According to a recent study by the Ponemon Institute, the average cost of a successful cyberattack is over $5 million, or $301 per employee. This figure is large, but it doesn’t yet tell the full story, as the reputational damage that can occur from a cyber-breach can and often will far exceed the direct impact on revenue. Consider that Equifax’s recent breach cut $4 billion off its stock market value. Such catastrophic blows to stock value and revenue are even more alarming when viewed in light of another Ponemon study finding that over 54% of organizations had experienced one or more successful cyberattacks in 2017.
Today’s common wisdom when it comes to cybersecurity is that it’s not if but when your organization will be infiltrated. We might assume, then, that cybersecurity would be a top concern for all C-level execs in major organizations today.
However, this is not the case. In our recent report here at Cognizant’s Center for the Future of Work, “Securing the Digital Future,” we found that for 45% of senior execs, cybersecurity is purely an IT initiative and that only 9% view it as a top priority of the board. This is staggering considering the cost and reputational consequences of a cyber-breach.
A recent study by Harvard Business School provides insight into why this is the case. Typically, most corporate boards lack the processes and expertise required to adequately deal with, evaluate and remediate cyber-threats. They suffer from:
- Inadequate process: The majority of boards are well equipped to deal with financial planning, compliance and growth strategy. Cybersecurity, on the other hand, is lower down in the pecking order. According to the study, directors ranked the effectiveness of their cybersecurity-related processes dead last out of 23 processes surveyed.
- Lack of expertise: The reason boards do not make cybersecurity a priority and fail to instill processes around the issue comes down to a lack of expertise, which is directly related to the increased complexity in the industry, subject matter, attack vectors and types of adversaries. A large proportion of boards at companies in the Financial Times Stock Exchange (FTSE) 100, for example, consist of financially trained members who are not skilled in dealing with and installing cybersecurity processes.
In our study, an alarming 58% of respondents stated that their IT infrastructure and IT security strategies were not integrated. Given that these two should go hand-in-hand, this is a noteworthy result. Boards, therefore, need to address the current cybersecurity knowledge gap by procuring adequate expertise. Board involvement in ensuring IT and cybersecurity integration needs to be step one for organizations in their efforts to build appropriate cyber-defenses.
In addition to upskilling board members, organizations also need to prioritize an executive-sponsored security objective. In one large organization, the CEO highlighted the issue of cybersecurity by getting involved directly with senior security executives in making decisions, while other organizations have placed divisional chief information security officers (CISO) in business units, pairing them with senior executives in these roles. By making cybersecurity a core value proposition of the organization, it becomes a key component of all board-level decision making and, therefore, automatically filters into other board objectives. For companies that do this, cybersecurity will become a business opportunity by creating end-to-end customer experiences that are both convenient and secure.
Boards of directors, therefore, must step forward to take a full leadership position on cybersecurity; this will require board members to more fully immerse themselves in the business and technology issues at stake to ask tougher questions of senior executive leadership teams. Equifax’s multibillion loss of market capitalization should be all the evidence needed for board members to realize that their fiduciary responsibility very much includes ensuring that every possible step – and then some – is taken to maintain a best-in-class security posture.