New report indicates cyber complacency is a growing problem in corporate boardrooms globally
Los Angeles, Calif. – Jan. 16, 2017
“Every company will be hacked”, according to Roger Grimes, in a recent story he wrote for CSO.
It’s a scary statement to make but Grimes, a 30-year tech industry road warrior who spent the past 11 years as Principal Security Architect at Microsoft, knows his stuff.
I’ve been guilty of making similar bold statements and leveraging the “when, not if” hacking scare tactics, but I’m finding more and more that the tone has changed when executives speak about cybersecurity. It’s a far more proactive dialogue around “How ready are we? Really?”
It’s hardly a surprise, then, that cybercrime damages are predicted to cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. This dramatic rise underscores how sharply the number of organizations unprepared for a cyber attack has grown.
DDoS attacks, ransomware, and an increase in zero-day exploits are contributing to the cybercrime damages prediction becoming a reality. What really worries me though, is that all the hype around cybercrime – the headlines, the breach notices etc. – makes us complacent. The risk is very real and we can’t allow ourselves to be lulled into a sense of inevitability.
I say it all the time, but it’s worth repeating in this forum — We all have a role to play in how we protect our businesses from the accelerating threat of cybercrime! And it isn’t just hacks and data breaches that CEOs need to be concerned with. Compliance will be the biggest driver of security in the coming years. I firmly believe compliance drives over 50% of the market today.
Take for example the General Data Protection Regulation (GDPR), which applies to any company in the world, literally any company, that receives data from the EU. What’s scary about the GDPR is the financial risk associated with non-compliance.
Organizations found to be non-compliant can be fined €20 million or 4% of annual global turnover, whichever is greater. Despite the warnings and the looming compliance date (May 25, 2018), we continue to see companies around the world struggling with the premise. This is a real directive with aggressive implications, and you need to be ready.
GDPR is one of numerous compliance mandates that organizations globally are grappling with. There’s DFARS, NYCRR 500, FISMA, GLBA, SOX, and others.
Don’t let me be the only warning…
Heather Engel, the Chief Strategy Officer at Sera-Brynn, a global cybersecurity audit and advisory firm, was quoted as saying, “If GDPR were an asteroid hurtling towards the United States, those directly in the strike zone would be large, multinational companies”.
Feel the pain now?
So what are you going to do about it?
I get asked all the time – what advice would you give to CEOs? And it always comes back to cybersecurity for me. CEOs today have to become cyber aware, empower their teams and ask the right questions. They MUST be discussing their cyber defense in the boardroom.
The alternative is to wait until after their company is cyber attacked, when it becomes a discussion centering around PR damage control and reputational harm. You plan your corporate strategy years in advance, why not be proactive with your cyber defense?
To help CEOs prepare for the boardroom discussion, my firm, Herjavec Group, has published “Cybersecurity Conversations for the C-Suite in 2018”. The guide covers 5 conversations a CEO should have with their CIO and CISO before looping in the COO and CFO, so that cyber defenses and budgets are aligned with each other.
The 5 Cybersecurity Conversations CEOs should be having:
- Reviewing readiness for compliance requirements – especially GDPR
- Evaluating cyber insurance policies in advance of a cyber incident
- Using purple-teaming for greater incident response planning
- Establishing a strong cyber hygiene program
- Strengthening mobile and IoT security in your corporate environment
The most important point I can raise is the most basic – it comes down to cyber hygiene. There should be governance around your patching and system updates. In the event of a cyber attack, it will be unacceptable for C-levels to blame the IT department. Every team needs to report on it, and the executives need to be aware of, and feel accountable for, the organization’s cyber hygiene.
The goal of our report, and of this new blog, is to spur conversation and share lessons learned from my experiences across the industry. After reading these thoughts and our Cybersecurity Conversations for the C-Suite report, I’m hoping that you’ll kick-start those conversations with your direct reports and executive peers.
If you’re already having them — great. If you don’t have a plan to address each area – make one!
You should feel comfortable tabling each of these topics at your next board meeting.
Make the first order of business for 2018 – Cyber Defense!
To Your Success,
Originally posted January 16th on cybersecurityventures.com