There isn’t a CEO or board member in the world that would publicly state that their organization believes cybersecurity doesn’t matter. A Cybersecurity Ventures report has forecast that cybercrime will cost businesses worldwide an astonishing $10.5 trillion annually by 2025, so it’s an evident and sizable area of concern.
Any CEO not taking this seriously would be roundly criticized by customers, shareholders, partners, and more for such a stance. Yet is there a difference between what is said publicly by CEOs and what is actually done in private?
The volume of cyber attacks and data breaches would suggest that not everyone is as committed to cybersecurity in practice as they are in theory. That so many of these attacks are seemingly the result of sloppy bad practice would indicate that not all organizations have the robust defenses required to stay secure in the face of cyber criminals’ growing threat and professionalism.
Let’s be clear – any organization can fall prey to a cyber attack. But failing to put proper cybersecurity measures in place, and failing to ensure that people are trained to recognize and respond to attacks and breaches, is inexcusable. What can cybersecurity teams do to ensure cybersecurity matters to the board in their organization?
Communicate the potential cost of a data breach
Whether directly through a CISO or indirectly through a CIO or CTO, most organizations have some cybersecurity representation element on their board. It is vital to ensure that any engagement that results from this presence really makes its mark. It is easy to regard a cyber attack as something that happens to other organizations, so cybersecurity teams must outline what an attack or data breach would mean in real terms for their organization.
2020 Fortra research with CISOs in global banks revealed that when asked what implications of a cyber attack or data breach they fear the most, 51% said damage to brand reputation. 43% were afraid of sensitive customer data being breached, 40% were most concerned about customer-facing downtime, and 34% cited disruption to internal operations as a major issue.
Much of this is intangible – it is hard to quantify the loss of trust in a company because people see it as a brand that does not prioritize data security. But such an occurrence could be devastating to a brand, with the potential for long-term impact on the bottom line if people become more reluctant to use that company’s services or buy its products.
There is also the cost of a ransomware attack to consider. Whether an organization should ever pay a cyber criminal in this way is a moot point, but if they do, then the cost can be huge. A recent report revealed that the average ransom paid so far in 2021 was $170,404, but the broader costs are even greater.
The average cost for companies to recover from a ransomware attack is $1.85 million, more than double the 2020 figure. These costs include the ransom, plus downtime, people time, device cost, network cost, lost opportunities, and more. Making sure these potential costs are crystal clear to the board should help prioritize cybersecurity.
Calculate your cybersecurity ROI
To provide CEOs and other board members with even more cybersecurity focus, it is advisable to educate them on calculating cybersecurity ROI. Costs are obviously important to any board, so putting a figure on the likely return from an organization’s cybersecurity investment can be an effective way of making it seem more real.
This should begin by compiling any expenses incurred in mitigating the risk of a cyber attack. These would include cybersecurity staff costs, data security products, technical support, employee training, insurance, and more.
The total of these expenses can then be assessed against the potential costs of a cyber attack. These would include the lost revenue from a customer loss or a pause in operations, the loss of sensitive data, any ransomware fees, increased churn because of loss of reputation, and any additional cybersecurity costs to try and plug subsequent gaps in defenses.
The latter costs will almost inevitably dwarf the costs of mitigating risk, meaning that your CEO can clearly see the substantial ROI to be gained from cybersecurity.
Identify any gaps in your cybersecurity posture
Understanding where gaps exist in an organization’s cybersecurity posture can also help elevate cybersecurity with the C-suite. Knowing where a cyber attack or data breach is most likely to occur, and why improvements are needed, makes it easier to understand the cost of closing that gap.
This is an area in which tools such as Digital Defense’s Vulnerability Management (VM) tool can play an important role. VM refers to the continuous automated process of finding, testing, analyzing, ranking, and tracking vulnerabilities and cyber threats.
It is performed mainly by third parties (such as Digital Defense). A VM program can deliver risk reduction and damage mitigation, which are crucial tools in encouraging board members to take cybersecurity that bit more seriously.
Talking to the board
Getting a handle on costs, ROI, and areas of vulnerability can all help cybersecurity teams instigate board-level conversations about taking cybersecurity more seriously. Justifying investment in anything can be tricky – especially in the current post-pandemic era, where budgets are tighter, and there is a greater need to do more with less – so being armed with supporting data is essential.
The need to keep an organization's data secure and cybersecurity defenses tightened will only increase as the threat from cyber attacks grows and evolves. Demonstrating to the board why this is important is becoming one of the most important challenges a cybersecurity team will face. In Fortra's 2020 research, internal cybersecurity fatigue was cited as an issue by 28% of financial CISOs – don’t let this happen in your organization.