The relevance and impact of security’s role in business and government organizations achieving their objectives gained tremendous visibility in 2019.
Incidents throughout the year demonstrated security’s key role in core business functions including business continuity, protection of critical assets against ransomware and as a source of evidence for regulatory compliance. As a result, we also saw the C-suite and boards demand to better understand the association between cyber risk and corporate performance.
We also learned that as organizations continue to increase investments in cybersecurity infrastructure, security effectiveness continues to fall behind, as demonstrated by the ever-growing number of attacks and breaches.
As recently reported in Forbes, during the first six months of 2019 there more than 3,800 publicly disclosed breaches that exposed 4.1 billion compromised records. Verodin’s Behavioral Research Team’s research data found that the number of known attacks is but a small subset of the number of attacks that actually occurred. This data reinforces the claim that many organizations are breached without their knowing, and demonstrates a critical need to improve cybersecurity’s effectiveness.
With the growing number of cyber attacks in 2019 and those that took place before this year, we have come to understand that the impact of cyber risk on a company’s operations and financial posture has proven to be significant and long-lasting. Breaches have the potential of translating into millions of dollars in lawsuits and fines, efforts to strengthen a weakened brand, negative impacts on sales, and productivity losses due to lockdowns.
Earlier this year, Gartner reported that CEOs are increasingly blamed and punished as a result of cybersecurity-related events. The research also stated that CIOs are increasingly concerned with IT risk and struggle to communicate an understanding of security effectiveness and risk to the CEO. All of this points to a growing demand for evidence ensuring an organization’s security controls are effective and working as they should.
The validation of security effectiveness improves cyber governance and alignment with core business objectives
We now that the protection of an organization’s assets and infrastructure are a critical concern for business leaders and boards. We are experiencing an increased demand for CISOs and their teams to deliver cyber risk in a more measured and holistic way, and CISOs are being asked how an attack will affect critical business functions across finance, sales, global operations, marketing, customer service, HR and more.
We have also seen a shift where assumptions and general data points no longer satisfy the request; CEOs and boards want quantifiable evidence that demonstrates the effectiveness of security controls and rationalizes further security investments.
Over the past three years, security instrumentation has gained traction as a way for security teams to monitor the effectiveness of security controls in a measured way. This has enabled evidence-based reporting to business leadership – in quantifiable terms – of the company’s exposure to a breach and overall cyber risk.
Through security instrumentation, technical and business teams are able to come together to understand and manage cyber risk and maximize security effectiveness, and they are better able to answer the following questions:
- Regulation: Can we demonstrate we are meeting our regulatory requirements with regard to data privacy and protection?
- Fiduciary duty: Can we prove we are acting appropriately concerning cybersecurity for our customers and shareholders?
- Company liability: If we perform poorly in cybersecurity, how does it affect our business performance overall?
- Personal liability: If we perform poorly in cybersecurity, how does it affect my position as a board member or CIO/CISO?
In summary, 2019 provided a number of lessons to better prepare us for the future and presents a key objective for corporate executives, boards, CIOs/CISOs and security teams as they prepare to address cyber risk in 2020 and establish good cyber governance. The attackers are getting better, their sources in social media are richer in content and the impact of misconfigurations and environmental drift is proving to be more costly.
As we rapidly approach 2020, organizations must plan to not only protect their assets but also defend the success of their leaders. When C-level executives know with certainty that their organization and its investments are effective, it can mean the difference between doing a great job or looking for a new one.