Cyber Tactics / Cyber Security News / Columns

Why Cybersecurity is a Business Necessity

For well over a decade, CEOs have been relegating the operational, legal, reputational and competitive risks associated with cybersecurity to those responsible for Information Technology.

For well over a decade, CEOs have been relegating the operational, legal, reputational and competitive risks associated with cybersecurity to those responsible for Information Technology. Yet, as the recent onslaught of intrusions against retailers confirms, cybersecurity is an enterprise risk management issue that extends beyond the combined efforts of the Chief Information Officer, the Chief Technology Officer, the Chief Security Officer and the Chief Information Security Officer. Cybersecurity is the unsung linchpin of every company that has grown increasingly dependent upon vulnerable technologies, whether to communicate, to store sensitive data, or to manufacture and deliver its products and services. 

Unfortunately, the pervasive attitude that cybersecurity is an IT problem rather than a C-Suite whole-of-enterprise concern likely stems from the top. As the National Association of Corporate Directors recently observed, a lack of cyber expertise on corporate boards presents a real and urgent threat to oversight. Inexplicably though, the NACD also found that “a demand for IT experience generally has not surfaced in director recruitment.” That needs to change. Simply put, thinking of cybersecurity as an IT issue is similar to believing that a company’s entire workforce, from the CEO down, is just one big HR issue.  


What is Cyber Risk?

Businesses need look no further than to guidance published by the Securities Exchange Commission to understand how cybersecurity failings can impact stakeholder value across a broad array of corporate interests. As stated by the SEC, companies that suffer from a significant cyber incident often face one or more of the following material harms:

  • Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused;
  • Increased cybersecurity protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees and engaging third party experts and consultants;
  • Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
  • Litigation; and
  • Reputational damage adversely affecting customer or investor confidence.

To ensure registered companies disclose meaningful information about those “risks and events” that a reasonable investor would consider important, the SEC wrote that corporate filings may be required to address cyber issues under a number of sections, to include Risk Factors, Management’s Discussion and Analysis, Description of Business and Legal Proceedings.  The SEC warned against generic “boilerplate” disclosures and, in 2012, began sending letters to companies that, according to news accounts, suffered major breaches.  


What is the Legal Landscape? 

Many, including myself, consider corporate victims of computer intrusions to be, first and foremost, victims. Still, class action lawyers are presenting legal theories of liability that include negligence, breach of contract, breach of fiduciary duty, invasion of privacy, waste and conversion, infliction of emotional distress and unjust enrichment. 

On occasion, the government has taken a similar approach against corporate cyber victims.  The Federal Trade Commission, often with encouragement from members of Congress, has investigated dozens if not hundreds of companies that have suffered data breaches. The FTC asserts that it has jurisdiction to decide whether a company’s privacy statements and terms of service are objectively or subjectively unfair or deceptive.  Although the FTC has not published any rules on the subject, it has brought charges against companies for failing to have “reasonable and appropriate” procedures for handling personal information or “sufficient measures” to prevent, detect and investigate unauthorized access to computer networks.  

Meanwhile, State Attorneys General are filing civil cases against corporate victims under both federal and state laws, including when a company “unreasonably” delays consumer breach notification. In short, adding to the operational and reputational risks associated with a computer intrusion, the risk of litigation is considerable.



Entirely eliminating the risk of a computer incident is impossible. Therefore, the best that corporate leadership can do is to identify and prioritize the most important company data and systems, and then ensure meaningful oversight of the technical, administrative and physical controls being used to prevent (or quickly recover from) an incident. It is well passed time to take cybersecurity issues out of server rooms and into corporate executive wings and boardrooms. 


About the Columnist:  Steven Chabinsky is General Counsel and Chief Risk Officer for CrowdStrike, a big-data cybersecurity technology firm that specializes in continuous threat monitoring, intelligence reporting, cybersecurity assessments, and incident response.  He previously served as Deputy Assistant Director of the FBI’s Cyber Division. 

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Steven Chabinsky

You must login or register in order to post a comment.



Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.


Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

Security May 2015 Issue cover

2015 May

In the May 2015 issue of Security, learn how to be the bridge between busieness and security with "customer facing," how to effectively work with your CFO, and covert security.

Table Of Contents Subscribe

Body Cameras on Security Officers

Body cameras are being used increasingly by police in cities across the U.S. Will you arm your security officers with a body camera?
View Results Poll Archive


Effective Security Management, 5th Edition.jpg
Effective Security Management, 5th Edition

 Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics. 

More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.


Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.