The increasing adoption of hybrid cloud – a mix of public cloud services and privately owned data centers, already in place for 70 percent of companies on a global level – is giving rise to new security challenges and prompting CISOs to adopt different technologies to fight zero-day exploits, advanced persistent threats, and other devastating types of cybercrime.
Both IT C-suite decision-makers and boards are increasingly concerned about security, not only due to the cost of a breach, but also because the company’s future is at stake when the most valuable data is exposed. Almost 90 percent of boards view cybersecurity as a serious risk management issue with the understanding there could be severe reputational and financial consequences.
According to a recent Bitdefender survey, security concerns and issues have reached the board level in the overwhelming majority of large companies from France (95 percent), Italy (94 percent), Germany (91 percent) and the United States (90 percent). Lower, yet still good, numbers have been reported in Sweden (85 percent), the United Kingdom (81 percent) and Denmark (74 percent).
As evidenced by previous research, the rising pressure of cyber breaches and Blitzkrieg attacks has prompted CEOs to consider CIOs and CISOs as some of the most important C-level managers. Today, 34 percent of U.S. IT execs feel their job is more important than ever before, and another 30 percent admit their job has completely changed in recent years. Even though nine in 10 IT decision-makers perceive IT security as a top priority for their companies, they think the budgets need to increase by 34 percent to deliver efficient IT security policies.
But how can CISOs persuade boards and the C-level suite to increase security spending or buy competitive security solutions?
Unlike other acquisitions, security cannot be put off until next quarter, nor can it be fragmented. Boards need to be made aware that security must be unified from the start; it allows for better contextual threat intelligence data, and it’s probably less expensive in the long run to get the entire package instead of adding modules or integrating new solutions along the way.
When articulating security risks, C-level managers often respond better to the business impact of those risks than to technical details about zero-day vulnerabilities, advanced persistent threats and patch management. It’s also critical to keep in mind what is considered the most valuable data when approaching boards so you are prepared to offer solutions that will resonate. Companies mostly fear losing information about their customers (51 percent), followed by financial information (44 percent), information about certain employees (33 percent), research about new products (37 percent), product info and specifications (30 percent), intellectual property (27 percent), and research about the competition (18 percent).
Reminding the CEO that any security issue or infrastructure downtime has a directly proportional financial outcome in dropped stocks, lost customers, or even lawsuits can sometimes help build the business case needed to be heard. Bitdefender’s survey points out that 75 percent of U.S. CISOs state the worst consequences of an attacker gaining access to their companies’ most valuable asset would be the financial cost and reputational damage. However, more than a third (35 percent) say the financial cost could lead to bankruptcy. Even if it sounds alarming, loss of life – mentioned by 18 percent of the U.S. respondents – is a severe yet real consequence of an APT. Targeted attacks could also aim at critical national or transnational infrastructures (e.g., nuclear power plants, national energy grids, urban water supplies, transportation management systems, traffic controller systems, hospitals and other healthcare facilities). In a modern environment where automation has become a reality, targeted attacks can practically paralyze countries and, unfortunately, lead to human casualties.
It should be emphasized to boards that security must be unified from the start; it allows for better contextual threat intelligence data and it’s probably less expensive in the long run to get the entire system instead of adding modules or integrating new solutions along the way.
Focusing on implications and cost-versus-benefit ratios is also helpful as long as you throw in numbers and statistics to back up your claims. Reminding the board that any security issue or infrastructure downtime has a directly proportional financial outcome in dropped stocks, lost customers, or even lawsuits can sometimes help build your case.