[BreachExchange] Under Pressure

Mon Jan 9 18:58:18 EST 2017

http://www.securitymagazine.com/blogs/14-security-blog/
post/87704-under-pressure

Under pressure!  No, not the 1982 hit song by Queen that was used in the
1997 American comedy crime film Grosse Pointe Blank. I am describing the
likely 2017 work environment for CSOs and CISO. If CSOs and CISOs thought
they were under pressure in 2016, it is about to increase and go beyond the
usual. Traditional increases in pressure were due to the growing rate of
data breaches and the number, complexity and success rates of cyberattacks.
All of those pressures will increase from 2016 to 2017, but wait there’s
more!  There will be multiple new reasons for the increase and the impact
they will have will be different. The pressure will come from as high as
you can go within your organizations as well as being driven by business
management. Here are just a few drivers of the increased pressure.

1. According to a recent survey, nearly 24 percent identified that
cybersecurity (attacks and breaches) will be at the highest propriety for
board in 2017. Its priority is very close to what is placed on strategy and
general risk oversight. Another interesting aspect of board level pressure
came from another study that found in the past year less than 50 percent of
new board members possessed a technical background, knowledge, capability
and/or experience.

2. The massive breach that struck Yahoo will shake things up as well.
Previous publications state that Verizon planned to bid more than $4.8
billion for the Yahoo's Web Assets. That has changed, and now according to
TheStreet.com, Verizon has reduced its bid for Yahoo by $1 billion. That
would equate to about a 1/5 loss in Yahoo’s value.

3. Another interesting factor uses a recent metric from the 2016 Ponemon
Cost of Data Breach Study, which found the average loss per record stolen
increased and is now $158! If that figure holds true, the calculated cost
of the Yahoo breach would be $158,000,000,000.  $158 billion -- an economic
impact to be sure. These are clearly an indicator of the economic damage of
a successful cyberattack!

It is important to note even small and mid-size company executives are now
paying attention. I am sure they will uncover the recent metrics that
indicate that many small and medium size organizations go out-of-business
within a year to 18 months following a breach.

CSOs and CISOs will experience a lot of pressure from above. Executives and
board members have clearly become sensitive to all the media attention
given to numerous high-profile data breaches and the cost of litigation
that follow these successful cyberattacks. Executive management and the
board want these business assets protected period. They also want to avoid
the high and getting higher costs of successful cyberattacks and data
breaches, including the costs associated with litigation that essentially
follows. Today and moving forward, executives and board members recognize
that they must meet their responsibilities with regard to managing
cybersecurity risks within their organizations. I had a conversation with
Simon Johnson, a senior level management consulting focusing on
cybersecurity at the executive and board level, and he clearly indicated
there would be implications from the Yahoo breach. He said, “The value at
risk is substantial and every executive and board member should understand
the value at risk associated with various risk scenarios. This clarity
creates the clear call to action and value proposition – defined by the
value at risk – that a board and its’ executive could not ignore – or brush
aside.” Given that insight, you can easily see why CSOs and CISOs will be
under increased pressure from the very top of their organizations!

The cyber threat environment continues growth that is virtually unchecked.
With that the patience and understanding of executives and board members
shrinking and rapidly becoming non-existent, the time for action is now.
Given all the highly publicized breaches like Yahoo, the hacker community
will be encouraged. Here is some advice: be ready! No more tech talk and
jargon. No more "planning to do that" – you had better just get it done and
done right. The level of risks now being associated with cyberattacks and
data breaches demand these risks be managed and managed to the executive
team’s and board member’s expectations. If you fail to meet their
expectations, my advice is to update your resume!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170109/ab1707d3/attachment.html>