The how and why of selling cybersecurity to the boardroom

If statistics take their inevitable toll, you will be a victim of fraud.

Because of that, both businesses and consumers can benefit from these privacy and security tips.

With cyberattacks a real and growing reality, cyber defense, security and compliance must expand and become more effective. Real leadership is called for in order to thrive in a web- and data-centric world.

Studies show that chief information security officers and chief information officers report that up to 80% of their board of directors have yet to see and understand their cybersecurity strategy in the last year.

In order to help mitigate damage from breaches and other exposure, tech, legal, business and compliance leaders must help boards understand cyber protection.

Here are efforts and suggestions to help your team build a culture of security.

Twelve cybersecurity tips from four Cleveland experts


From data center facility-based cloud operator Kevin Goodman, managing director and partner, BlueBridge Networks:

It is said that more data and information was generated in 2012 alone than all of the previous 5,000 years. If this is true, we must be more vigilant in our practice around privacy and security. The digital era requires that we take the time and effort to instill practices both proactive and reactive, strategic and tactical, while including robust cultural practices, policies and procedures. We must combine these energies in our day-to-day logistics around privacy and data security.

Be quick to outsource to providers who are third-party audited and hold various certifications; do not run a cyber-shop on your own and without expert consultation and regular updates. Anti-virus companies offer software that will scan your website for malware and alert you of any breach. Entrepreneurs and consumers both could consider using security as a differentiator over their competitors. Car manufacturers tout how safe their cars are; although a bit different in nature, so should a business lead with its security and privacy intention and commitment.

Board and company leaders must understand both their business and IT objectives and laws along with resources at their disposal in order to reduce risk and comply with laws and best practices. Vendor trust becomes paramount as more services move to the cloud and risks increase as we simultaneously open our network perimeters to third parties. We are trusting more information to outside organizations, but we must trust and verify. You can’t outsource accountability. Board and company leaders must be educated and in sync in today’s Digital Age.

“Defense in-depth,” which has been the prevailing wisdom for many years, is still critical, but it’s not enough. Enterprise organizations such as Target, Chase Bank and Sony, among others, have experienced significant security resources but were still breached. Companies must work smarter and harder as the effort must be ongoing and vigilant. Integration and analytics are now among the most important things that organizations need to be capable of in order to actively defend their networks. The unfortunate reality is not if you’re breached but when you’re breached. The question is how quickly you will be able to identify, analyze and act when that breach occurs. The effort required should inspire leaders to champion this business must.

From cyber security and computer forensics expert Timothy M. Opsitnick, founder of Jurinnov Ltd.:

When seeking to garner support from the boardroom or “C-suite” for the formulation and/or implementation of a cybersecurity or compliance effort, far too much time is spent trying to convince them of the dangers, risks and cost of the failure to implement good business practices. I find it more successful to influence in a positive tone and present cybersecurity practices as a way to distinguish your business from the competition and win support from the marketplace, which is particularly receptive to cybersecurity issues today.

It is critical to set expectations by explaining that adopting cybersecurity best practices is an iterative process that takes place over time and is constantly evolving.

Indeed, you are never quite done. The process is ongoing and requires vigilance.

From third-party auditor Tom Aumiller, director of information tech at Maloney + Novotny LLC:

When discussing issues at the “C-suite” or board levels, it’s best to start with something everyone understands: risk — risk of losing customers, risk of losing money, risk of data breach, whatever legitimate risk applies. The board or chief executive can readily discuss the risks to the business that concern them.

If they involve data or digital risk, and many do, then take the next step and discuss an appropriate budget for addressing the risk.

Once you have a budget, you can develop technical solutions that address the risk. No need to turn everyone into an IT specialist if you can find a common ground for discussion. You will have introduced IT security and compliance as a solution to issues that everyone understands.

From attorney Michael D. Stovsky, partner and chair of innovations, information technology and intellectual property practice group, Benesch LLP:

As time goes on, data security and privacy issues and problems are becoming material issues for companies large and small. Companies with boards of directors should be concerned about these developments. The plaintiff’s bar is particularly active now in bringing both individual and class action lawsuits arising from data security breaches and lack of compliance with legal and technical standards by companies suffering breaches.

What used to be a problem that only reached board level concern in regulated industries (e.g., health care, financial services and others) has now become an issue for every business that handles sensitive personal data. Public companies are most significantly affected due to the obvious potential for implications on stock price that could result from large scale data breaches, but they are by no means the only targets. Boards of directors comprised of veteran executives often do not have substantive background in the area of the protection of sensitive data and are not tech-savvy enough to understand, let alone counsel the executive management team on strategies to effectively manage complicated data and privacy breach risks.

D&O insurance policies maintained by many organizations simply do not cover, or cover in a limited fashion, risks associated with data security and privacy breaches. All of this creates enhanced risk for members of boards of directors that should be addressed by every company. New board committees may need to be established to address data security and privacy obligations much like audit committees address sophisticated financial concerns.

Boards of directors should receive the counsel and advice of experienced and independent outside counsel on these issues since the cost and expense associated with putting into place effective compliance programs and programs for dealing with data security and privacy problems after they arise may be at odds with the desires of the company’s executive management team.

Some final thoughts

Now more than ever, it is crucial that IT leads and speaks the “C-suite” language. In order to effect change, the dialogue should remain less technical and meet peers where they are, in terms they understand at a business level. Work to articulate the real nature and standing of this pervasive threat.

Ask questions like: Are we a target? Have we been breached already? What do we intend to incorporate in order to recover and mitigate risk and potential damage?

It’s important to realize that security and compliance are not to be confused. A board, institution or company should dedicate an internal champion to facilitate both board and “C-suite” direction going forward in a web- and data-centric world.

http://www.crainscleveland.com/article/20160930/BLOGS05/160939980/the-how-and-why-of-selling-cybersecurity-to-the-boardroom