Four Lessons on the Cybersecurity Landscape from Summit Experts
10/28/2021
During NACD Summit 2021 earlier this month, I had the pleasure of participating in a cybersecurity expert panel discussion. Given the ongoing headlines about cyberbreaches, elevated ransomware, and new regulations, it should be no surprise that this discussion sparked a lot of engagement.
The panel comprised Robin Bienfait, CEO of Emnovate and founder of Atlanta Tech Park; Robert Kress, managing director at Accenture Security; and Jerry Perullo, chief information security officer (CISO) at Intercontinental Exchange. In case you missed the session, or are simply looking to learn more about the current cybersecurity landscape, below is a recap of some of the key points we discussed.
While information technology (IT) security budgets are increasing, confidence in security seems to be decreasing. PwC recently reported that 69 percent of organizations are expecting to increase cybersecurity budgets in 2022, with about one-quarter expecting an increase of 10 percent or more. Meanwhile, according to research by EY, just 9 percent of boards are extremely confident in their organizations’ security and mitigation programs, while 77 percent of respondents to the survey have seen an increase in attacks over the last 12 months.
With the increase in spending and decrease in confidence, one of the most common questions I’m asked by executives and risk practitioners is how organizations can best measure the performance of their cybersecurity programs. From a practical perspective, cyber-risk quantification—quantifying the financial impact of cyber threats—can help with that. But it is also worth understanding cybersecurity landscape trends because the performance of your cybersecurity program relies on them.
On that note, several factors are compounding the challenges that security professionals face in an already asymmetric cyber landscape. For instance, organizations are becoming increasingly digitalized to support their business goals, and every new system, integration, or remote connection widens the attack surface available to threat actors. Those threat actors are taking advantage of the growing landscape and are constantly scanning organizations for exposed, unpatched, or newly disclosed vulnerabilities, often finding them before the organization knows about them itself. They also operate as an ecosystem, sharing information about targets and techniques among themselves. Blind and adversarial testing with red teams can provide valuable insight into how attackers view your organization, but your security team will need sustained resources to execute this on an ongoing basis rather than as a one-off exercise.
The key point here is that while some executives may question the increased budgets and dwindling confidence, it’s important to recognize that the cybersecurity landscape is in a constant state of flux and that it is largely impacted by how businesses evolve. For example, as noted above, digital transformation and working from home evolved the threat landscape by adding new vulnerabilities to the mix. Recognizing the interconnected relationship between your business and security strategies is a critical step to engaging in more productive security discussions and providing security teams with the support they need.
Since digitalization isn't going away, there are some things you can do to reduce your exposure. For instance, before you make the transition to the cloud, evaluate the drivers behind the move and whether you have a plan for what gets moved and for mitigating the resulting risk. As a board member, ask whether your organization's security will be as effective after the move as the defense you had in place before it. In other words, ask whether moving to the cloud will create more or new risks, and whether you are prepared to mitigate them. The answers are a good way to evaluate whether the transition is worth the risk.
In addition, make sure your IT and security departments know who your cloud providers are. They can vary, from hosting providers such as Microsoft Azure and Amazon Web Services to software-as-a-service (SaaS) providers such as Salesforce. All of these environments need to be monitored, and your security team should be appropriately involved in onboarding and tracking each one. Finally, having a cloud-agnostic environment, in which you have multiple cloud providers in place in case one goes down, can increase your resilience to outages and attacks; bear in mind that each additional provider is also one more environment your team must configure, monitor, and secure.
New regulations and disclosure policies present opportunities for boards to learn and engage. Take the executive order on improving the nation's cybersecurity that President Joseph R. Biden Jr. issued in May (Executive Order 14028). It illustrates that the government expects organizations to be more proactive in disclosing and sharing cybersecurity information and to implement more rigorous measures to increase software supply chain security. These requirements not only will have ripple effects across organizations and industries but also reflect many of the ongoing challenges the private sector has been facing.
So, increased requirements on disclosure could be a good thing. For instance, supply chain risk and third-party risk continue to concern the majority of organizations. In fact, only 35 percent of CISOs believe their third parties would disclose a breach in an adequate period of time. If disclosure requirements can be normalized for the private sector, the result will be better data on risk and response scenarios.
Ultimately, as panelist Jerry Perullo pointed out, many of the new regulatory requirements are around disclosure and recovery, so try not to get bogged down by metrics when talking to your CISO. Instead, reach alignment on your business objectives, primary threat and vulnerability concerns, detection and remediation capabilities, and recovery plans.
While these are just a few points discussed during the Summit session, they illustrate the variety of factors at play in the cybersecurity landscape and how many of these are inherently linked to how business is done today. While it is true that many of the digital practices businesses adopt create new risks, they also enable businesses to achieve more.
Therefore, when you think about cybersecurity return on investment, think beyond prevention and consider how well your security practices enable your business to achieve its objectives while cost-effectively managing the corresponding cyber risks to an acceptable level.
Derek Vadala is senior vice president, head of risk at BitSight, where he leads a team that is focused on creating an automated cyber-risk quantification solution that enables chief information security officers to better communicate cyber risk to boards of directors and senior business executives by translating cyber risk into financial terms. Before joining BitSight, Mr. Vadala was the CEO and founder of VisibleRisk, a joint venture between Moody’s Corp. and Team8, which was acquired by BitSight in 2021. Prior to that, Mr. Vadala was the global head of cyber risk for Moody’s Investors Service, responsible for developing capabilities for evaluating cyber risk and incorporating those capabilities into credit analysis. Mr. Vadala also previously served as the chief information security officer for Moody’s Corp., where he was responsible for global information risk and security across Moody’s businesses worldwide, from 2013 to 2018.