

Make recurring meetings (monthly, quarterly, etc.) a required and regular habit. Hold one another accountable, establish goals, and achieve them. This is the security department's chance to communicate risks, articulate successes, and sound the alarm when something is seriously wrong and requires attention.

Signs and symptoms. All too frequently, cybersecurity becomes a topic of conversation only during 911-style emergencies. The security department must be capable of detecting and responding to security events before they escalate into data breaches or complete intrusions. When the elephants in the room are identified, address them. Risks must be discussed and remedied expeditiously.

Business people and information security representatives must become acquainted, communicate frequently, and speak a common language. Determine and define your organization's risk tolerance and cyber-resilience, and then confront threats head-on.
