One of the most common misconceptions about cybersecurity is that the responsibility and ownership sits solely on the shoulders of the CISO and the security team.
Common assumptions are anything related to cybersecurity, a security issue or security initiative resides with the security team and the Chief Information Security Officer (CISO). Phishing attacks? That’s a problem for the security department. Vetting vendors and third parties? That belongs to the vendor management team. Data regulation compliance issues? That’s the cybersecurity team’s problem.
The reality, however, is that security is a team sport and we all have a role to play and a responsibility.
Every company needs to build a risk portfolio, have incident response plans for every line of business and automate the risk management process as much as possible. Cybersecurity visibility is at the core of all of this.
Security should never operate in a vacuum, or reside with one person as their sole responsibility. Cybersecurity touches everyone and can negatively affect business goals and have significant consequences on the organization if not everyone is participating. If a data breach occurs, it not only affects the company’s brand, it also puts customers at risk and can have catastrophic financial consequences. According to Ponemon, the average cost of a data breach is $3.86 million.
Below are a few challenges and questions that key decision-makers need to solve, from the board of directors to the head of marketing, procurement, CIO, and CISO.
The Board: ‘How are we managing our risk portfolio and are we investing in the right security solutions to meet our governance requirements?’
The board of directors’ job is to protect the organization as a whole. Board members — even those who don’t understand technology or cybersecurity — want to know that the organization is protected from a breach that might endanger the assets, finances, or reputation of a company. Often, however, the board gets treated to a retrospective: how many attempted breaches were repelled in a quarter, for example.
A better answer is to look forward: present the solutions the company has invested in and show exactly how those products and services protect the organization’s data and networks. If you’ve invested in a security rating service, for example, show your rating to the board of directors, and explain what it means and how exactly knowing your organization’s rating can help your company remain secure and compliant and how you compare to your competitors.
The CEO: ‘How do we continue accelerating our business while still managing to stay secure?’
Chief Executive Officers (CEO) are responsible for scaling up and building out the business, yet with expansion comes increased risk — new verticals, additional remote workers, and a growing supply chain.
CEOs need to create a dedicated team to ensure people, processes, and technologies are being optimized and that there is the right balance between perceived “security roadblocks” and the “speed of doing business”. Managing security and regulatory risks internally and across third-party organizations can also be time-consuming. CEOs need to ensure that all key stakeholders and lines of business are collaborating to support the strategic goals of the business yet not inhibit the business efficiencies.
CEOs also have to act as security advocates and champions, ensuring security processes and plans are in place. Similar to their responsibility to grow company revenue and market share they must also mandate compliance across the entire organization. Embracing security best practices needs to be a focus and a core pillar in a company’s culture in order to avoid negative impacts to their business, customers, and partners.
The CIO: Where is the concentration of risk in my supply chain? Is my infrastructure secure? How can I integrate systems to do more with less?
The Chief Information Officer’s (CIO) core responsibility is focused on business continuity. Under that umbrella, the CIO is responsible for securing the digital supply chain, IT infrastructure, and remote workers while also monitoring risks in Internet of Things (IoT) and Shadow IT.
The digital supply chain has an inherent dependence on suppliers, who could be putting your company at risk — for example, cloud storage or financial services providers. Understanding if your supplier relationships and contractors are risky to do business with is nearly impossible without having a third-party management solution. In today’s world, it is essential to have real-time, continuous monitoring of your vendors, all of your systems integrated into a single pane of glass, and the ability to automate processes and procedures from your incident response plans.
The CISO: What initiatives should we prioritize in order to mitigate cyber risk?
The Chief Information Security Officer’s (CISO) core responsibility is focused on security and risk. They are responsible for third-party risk management, digital supply chain risk management, compliance, and they overlap with the CIO on managing risks in the IoT, Shadow IT, and remote workplace. They are tasked with ensuring the organization’s infrastructure is secure. Despite this, CISOs are often not part of selecting the technology solutions.
Prioritizing different initiatives and mitigating risk can be challenging since CISOs usually have a small team to support the entire organization. To understand which programs or solutions to prioritize, they first need to understand where are the most severe vulnerabilities and risks which is impossible to do without having the proper security risk ratings platform to enable outside-in visibility.
CMO: Is our brand reputation at risk? Are we putting our customers at risk of breach?
A data breach does more than put the finances of an organization at risk — it also puts the brand of a company in danger. If you’ve suffered a major breach, especially if you’ve put customer information in danger, that will impact the trust people have in your brand.
Having a security risk ratings platform and outside-in visibility will reassure the Chief Marketing Officer (CMO) that their brand is secure, proper steps have been taken to protect customers’ personal information, and the third-party vendors and contractors they use are imposing additional risk to the business.
CMOs also need to understand the organization’s security policies and incident response plans in case there is a breach. How will they notify customers if the worst-case scenario occurs? What will they do to mitigate the breach? What impact will this have on the company?
General Counsel: Are we following data protection and breach notification laws?
Compliance is very difficult to manage. There are multiple complex regulations that need to be adhered to, managing them all can be complex and failure to comply with data protection laws can be costly. Take the European Union’s General Data Protection Regulation (GDPR); organizations that don’t comply with GDPR can be fined millions or 4% of the company’s annual revenue, whichever is higher.
To ensure compliance for every applicable law and regulation plus continuous monitoring of controls and regulatory frameworks are a must. Visibility and simplicity is essential for the General Council to quickly assess if they’re up to date and complying with all data protection laws.
Corporate Development: How can we meet our non-organic growth aspirations in the most risk-free way?
Mergers and acquisitions are risky – the ability to make decisions in seconds vs. minutes or hours is essential. Acquisitions, investments, and divesting of portfolios is complex and an investment mistake could have huge financial ramifications. When making an acquisition, you’re not just acquiring the company, you’re also acquiring any existing security risks or vulnerabilities.
A cybersecurity audit must be part of the due diligence process just as a financial audit is. When starting to assess companies to merge or acquire, corporate development needs to make sure they start by looking at the companies’ security risk rating score. This will enable them to quickly assess in seconds and at scale which companies they should move forward with, and which to walk away from.
CFO: Do we have sufficient cyber insurance coverage?
While it’s important to have cyber insurance coverage if a breach occurs, it’s difficult to gage how much cyber insurance is enough. Chief Financial Officers (CFO) may justifiably be worried that their existing policy coverage is not sufficient, or that their organization is spending too much on their policy.
To understand how much cybersecurity is enough, an organization needs to measure its cyber risk. A CFO needs to quantify their risk and understand what their existing policy covers. According to PWC, although regulated industries often have an excellent handle on their cybersecurity and risk, thanks to compliance, less regulated industries are often underinsured. A security score can help with this analysis. Cyber insurance underwriters use security risk ratings scores to set premiums, build policies and assign a company’s risk threshold.
Risk Officer: Are we compliant with security regulations? Are we exposed to fines or penalties?
Non-compliance with security regulations means fines and sanctions, but keeping up with compliance can be difficult — especially with the ever-changing regulations and continuously changing threat landscape. To minimize compliance complexity, choosing a framework that aligns with your specific compliance needs, such as NIST (National Institute of Standards and Technology) which lays out a set of controls and balances to help organizations manage cybersecurity risks is essential. The need for an integrated questionnaire exchange platform to simplify the questionnaire process and security framework adherence is a must-have today.
How can SecurityScorecard help?
Having the ability to quickly and easily understand your organization’s security posture is vital when you’re talking with business leaders about cybersecurity risk. They need to understand how any unknown cybersecurity vulnerabilities can affect their company’s business goals.
Our security ratings are based on an A-F scoring scale making it easy to explain to executive leadership where vulnerabilities have been detected and which need to be prioritized first. In addition, our board reporting documentation can be used to prove governance compliance, as evidence with auditors and insurance underwriters and that your company is effectively managing risk across the entire organization.