Cybersecurity: What's Really Keeping Your Clients Up at Night?
Cybersecurity breaches pose the third largest threat to organizations today, according to a recent global survey of C-suite executives by the consulting firm Protiviti. Two years ago, cybersecurity ranked seventh on the list of top threats. PwC estimates that there were 42.8 million breaches worldwide during 2014, a 48% increase compared to 2013. The speed and sophistication of these breaches have surprised the business world, with high-profile casualties including Sony, Target, and JP Morgan. In many instances, organizations have more comprehensive insurance for fires, floods and ice storms than they do for cybersecurity breaches and data attacks.
While North Korea’s hacking of Sony and Iran’s hacking of American billionaire Sheldon Adelson have gathered headlines, it is incorrect to assume that this issue only affects large organizations or that it only happens in the United States. Hackers do this for many different reasons, whether financial, ethical, political, for the prestige of breaking into a high-profile website or database, or simply for entertainment. Similarly, hackers can be external or, in the case of the NSA, internal.
Anthony Batchelor, Partner at Odgers Berndtson, explains that “information security is moving from the boardroom to the bedroom. In Canada we keep hearing about situations where people have their personal information hacked and are asked to pay a ransom.” Batchelor says that many of these incidents go unreported for a long time, as individuals are too scared or embarrassed to approach the necessary authorities. Any organization that holds data about its clients has an obligation to keep that information safe, to protect its customers and its reputation.
Risks have risen exponentially
Technology has facilitated giant leaps in innovation, akin to the industrial revolution, and trends in software as a service and cloud computing have enabled organizations to cut costs and drive efficiency. But the price we pay for this more interconnected world is greater instability, as Graham Willis, managing partner at Watermark Search International, explains. “The growth of big data sets and the technologies to interrogate this data means that the risks associated with third party illegal access have risen exponentially.” During the AESC’s recent Global Conference, panelist Stephen Ward, chief information security officer at TIAA-CREF, explained that the role of a CISO has changed dramatically in recent years, to handle the greater data insecurity and the growing corporate concern. “Five years ago we were scrapping for a $5 million budget. Now we’re given hundreds of millions,” he said.
Cybersecurity is no longer just about compliance with regulators, although in heavily regulated sectors like financial services this is still a factor. “We’re seeing a tremendous amount of variation from company to company,” says Matt Aiello, partner at Heidrick & Struggles. The requirements of the role depend on an organization’s products: a consumer technology brand may search for a CISO with a software engineering background to shore up customer-facing products, a financial services firm may look for someone with a government security background in the NSA, CIA, or GCHQ, while healthcare organizations may search for white collar “ethical” hackers to build defenses.
“This is such a fast moving topic that I don’t think we’ve landed on what the perfect CISO looks like,” Batchelor says. “That’s why creating this function hasn’t taken off in companies as quickly as people thought it would. The smarter companies will look at the composition of their board and have an information security board member who will interact with the CISO. You need someone waking up and thinking about information security from a strategic level, as well as someone from a tactical level.” This can be seen in the cases of Kris Lovejoy at IBM and Pat Reidy at CSC, both of whom have made the step up from CISOs to a more strategic cybersecurity position that is further embedded with the rest of the business. By adding a layer of cybersecurity expertise above the CISO – either at the board level or overseeing a function that encompasses physical security, risk and compliance, for example – there will be greater consistency between organizations, greater professionalism from the cybersecurity experts, and more strategic thinking around the trade-offs of security and enterprise.