The role of the C-Suite in security and risk management

The COVID-19 pandemic has unquestionably accelerated – some say exponentially – the need for digital business transformation. Just over a year ago, the World Health Organisation declared COVID-19 a global pandemic.

The subsequent scramble to get staff off-site to remote locations while digitally and securely supporting their ability to continue with business as usual has been demanding.

Chief information officers (CIOs) and chief information security officers (CISOs) are usually regarded as the security and risk leaders of today's corporations, but they face critical challenges.

These include complex geopolitical issues and increasing global regulatory and compliance demands. They also include the migration of workspaces and workloads off traditional networks, accompanied by an explosion in the diversity and location of endpoints. Add to the foregoing a shifting threat landscape, and specifically the challenges of ransomware and business e-mail compromise, and you are left with both a logistics and a security nightmare.

The 2021 Gartner CIO Agenda Survey revealed that 64% of employees can now work from home. The research also indicates that at least 30-40% will continue to work from home post-COVID-19.

The research company notes that, for many businesses, this shift requires a total reboot of policies and security tools to suit the modern remote workspace. Gartner stresses that security and risk management leaders must manage emerging trends in order to securely enable rapid reinvention in their organisations, as COVID-19 accelerates digital business transformation and challenges traditional cyber security practices.

However broad the shoulders that carry such a heavy burden, it is increasingly apparent that if businesses are to overcome these hurdles, these responsibilities cannot rest solely with CIOs/CISOs but must instead be shared throughout the C-Suite leadership.

Alongside the IT team, the C-Suite is among the first responders when an attack occurs, and cyber security should therefore be one of its top priorities.

When it comes to cyber crime and cyber security awareness, the entire organisation must be on board with programmes introduced to address this growing menace.

Financial impact of cyber crime in 2021

Let’s put an economic perspective on this issue. According to Cybersecurity Ventures, cyber crime is expected to inflict damages in the region of $6 trillion globally in 2021. The report states that if cyber crime were to be measured as a country, it would be the world’s third-largest economy after the US and China.

Cybersecurity Ventures expects global cyber crime costs to grow by 15% per year over the next five years, reaching $10.5 trillion annually by 2025, up from $3 trillion in 2015. It adds this represents the most significant transfer of economic wealth in history, risks the incentives for innovation and investment, is exponentially larger than the damage inflicted from natural disasters in a year, and will be more profitable than the global trade of all major illegal drugs combined.

The same research notes that within months of the first lockdown due to the pandemic, more than 4 000 malicious COVID-related sites popped up across the Internet. This report also predicts that a cyber attack incident will occur every 11 seconds in 2021. That is nearly twice the rate in 2019 (every 19 seconds) and four times what it was in 2016 (every 40 seconds).

Ransomware is recognised as the most rapidly growing type of cyber crime and, at a predicted $20 billion, is expected to cost 57 times more than it did in 2015 ($325 million). Moreover, research indicates that 91% of cyber attacks are launched through spear-phishing e-mails, which are also the most common delivery route for ransomware.

All the preceding reflects the global impact. At the level of the individual organisation, as threats become increasingly sophisticated and data breaches hit the bottom line, company reputations flounder, customer loyalty is lost and investment outlooks are damaged – sometimes irreparably.

Where does the buck stop?

The answer is: with leadership – the C-Suite. Customers unquestionably hold firms and their management responsible whenever a data breach compromises their personal information, such as credit card details.

The Protection of Personal Information Act (POPIA), enacted in 2013 but only in full effect from 1 July this year, establishes the minimum conditions with which South African companies must comply when processing personal information. It also requires that the Information Regulator and the affected data subjects be notified as soon as reasonably possible after a breach, so that those affected can take the necessary precautions.

Therefore, investors, customers and suppliers increasingly question the C-Suite whenever an attack devalues a business, with ensuing public scrutiny of its leadership failings.

In Gartner’s 2021 Board of Directors Survey, directors rated cyber security the second-highest source of risk for the enterprise after regulatory compliance.

Large enterprises are now beginning to create a dedicated cyber security committee at board level, led by a board member with security expertise or by a third-party consultant.

Gartner further predicts that by 2025, 40% of boards of directors will have a dedicated cyber security committee overseen by a qualified board member, up from less than 10% today.

In my next article in this series, I will outline the steps that C-Suite executives can take to protect their organisations and reduce the risk of cyber attacks.
