A crippling cyber threat is on the horizon for every single company.
Yet CISOs, CIOs, and other Information Security Executives (ISEs) still aren’t receiving the support they need to steer clear of these hazards.
Because we’ve been approaching security all wrong. It’s time to reframe the conversation around cyber threats.
It’s time to clearly connect safeguarding data and profitability.
Global cybercrime reached a dark new depth on May 12, 2017
That’s when hackers unleashed WannaCry around the world. The complex piece of ransomware paralyzed several British hospitals, brought French car maker Renault to a halt, obstructed Brazil's court system, and stopped hundreds of other public and private organizations in their tracks.
An eerie sentiment remains. Both businesses and consumers have shifted from asking "How can we stop this from happening again?" to simply wanting to know "Who's next?". The companies most likely to fall victim are those that silo information security instead of treating it as a core business function.
“It’s perceived to be a tech problem, but it’s really a business issue. And how the business is using technology,” says Candy Alexander, CISSP, CISM, and International Board Member of the Information Systems Security Association.
Undoubtedly, the mass digitization of products and services has created unique challenges for companies. Calling it “the phenomenon of our time,” Ginni Rometty, IBM Corp’s Chairman, President, and CEO, says the vast amount of data that modern organizations collect “is the world’s new natural resource.”
“It is the new basis of competitive advantage, and it is transforming every profession and industry,” adds Rometty.
“If all of this is true—even inevitable—then cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world."
It’s About Getting Everyone
This is a fact Information Security Executives have been attempting to drill home to the C-suite for some time. A 2016-2017 Deloitte University Press survey found 45 percent of ISEs believe cybersecurity will have a significant impact on their organization within the next two years. Yet, only 10 percent say they work at companies where cybersecurity is treated as a top business priority. Instead, survey respondents cited customers, performance, growth, and cost as the top four business concerns at their organization.
In order for ISEs to navigate their C-Suite approval chain, they’ll need to demonstrate how a strong cybersecurity program can acquire and retain customers, improve market performance, drive company growth, and cut operational costs. Only when security adopts the language of the business world will ISEs be taken seriously.
To be successful, an ISE must demonstrate how a strong cybersecurity program can impact these key areas of the business:
According to ISEs, their companies value customers as the single most important business priority.
Not surprisingly, history shows these same customers will lose a tremendous amount of brand loyalty should a breach occur.
When security issues surface, management has virtually no choice but to refocus their efforts and resources to clean up the mess.
This usually means less emphasis on hiring, innovation, growing market share, and staying ahead of the competition.
When considering adding or modifying resources, cost is always one of the first considerations.
Fortunately, when a company spends on cybersecurity, it’s been proven to be a worthwhile investment.
The Ripple Effect Starts with the Customer
To date, WannaCry has impacted about 300,000 computers and 200,000 end users. Among the victims are patients of the National Health Service hospitals of England and Scotland. During the attack, ambulances had to be diverted, critical surgeries were canceled, and care teams were left scrambling to access patient data.
But it’s not always a life and death situation that drives a customer to stop engaging with an organization. Once a company has experienced a breach compromising their customers’ sensitive financial data, 64 percent of consumers say they are unlikely to do business with that company.
Consider Target, whose 2013 customer-depleting credit card hack led to an immediate profit loss of 46 percent compared to the previous quarter, and then a 34 percent profit hit for all of 2013. Such a dramatic dip in sales can be expected, given that research shows a data breach can cost retailers about one-fifth of their customers—even if the company takes steps to remediate the issue.
Timeline of Events
Hackers finalize setup of malware designed to capture customer credit card info at the registers of all 1,797 Target locations. The retailer's cybersecurity partner sends a first alert to headquarters, warning about suspicious activity. The alert sits in an inbox, unseen.
The day Target could have completely thwarted one of the largest cyber attacks in history, had someone acted on the alert.
Customer data starts flowing off of Target’s servers, and into hackers’ hands. A second, more urgent alert goes unseen.
Despite additional alerts throughout early December, Target finally pays attention when contacted by Federal government officials. Three more days pass before Target “confirms” the attack internally, and takes action.
Target eradicates the malware, finally stopping the breach.
As customers swipe their cards during the holiday shopping season, their personal info and credit card details are being sent directly to hackers.
Target issues first public statement, revealing that 40 million customer credit card numbers were stolen.
Target admits that in addition to the credit card records, 70 million records containing personal information were also part of the breach.
CIO Beth Jacob resigns as a result of the breach.
CEO Gregg Steinhafel resigns as a result of the breach.
Keeping Performance and Growth Afloat Is Key
In the boat with customer retention is a company's performance and growth. And it's easy to see how a breach can quickly capsize business initiatives. In the short term, CFOs must reconfigure budgets to cover legal fees, crisis management, and emergency cybersecurity measures. Changes in leadership are also seen as necessary to bring stability and correct a dented brand image. Collectively, these modifications impede performance by depressing cash flow, freezing marketing initiatives, and lowering employee morale.
Shareholders feel the effects as well. A recent study by IT consultants CGI and Oxford Economics confirmed what many have suspected: breaches can permanently lower stock prices. Looking at 65 organizations affected since 2013, researchers found that companies that suffered severe attacks saw share prices drop an average of 1.8 percent in the long term (severe being defined as an attack involving a large number of compromised records and/or requiring subsequent action by a regulatory agency). Together these breaches are estimated to have cost the companies’ shareholders $52.4 billion. The industry hit the worst? Financial services, where breaches appear to be directly connected to the erosion of investor loyalty.
It’s nearly impossible to focus on growing an organization when you’re in recovery mode—something Information Security Executives must convey to the C-Suite. In the knowledge economy, strategic business growth is directly tied to innovation and human capital. This means ISEs should lead the charge in protecting proprietary information, improving processes, and evaluating the security posture of all employees, vendors, and partners. Conversations around industry regulations, talent management, and supply chain management should never happen without the involvement of an ISE.
A look back at the Target breach shows malware was likely installed using stolen credentials from one of the retail giant’s HVAC vendors in rural Pennsylvania. Setting security requirements for everyone who works for and does business with an organization is one of many major initiatives that should fall under the purview of an ISE. Had someone at Target headquarters been aware of this vendor's gap in protection, the retail giant might have been able to avoid having to explain compromised records to jaded shoppers. Not only does this case prove the value of keeping a pulse on every corner of a company’s digital footprint, but it shows the importance of doing so with human eyes and ears.
The Target case also demonstrates it’s not just giant corporations who stand to have their growth stunted by cyber crime. Small businesses without a strong cyber program lose out on opportunities to grow when they don’t meet the security requirements of the large companies with whom they want to partner. More CIOs are taking the time to meticulously assess the cyber risk of their suppliers and partners, and cutting ties with those that pose a threat to the business.
The Most Damaging Cost of Not Acting? Cost
Perhaps the most convincing argument for taking cybersecurity seriously is the cost. Data show the cost of a single attack greatly outweighs the cost of preventing it. IBM has estimated every business experiences 16,856 attacks per year, 46 attacks per day, and two attacks per hour.
“Drilling these numbers down to the company level, there is ordinary loss of cost associated with data breaches,” says Jim Halpert, Partner and Co-Chair of U.S. Cybersecurity Practice at DLA Piper.
As someone who counts Fortune 500 companies among his clients, Halpert is well aware of the pricey damage a data security breach can inflict upon an organization.
“The Ponemon Institute released a study noting the average cost of a large data breach at more than $158 loss per record of good will. So for a very large breach, well, you can do the math,” adds Halpert.
With these numbers, it becomes somewhat easier to quantify the financial risk a company faces after a breach. When combined with projected customer churn rate, profit loss, and decreasing stock prices, ISEs can develop a financial model to bolster their case for a vigorous cybersecurity plan. Taking a page from the investment world—a realm the C-Suite knows well—more ISEs are seeing success by developing custom value-at-risk models.
One such model comes from the non-profit think tank FAIR Institute. Their FAIR model has gained popularity as an international framework for quantifying the impact of cyber threats and managing information risk.
Value-at-risk models like FAIR are helping more CEOs become open to the idea of investing in an expanded cyber program and security team. However, when the actual dollar amount to fund such an expanded program is brought to the table, ISEs often hit yet another hurdle. Acquiring top cyber talent and conducting around the clock monitoring comes at a premium, which is why many top organizations outsource a portion of their cybersecurity management. Experts find it’s generally safer and more economical to share the responsibility of protecting data with a cyber firm, rather than relying completely on an internal team.
“In-house expertise is really only 9 to 5. Most companies have this, but they won’t have the level an MSSP can provide around the clock."
"Setting up that capability is expensive and incredibly hard to do unless you have the right person,” says Darren McCue, President of Dunbar Security Solutions.
Estimating the cost of an in-house security operations center (SOC)
When accounting for personnel, technical infrastructure, and ongoing maintenance, the cost of building an in-house SOC generally exceeds the price of partnering with a Managed Security Services Provider (MSSP).
*The cost of partnering with an MSSP varies based on the amount of data being managed, the services provided, and other factors. The information below outlines the minimum cost for any 24/7 organization, as it is not industry or size dependent. As the data volume increases, more people will be needed to handle the flow of events.
Tier 1 employees: ~$70,000 yearly salary per employee
Tier 2 employees: ~$90,000 yearly salary per employee
Tier 3 employees: ~$110,000 yearly salary per employee
Cost for hardware, software, storage, security, etc.
Annual cost to operate an in-house SOC, adequately staffed to provide 24/7 security monitoring
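The value-at-risk argument above and the SOC staffing figures in this section come together in a single calculation: what a year of breach exposure is likely to cost versus what 24/7 in-house coverage costs in salaries. The example below is added here and is not code from the article or from Dunbar Security Solutions; it uses the article's $158 per-record and tier salary figures, and the leave fraction, shift assumptions and breach scenario are constructed assumptions. The FAIR-style model is simplified: a Poisson event frequency and a triangular records-per-event range stand in for FAIR's full PERT-based taxonomy.

```python
import math
import random
import statistics

# Figures quoted in the article: ~$158 of loss per breached record (Ponemon),
# and Tier 1/2/3 SOC analyst salaries of ~$70k/$90k/$110k.
PER_RECORD_COST = 158.0
TIER_SALARY = {1: 70_000, 2: 90_000, 3: 110_000}
HOURS_PER_WEEK = 24 * 7  # a 24/7 seat must be filled 168 hours a week

def fte_per_seat(hours_per_fte=40, leave_fraction=0.15):
    """Analysts needed to keep one chair filled around the clock.
    leave_fraction (vacation, sick days, training) is a constructed assumption."""
    return math.ceil(HOURS_PER_WEEK / hours_per_fte * (1 + leave_fraction))

def soc_personnel_cost(seats_by_tier, hours_per_fte=40, leave_fraction=0.15):
    """Annual salary bill for a 24/7 SOC given how many seats of each tier are staffed.
    Returns (headcount, annual_cost); hardware, software and storage are not included."""
    per_seat = fte_per_seat(hours_per_fte, leave_fraction)
    headcount = {t: n * per_seat for t, n in seats_by_tier.items()}
    return sum(headcount.values()), sum(TIER_SALARY[t] * n for t, n in headcount.items())

def _poisson(rng, lam):
    # Knuth's method; adequate for the small yearly event rates used here
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_breach_loss(events_per_year, records_min, records_likely, records_max,
                         trials=20_000, seed=1):
    """Simplified FAIR-style annual loss exposure: loss events per year are Poisson,
    records lost per event are triangular(min, most likely, max), and loss magnitude
    is records * PER_RECORD_COST. Returns the mean (annualized loss expectancy),
    the 95th percentile and the worst simulated year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = _poisson(rng, events_per_year)
        losses.append(sum(rng.triangular(records_min, records_max, records_likely)
                          * PER_RECORD_COST for _ in range(events)))
    losses.sort()
    return {"ale": statistics.fmean(losses), "p95": losses[int(0.95 * trials) - 1],
            "max": losses[-1]}

if __name__ == "__main__":
    # Constructed scenario: one Tier 1 and one Tier 2 chair staffed 24/7, a single
    # daytime Tier 3 lead, and a 30% yearly chance of a 50k-1M record breach.
    heads, soc = soc_personnel_cost({1: 1, 2: 1})
    soc += TIER_SALARY[3]
    exposure = simulate_breach_loss(0.3, 50_000, 200_000, 1_000_000)
    print(f"24/7 SOC personnel: {heads + 1} analysts, ${soc:,.0f}/year")
    print(f"Breach exposure: ALE ${exposure['ale']:,.0f}, 95th pct ${exposure['p95']:,.0f}")
```

Replace the scenario inputs with your own breach probability, record counts and staffing plan; the comparison of annualized loss expectancy against the salary bill is the number to bring to the C-suite.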
Once ISEs communicate this reality, they’re likely to win back the attention of decision makers.
“They can spend a fraction of the cost on cybersecurity and have peace of mind knowing they are spending it on the right thing,” says Darren McCue, President of Dunbar Security Solutions.
Experts generally agree the “right thing” means not just machines, but humans as the most critical element.
“The problem is there are unknown attacks on vulnerable systems the community isn't aware of yet. Updated signatures won't work since the software won’t know what to look for. You need a more behavioral approach to it which requires people,” says Dunbar Security Operations Center Engineer and Analyst Sean Burke.
While he acknowledges the great value computer generated algorithms bring to network monitoring and intrusion detection, Burke says not everything in cybersecurity should or can be automated.
“Even if we have computers do all the thinking and working for us, the machines still rely on us to hit the kill switch for these unknown attacks.”
“We track users logging in during the middle of the night, data getting transferred all over the world. Companies need people alongside great technology to distinguish between good vs bad."
It’s an Investment in a Steady Journey
It’s still not uncommon for leadership to question the merits of a comprehensive cyber solution when an organization has yet to encounter a breach.
“CEOs are thinking, ‘Why do I need to spend money when you’re doing a great job? Why spend when we are doing fine?’,” says Bernie Skoch, Commissioner for CyberPatriot, a cybersecurity education and training program.
“That may have little to do with protection—but it may be that the system just hasn’t been hacked yet,” says Skoch.
“CISOs and enterprises offering protection need to be right 100% of the time. Bad guys only need to be right once.”
And that one instance can easily stay under the radar.
“A company without an MSSP will often go months or even years without knowing, while it lingers and festers, making the damage far more costly to address and much more likely to have sustained irrevocable damage,” says Chris Ensey, COO of Dunbar Security Solutions.
In many cases, getting the sign-off from a superior simply means getting them to view cybersecurity as a holistic issue best tackled by a qualified team.
“A business should devote itself to its core competencies. With any size company—big or small—it makes sense to devote resources to a professional who can do it better, faster, cheaper. Cyber should be seen as an operational expense,” says Skoch.
Once leadership sees what lies above and beneath the surface, they are more likely to chart a course ensuring financial peace of mind and a competitive spot in the marketplace.
“If you know you’re secure, you can spend more resources on innovation, rather than dealing with cleaning up a breach,” says Darren McCue, President of Dunbar Security Solutions.
In a sea of deep threats, the secure survive.
Dunbar Security Solutions offers 360° MSSP security, in action 24/7/365, and tailored precisely to your business needs.
Are you an ISE? Congratulations, your company’s entire future is in your hands.
The sooner you believe you’re the one who can right the ship, the sooner you and your business will be rewarded. Keep an eye on these boxes for helpful tips on approaching and convincing your stakeholders that cybersecurity should be an action item instead of just a line item.
The old saying “Take care of the customer, and everything else takes care of itself,” has never been more relevant.
As an ISE, it’s easy to get bogged down by the insane pace of the cybersecurity industry, and the (sometimes unrealistic) expectations that come with your role. But when you think and speak in terms of how cybersecurity decisions relate to customer protection and retention, you’re showing others that you mean business. Remember to remain laser-focused on this perspective.
Stumped on how to get decision makers to commit to added cybersecurity resources?
Try removing the word “cyber” from “cybersecurity” when discussing it, and be confident in assuring them that this is about so much more than just one facet of the organization. It’s about the overall security of the company’s competitive performance, growth potential, talent retention, and future.
As the ISE, you know the cost of airtight cybersecurity is a drop in the bucket compared to the cost of a breach.
Show executive management how much a single breach can cost compared to the measures it would take to prevent it. Whether you use the figures in this article or your own, remember that a number can paint a thousand words.