
Cyber risk is a business risk

By Rob Gurzeev
March 20, 2023

The line between business risk and cyber risk is being obliterated. Increasingly, risk models built around financial uncertainty and legal liabilities can’t be separated from IT security risk. For Risk Management Officers, that translates to keeping the company Chief Security Officer (CSO) on speed dial.

Cyber risk as business risk isn’t new. For example, cybersecurity compliance — be it regulatory or industry specific — has long been a reality for organizations. But trends tied to a new post-pandemic reality for employees and businesses will accelerate the blurring of cyber and business risk lines.

Those trends include the pace of globalization, heavy reliance on supply chains, new adversarial tactics and geopolitical targets, cloud dependencies, an economic downturn and the slow migration of employees back to the office. The list is long, but the confluence is forcing organizations to look beyond traditional definitions of risk exposure, assessment, mitigation and monitoring.

Meanwhile, C-level security and risk leaders are taking a fresh look at cybersecurity liabilities as regulators take a more aggressive stance against companies that they believe are being negligent when it comes to breaches. There are even instances where a CSO has faced criminal charges tied indirectly to a breach.

Dozens more 2022 breach examples have caught the attention of regulators and class-action attorneys. Financial penalties paid over the past year serve as harbingers of choppy waters ahead for companies that fail to properly safeguard the private information of their customers, resulting in a cyberattack and a data breach.

Arguably, each of these firms misgauged or couldn’t identify risk in their attack surface pre-attack and then wrongly assessed additional risks tied to the post-attack “what-if” scenarios.

Cyber defenses need to address compliance, architecture and post-breach scenarios. But that can’t be all they do. They also need to focus on preventing the cyberattack in the first place. This requires more emphasis on the “attacker’s perspective” of identifying and mitigating external attack surface security blind and weak spots.

The business imperative is always “don’t be breached”; however, there is no such thing as operating a business without operational risk, and that includes breaches. That risk can translate to dollars and cents. The average cost of a data breach in 2022 was $9.4 million in the United States, according to a data breach report by the Ponemon Institute.

No return to ‘normal’ post pandemic

In addition, employers are grappling with a post-pandemic whiplash of employees slowly returning to offices, coupled with the Great Resignation of 2022, which is now sliding into what is being called the Great Reset of 2023. This trend is tied to corporate belt tightening related to shifting macroeconomic conditions.

Underlying conditions will likely push IT operations teams to rejigger their IT stacks. Organizations will continue to upgrade and change infrastructure. They will move away from any hastily built pandemic-driven solutions and, instead, will likely prioritize creating more sustainable, affordable and easier-to-manage systems.

However, such changes introduce risk. As internal IT restructuring plays out over coming months, security teams will be forced to juggle supporting an old platform and bringing a new one online at the same time. Managing this switch creates massive risk as even the smallest misconfiguration or overlooked asset can leave holes in a company’s external attack surface and risk profile.

Adding to those adjustments is how organizations get their arms around an external attack surface that has been forever changed by the past three years of the pandemic. Gartner’s advice given in 2021 is still relevant today to risk stakeholders: “Operational support for cloud offerings will need to be maintained while working remotely or with less staff and supply chains will be affected by short supplies due to manufacturing facilities being based in China and other areas impacted by current events.”

Third-party cybersecurity risk may be defined as an organization's reliance on vendors in their supply chain and any partner or subsidiary, including IT service providers, cloud environments and Software as a Service (SaaS) applications. Third-party risk is also posed by downstream and upstream vendors that work with the partners and subsidiaries of the organization.

External forces pose new risk landscape

Globalization is making the world a riskier place, asserts Secretary of Homeland Security Alejandro Mayorkas. In a speech given in December 2022, he said the U.S. faces a “new kind of warfare,” one that makes no distinction between private and public organizations.

“Economic and political instability and our globalized economy have erased borders and increasingly bring threats and challenges directly into our communities — to our schools, hospitals, small businesses, local governments and critical infrastructure,” he said.

Examples include a suspected Russian-backed cyberattack against U.S. satellite firm Viasat early in the Ukraine war and, more recently, the theft of at least $20 million in COVID relief benefits by Chinese-linked hackers APT41.

Responding to this riskier geopolitical pressure has been a wave of new federal and private regulations around risk identification, risk analysis and assessment, and risk mitigation and monitoring.

This past year, the Cybersecurity and Infrastructure Security Agency (CISA) issued the Binding Operational Directive (BOD) 23-01, which mandates that federal agencies identify assets in their attack surface and improve vulnerability detection and remediation capabilities by April 3, 2023.

It goes well beyond this and requires an automated asset discovery (within an organization’s entire IPv4 space) every seven days. Agencies are also required to run a vulnerability assessment for all endpoints and network and mobile devices every 14 days.

Industry standards tied to cybersecurity compliance, such as SOX, HIPAA, HITRUST, PCI and CIS, have each recently revised guidelines addressing the newest healthcare-related cyber threats that are keeping security teams on their toes. However, while compliance is important, it’s not enough.

If you cannot manage your risk, you cannot thrive. Cybersecurity risk management is a component of IT risk management where a cybersecurity lens is placed on the IT infrastructure.

Shifting focus

The threats that keep Chief Executive Officers (CEOs) up at night are those that will have a material impact on their business, according to a 2022 PwC survey of CEOs. In the survey, CEOs shared with PwC that they are most concerned about cyber risks (49%). “CEOs are most worried about the potential for a cyberattack or macroeconomic shock to undermine the achievement of their company’s financial goals — the same goals that most executive compensation packages are still tied to,” PwC found.

That focus on critical business activities is a priority that begs the questions: What’s likely to be attacked and why, what exploits might an attacker use to strike and what effect will it have on business continuity? Addressing business risk requires identifying cyber risk. Moving business leaders to the center of the cybersecurity conversation is about good digital stewardship, business leadership and staying out of the red.

KEYWORDS: business CSO cybersecurity IT pandemic response risk and resilience

Rob Gurzeev, CEO and Co-Founder of CyCognito, has led the development of offensive security solutions for both the private sector and intelligence agencies.
