As I sat down to write this, I had just finished reading about a finding in which records for 66 million individuals were discovered in an unprotected database. Now you may ask yourself, so what? After all, just last week we had breaches impacting 500 million people, then 115 million and the next day 100 million.
It is remarkable to think we have become so accustomed to these stories that the fact that the details of 66 million individuals are accessible to anybody barely even gets a mention. It has been said that when a ‘cyber 9-11’ event occurs (and yes I shudder at that term as well) cybersecurity will be taken more seriously. Seriously? Such a major event occurs daily, and yet in many cases it’s a shrug as we look to tweet about the next one.
Our acceptance of such security issues is alarming. Yet it is understandable, since the correlation between cause and effect is almost impossible to identify. Remarkably, this difficulty in determining the true impact exists whether the victim is an individual or an organization. Consequently, the inability to determine a quantifiable loss means that any measure identified to reduce risk is, at best, an estimate. Moreover, if the loss is rarely felt, then the value of taking active steps to protect an asset can simply be overlooked.
The opposite is true for physical assets, where the loss can be recognized almost immediately. For example, failure to take measures to protect your car could result in the loss of that asset, where the impact is felt and the cause and effect can be immediately identified.
Many of us recognize this landscape, and so the question is how to change this misconception. Awareness is not the answer. Cybersecurity stories are well covered and form a key component of mainstream reporting. Equally, cybersecurity is one of the top topics in boardrooms across the globe, with the role of the CISO a key hire for many organizations. It is worth noting, though, that (according to Forrester) only 4% of CISOs at Fortune 500 organizations are at SVP level. Is the CISO really deserving of the C title?
I often ask myself how many people I know at CTO, CIO, or even CEO level who have come from a cybersecurity background. Truthfully, the answer is very few. Headlines and surveys will tell you that cybersecurity is a key topic for every organization, and yet for such an important area of the business there appears to be no progression within the business.
A recent study into the educational backgrounds of executives at the biggest companies is highly unlikely to include a cybersecurity discipline. Is this something that will ever change? As businesses become more dependent on technology, as personal data becomes more of a critical revenue stream, or as digital disruption becomes more critical toward maintaining a competitive advantage, will cybersecurity no longer be seen as a cost of doing business in the 21st century?
“Our choice is very simple, we can either bemoan the status quo or identify an approach that allows us to articulate our business value in a quantifiable way”
I do believe cybersecurity is an enabler. It is an innovative industry that can develop new opportunities for major organizations, provided this is done with a clear approach toward managing the risks of doing things differently. As someone who entrusts their data to so many organizations, I would be very comfortable knowing that the most senior executives at the firms I implicitly trust are led by someone who has a clear understanding of different consent models, or who understands a threat landscape that is getting better and more aggressive in its desire to steal and sell information about me.
I titled this blog with reference to a glass ceiling, but we have to look around us and recognize that such an environment does exist. Our choice is very simple: we can either bemoan the status quo or identify an approach that allows us to articulate our business value in a quantifiable way. Every other department can use investment to demonstrate measurable business value, and our challenge will be to do so for an industry that is opaque and where determining ROI and TCO has been notoriously ‘challenging.’ Unless this happens, the breaches will get ever larger and the apathy only worse.