As technology advances, so does the wide world of cyberattacks, meaning that those in charge of modern businesses must become more aware and more involved in cybersecurity. Not only that, but business leaders must realise that preventing breaches and attacks is just as important as detecting them when they occur.
Cybersecurity Awareness month gives us a chance to reach out to company CEOs and delve into the consequences of attacks, necessary defences, and the power of cyber hygiene. While it is true that many CEOs already have an understanding of the above, few are able to make cybersecurity a personal priority within their company.
A CISO (Chief Information Security Officer) is employed by the CEO to maintain the infrastructure of the company's IT systems and keep cyberattacks at bay. Employing a specific role for this task allows the CEO to delegate and make time for necessary cybersecurity measures and practices. However, there are risks, such as choosing and committing to a sub-par defensive strategy.
Many CISOs have chosen to invest heavily in endpoint protection and threat detection in recent years, with the detection market having risen by 548% since 2015. However, despite these investments, breaches have increased and cybercriminals have become even more efficient at pulling off successful attacks.
Therefore, CEOs should be extremely concerned with the increased attack speed and financial/reputational damage caused by these breaches. We recommend that CEOs set up brand-new cybersecurity directions for their companies, with an emphasis on cost-efficient and effective cyber risk mitigation.
Cybersecurity is about finding a financial balance that makes sense for your business while also keeping you safe. That means working out the cost of a potential breach versus the cost of the security needed to prevent it from happening. However, to do this, a CEO must evaluate any and all risks that come with that breach, including the risk to reputation.
The immediate cost of a breach is the initial disruption to day-to-day business. If a company is forced to shut down for a period of time, whether it be hours, days, or weeks, it costs money. Then comes the impact on customers and the potential legal cases if customer information is breached, as well as HIPAA and GDPR liabilities. Finally, the word "breach" alone does brand image and reputation a great deal of harm.
Despite the CISO role being common practice in business these days, 2019 figures showed that it still took $8.94 million and 245 days, on average, to detect and deal with a breach. So, the question is, why does cybersecurity seem to be regressing?
Perhaps this is down to the sad truth that cyberattacks are now viewed as inevitable, meaning that companies prepare for when they get breached, not if they get breached. Therefore, the emphasis is on dealing with the fallout, rather than preventing it from happening in the first place. Unfortunately, this emphasis has arguably only provided an oversupply of underperforming detection tools.
The truth is that these shortcomings should not come as a surprise to CEOs. Strategies based purely on dealing with cyberattacks after they have already occurred are doomed to fail. While CISOs will argue that containing an attack is more important than the impossibility of preventing it, investing in detection software only serves as a distraction from the truth: it does little to improve cybersecurity.
In these cases, it is the duty of the CEO to intervene as companies are spending more on cybersecurity without actually reducing risk or reaping any kind of reward. It’s just bad business.
What is the solution? – A proactive defence strategy.
This comes from the top down. CEOs should be asking for regular cybersecurity reports with an emphasis on the proactive measures being put in place. If the numbers are low, CEOs must ask their CISOs what is being done to actually prevent a breach from occurring in the first place. CISOs may argue that certain tools have prevention capabilities built in; however, this is often untrue.
CEOs should urge their CISOs to invest in new technology designed specifically to prevent attacks, such as moving target defence, which is designed to stay one step ahead of cybercriminals by remaining unpredictable. They should also make the point that sticking with the big-name vendors and being reluctant to take risks can make a company averse to positive change; the fact is that start-ups are driving innovation. No matter what happens within the company, the blame starts and ends with the CEO. The responsibility sits firmly on their shoulders, whether or not they have a CISO in place. Therefore, being proactive at least gives you a fighting chance in the long term. Investing in prevention is far more proactive than simply waiting for an attack to happen.