It's no surprise that when businesses experience data breaches, they are subject to severe penalties. Hefty fines can be followed by loss of the business, reputational damage, lawsuits and a flurry of investigations. Fear and doubt could lead organizations to invest in numerous commercial tools. Some are mandated by compliance; others promise to solve intricate problems, many of which cannot be solved by technology alone. While we are often reminded about liability, I've found very few articles during my 15 years as an information security leader and subject matter expert that attempt to discuss leadership responsibility and good decision making.
I believe leaders have a fiduciary duty to protect sensitive company information. To that extent, risks of data breaches must be managed and mitigated, as they can seldom be completely eliminated. Keeping information available, confidential and integral is the everlasting guiding principle to good cybersecurity. The core principles remain the same, but the threat landscape is constantly changing and deserves continual monitoring.
The past few years have been marked by cyber attacks that didn't aim to extract data from servers, but instead used the servers' processing power to mine cryptocurrency. Many attacks are profit-focused, which I believe is good news for business leaders. Attackers likely will not invest more resources in a strike than the actual value of the information. If the cost of conducting an attack rises above a certain threshold, hackers might move on to business competitors that have not made significant investments in protecting their data. So I believe one way to look at your investment in cybersecurity is to never let it fall below your competitors'.
At a basic level, risk is measured as the probability of something happening multiplied by the potential impact, with each factor expressed as a value between zero and one. While this information is telling, it does not lend itself well to executive decision making without an associated remediation cost. Once the cost is mapped, findings can be divided into four quadrants: high risk and low remediation cost, low risk and low remediation cost, low risk and high remediation cost, and high risk and high remediation cost.
I believe matters that fall in the high risk, low remediation cost quadrant should be fixed as soon as possible. They are often seen as low-hanging fruit and have a high return on investment, as they require modest investments related to time, effort and allocation of budget. They can also save the company from significant brand reputation damage or interruption in operations.
In my experience, investments to remediate findings in the lower left quadrant of low risk and low cost are discretionary and should be addressed routinely according to the organization's risk appetite and established processes. Such vulnerabilities might not be required to be fixed by regulatory compliance and, if exploited, likely will not cause material damage to the organization or its clients.
The two quadrants where costs are high deserve further analysis and options. High risks that require high investments might not be able to be completely eliminated, but they can be mitigated using different approaches. One approach is to use compensating controls, such as security tools and company processes, that might help reduce the odds or the impact of a successful attack. The residual risk that is not addressed by the compensating controls might be transferred by purchasing cyber insurance.
Another plausible solution is to avoid the risk entirely. One way to do so is always to ask whether the organization absolutely needs to collect the piece of sensitive information it's collecting. Is a birth date really needed, or can the business process information use only the birth year? Is the exact customer address needed, or is just the zip code sufficient?
Last, you can accept the risk. If the risk is not a matter of "if," but "when," as most risks are in my experience, organizations should create contingency and incident response plans. A good plan involves various teams, including leadership, information security, engineering, communications, legal, compliance and customer relations, to name a few. It also includes points of contact at other companies that provide critical infrastructure, such as web services.
In recent years, leaders of big conglomerates, such as Target and Yahoo, lost their jobs or had their bonuses significantly affected by security incidents. Because of our heavy reliance on technology, cybersecurity has become a board topic of increasing importance. Leaders must pave the way to safety by leading by example and shaping their organizations' security cultures, processes and procedures. These goals can only be achieved if leaders gain a fair understanding of the issue and of how to manage the risks and investments necessary to protect their businesses.