Modern organizations no longer see cybersecurity as solely an IT department problem. As these groups have witnessed the major data-breach disasters of the past several years — not to mention the recent WannaCry ransomware incident — the issue has reached a tipping point, and major decision-makers at American businesses are acknowledging the seriousness of cyber threats to their companies.
Whether the recognition of the issue has translated into meaningful action is another story.
According to recent research, many top executives have pledged to maintain, rather than enhance, their cybersecurity programs. While they may understand that hackers, malware programs and insider threats are worthy of consideration in board meetings, many have yet to be convinced that they need to increase their investment in programs that combat them.
Analysts are taking note of the lack of cybersecurity action on the part of corporate boards, and are considering the ways that security leaders can more effectively make their case for improvements.
Panelists at the MIT Sloan CIO Symposium recently took up this question. Ultimately, these experts pointed to a number of specific measures that can communicate the value of cyber risk mitigation, and they generally called for ongoing efforts to educate board members and other top decision-makers.
While CISOs have generally attempted to frame value conversations around ROI models, the MIT panelists suggested that alternatives could be more effective.
In ransomware cases, for instance, McKinsey partner James Kaplan suggested that estimates of downtime could be a persuasive metric. Christopher Porter, Vice President and CISO at Fannie Mae, noted that a substantial breach of 1 million records at his organization would result in $20 million in costs for compulsory credit monitoring services.
All panelists agreed that continued reinforcement of cases like these could help to persuade the board to action.
Perhaps the component still missing in this equation is the likelihood of a breach or the level of vulnerability an organization actually faces. This information can be supplied without a substantial cost to the organization through a third-party cybersecurity vendor.
Lunarline regularly assists organizations in assessing their risk and vulnerability so they can define programs tailored to them. For more information on the services we provide, contact us online today.