Cybersecurity is a critical but often misunderstood aspect of companies’ technology infrastructures. Here’s how business and technology leaders can ensure that important corporate assets remain safe.
Hit or myth? Understanding the true costs and impact of cybersecurity programs
Companies are using all kinds of sophisticated technologies and techniques to protect critical business assets. But the most important factor in any cybersecurity program is trust. It undergirds all the decisions executives make about tools, talent, and processes. Based on our observations, however, trust is generally lacking in many organizations’ cybersecurity initiatives—in part, because of competing agendas.
Senior business leaders and the board may see cybersecurity as a priority only when an intrusion occurs, for instance, while the chief security officer and his team view security as an everyday priority, as even the most routine website transactions present potential holes to be exploited. This lack of trust gives rise to common myths about cybersecurity—for instance, about the types of threats that are most relevant, the amount of spending required to protect critical data, and even about which data sets are most at risk. Perceptions become facts, trust erodes further, and cybersecurity programs end up being less successful than they could be.
If the incidence of breaches has been low, for instance, business leaders may tighten the reins on the cybersecurity budget until the CIO or other cybersecurity leaders prove the need for further investment in controls, perhaps opening the company up to attack in the meantime. Conversely, if threats have been documented frequently, business leaders may reflexively decide to overspend on new technologies without understanding that there are other, nontechnical remedies (such as tighter access policies, staff training, and incident-response planning) to keep data and other corporate assets safe.
Separating myths from facts
Based on our work with companies across industries and geographies, we’ve observed that business and cybersecurity leaders fall under the sway of four core myths when discussing or developing protection programs for corporate assets.
- Myth 1: All assets in the organization must be protected the same way
Not all data are created with equal value. The customer data associated with a bank’s credit-card program or a retailer’s loyalty-card program are of greater value than the generic invoice numbers and policy documents that companies generate in-house.
- Myth 2: The more we spend, the more secure we will be
According to our research, there is no direct correlation between spending on cybersecurity (as a proportion of total IT spending) and success of a company’s cybersecurity program.
- Myth 3: External hackers are the only threat to corporate assets
It is true that threats from outside the company are a huge concern for cybersecurity teams, but there are significant threats inside corporate walls as well.
- Myth 4: The more advanced our technology, the more secure we are
It is true that cybersecurity teams often use powerful, cutting-edge technologies to protect data and other corporate assets. But it is also true that many threats can be mitigated using less-advanced methods.
Building a culture of resilience
Rather than perpetuate myths, business and cybersecurity leaders should focus on bridging the trust gaps that exist between them. We believe most companies can do that when technology and business leaders jointly train their attention on two main issues of control: how to manage trade-offs associated with cybersecurity, and how to discuss cybersecurity issues and protocols more effectively.
How do we manage trade-offs?
Technology professionals have a role to play in reeducating the C-suite about best practices in cybersecurity spending—specifically, illustrating for them why a tiered approach to cybersecurity may be more effective than blanket coverage for all. The budget cannot grow and shrink depending on whether the company recently suffered a system intrusion.
A new posture for cybersecurity in a networked world
Until recently, financial firms and governments were the primary targets of cyberattacks. Today, with every company connecting more and more of its business to the Internet, the threat is universal. Consider the havoc wreaked by four recent events. From 2011 to 2014, energy companies in Canada, Europe, and the United States were attacked by the cyberespionage group Dragonfly. In May 2017, WannaCry ransomware held hostage public and private organizations in telecommunications, healthcare, and logistics. Also in 2017, NotPetya, which spread as ransomware, attacked major European companies in a wide variety of industries. And in 2018, the disclosure of Meltdown and Spectre showed that serious vulnerabilities exist not just in software but in hardware as well.
Little wonder, then, that risk managers now consider cyberrisk to be the biggest threat to their business. According to a recent McKinsey survey, 75 percent of experts consider cybersecurity to be a top priority. That’s true even of industries like banking and automotive, which one might think would be preoccupied with other enormous risks that have emerged in recent years. But while awareness is building, so is confusion.
Executives are overwhelmed by the challenge. Only 16 percent say their companies are well prepared to deal with cyberrisk. The threat is only getting worse, as growth in most industries depends on new technology, such as artificial intelligence, advanced analytics, and the Internet of Things (IoT), that will bring all kinds of benefits but also expose companies and their customers to new kinds of cyberrisk, arriving in new ways.
Our experience working to protect some of the world’s largest and most sophisticated companies, and our proprietary research, have revealed three broad mandates that can help organizations transform their cybersecurity efforts.