Why are there still cybersecurity incidents?
Why are there still frequent, expensive and embarrassing cybersecurity incidents? With all the investments organizations are making to strengthen their defences and all the media attention devoted to incidents, you’d think everyone has received the message and taken action to eliminate the possibility of more incidents. I’m surprised by the recent headlines that say otherwise:
What, you may be asking, is causing management inaction about cybersecurity?
These incidents keep happening because it’s difficult for management to know how high their cybersecurity risk is and how far it needs to be managed down. There’s no silver bullet for eliminating the threat. Management often falsely believes that:
- The Information Systems (IS) department is managing the risk.
- Its organization is too small or not attractive to potential attackers.
- Media articles about cybersecurity incidents exaggerate the consequences.
Also, management is continuously under conflicting pressures, including:
- Shareholder pressure for higher returns.
- Competitor pressure from rivals claiming to offer lower prices.
- Customer pressure against paying higher prices.
- Employee pressure for higher pay.
- IS leadership claims that the cybersecurity sky is still falling, even after record spending on defences.
- Supplier pressure to raise prices.
- Management’s own desire to preserve bonuses by keeping costs down.
In this demanding business environment, management is reluctant to spend money on cybersecurity defences that appear to offer little return. In too many cases, this inaction has produced disaster.
What are the consequences of management inaction about cybersecurity?
You want to avoid these consequences of inadequate cybersecurity defences:
- A headline about your cybersecurity lapses creating reputational damage among customers and suppliers, leading to loss of business.
- The cost and business disruption of cleaning up after a cybersecurity incident.
- Loss of revenue due to operational disruption.
- The likelihood of an investigation and a fine from a regulatory agency.
- Market share losses when theft of intellectual property creates competitors.
- Tarnish to your carefully cultivated, stellar executive reputation.
Even though the cost of prevention often feels high or even outrageous, it’s significantly cheaper than the cost of addressing the consequences of a cybersecurity incident.
What should management do about cybersecurity risk?
Start by conducting a cybersecurity risk assessment. This work creates facts that trump opinions, hunches, gut feelings, and denial.
The findings of a cybersecurity risk assessment will tell you:
- What defences are working well. That fact builds confidence that some cybersecurity defences are working.
- What defences need strengthening. Those findings form the basis for an action plan to reinforce specific cybersecurity defences.
- What potential defences don’t exist. These items form the agenda for discussing additional cybersecurity defences to implement. No organization needs to address all the items on the list to lower cybersecurity risk.
The findings move the cybersecurity discussion from generalities about risk and cost to multiple specific, granular actions where management can concretely assess the value and cost.
What does a comprehensive cybersecurity risk assessment consist of?
Too often, management asks IS leadership for an opinion about the sufficiency of cybersecurity defences. No matter how confident management is in its IS leadership, that opinion, without supporting data, is dangerously misleading.
Determining what a comprehensive cybersecurity risk assessment consists of should include the following considerations:
- Is an internally developed cybersecurity assessment sufficient? An internally developed risk assessment framework will not benefit from the contributions of many experts. However, it may be better tailored to your organization’s risks and priorities. It’s often better to base the risk assessment on a well-established cybersecurity framework.
- What cybersecurity framework will it use? Select a framework appropriate for your industry and the organization’s size.
- Who will conduct the cybersecurity risk assessment? Audit department employees typically lack the requisite technical expertise. Someone from the IS leadership team may be tempted to produce an overly optimistic set of findings. The objectivity of an external consultant may be worth the additional cost.
Yogi Schulz has over 40 years of information technology experience in various industries. Yogi works extensively in the petroleum industry. He manages projects that arise from changes in business requirements, the need to leverage technology opportunities, and mergers. His specialties include IT strategy, web strategy and project management.