Is it time the Chief Cyber Security Officer got a seat at the board room table?

$6 trillion. That’s $6,000,000,000,000. Every year. That’s what cybercrime is forecast to cost the world annually by 2021. Paul Holland, Partner at Signium Ireland, discusses the important role of an organization’s Chief Cybersecurity Officer.

In the aftermath of the US Presidential election, the global profile of cybercrime has been catapulted to unprecedented heights. A new frontier has opened between the superpowers as the US begins to take steps to strike back over the alleged state sponsored hacking of the Democratic National Convention. Meanwhile, here in Ireland, we see our own Taoiseach’s name on a database of 164 million passwords for sale for this very channel (LinkedIn).

In the world of business, there are dramatic changes afoot. As the pace of the digital revolution constantly accelerates, we are increasingly reliant on digital supply chains, in a globally connected world. With multiple devices and networks and critical data stored in the cloud, the points of weakness for a company grow exponentially.

Malware is refocusing from PCs and laptops to mobile devices and the internet of things. Attacks on companies, governments, institutions and consumers have become more sophisticated. Meanwhile there has been a massive increase in ransomware – reportedly up 400% in the last year, according to a Beazley Breach Response Services review of client data breaches.

Industry analysts are anticipating 12-15% annual growth in cybersecurity spending through to 2021 and security to take an increasing share of IT budget. As a result, $1 trillion is forecast to be spent on cybersecurity in those next five years.

Cost goes beyond the initial price tag

To take the booming ransomware threat as an example, the ransom sums involved in an attack are in fact relatively trivial. However, the gross cost to a business of such an attack is far, far greater – requiring security systems to be reviewed and updated defences to be put in place.

But even that is dwarfed by the potential fallout in terms of reputation and direct loss of business from a cyberbreach. It would be interesting to know the full cost to a firm such as Ashley Madison when it was attacked and had the details of over 30 million users leaked on the dark web. If you thought that was bad, it has now been reported that over 400 million accounts on the Adult Friend Finder network have been leaked, making the Ashley Madison example look trivial by comparison. The threat can be existential.

Many need to up their cybersecurity game

What is certain is that very many companies need to up their game in this area. In a survey of IT professionals across 30 countries by RSA, the security division of IT firm EMC, it was found that one third of respondents do not have a formal incident response plan for cyberbreaches. Of those that do, 57% infrequently or never review or update it.

Whereas many consider that this area falls under the remit of a general IT team, RSA says it is critical to have a dedicated security operations staff. “Cybersecurity and information security are related but distinct disciplines,” the report explained. “Both protect information systems, but the purview of cybersecurity extends beyond networks and systems to asset classes such as strategic infrastructure. Cybersecurity is also more proactive. There are other qualifications cybersecurity professionals must possess that are not required of traditional IT executives, including an understanding of business processes, the ability to gather, analyse and act on intelligence, and a deep understanding of the entire organization.

Seat at the table?

The impact of all of this is that we must now ask the question – does the CEO in your organisation know your Chief CyberSecurity Officer? And, if not, why not? Is it now time to elevate the Chief Cybersecurity Officer to a place at the board room table?

At a time when companies seek to become more open and offer more flexible ways of doing business, the Chief Cybersecurity Officer needs to find the optimum balance between risk and responsibility – to address security while demonstrating agility.

Not an easy task. Made a lot more difficult if the person charged with it does not have full board involvement and responsibility.

Therefore, my conclusion is that it won’t be long before the Chief CyberSecurity Officer is an official member of the C-Suite of leading international businesses.

As executive search professionals, the challenge for us will be to help our clients define the key professional and personal attributes required for successful CCSO’s and help them find and develop the executive talent required to “protect” their organisations in the digital age.

*Source: Cybersecurity Ventures