In its 2018 Global Risks report, the World Economic Forum listed cyberattacks as one of the future’s biggest threats. The risk is particularly real for businesses, which hold the vast majority of the data stored on private servers around the world. It’s no overstatement that the world needs businesses with strong cybersecurity now more than ever.
But we still have a long way to go. While cybersecurity breaches are nothing new for companies, what’s changing is the scope of their impact. According to Accenture’s 2017 Cost of Cybercrime study, the average annual cost of cybersecurity breaches for organizations is now at $11.7 million, and the average annual number of breaches increased 27.4% from 2016 to 2017. Several high-profile breaches of major companies have made the news over the past few years, exposing how even the biggest organizations are ill-prepared to deal with threats.
Cybersecurity breaches are often caused by individual employee errors or technical failures. But each one also points to larger, more systemic issues within organizations. This is why guarding against cybersecurity breaches is also the responsibility of corporate executives and boards, not just individuals.
Still, not all corporate leadership is equipped to understand their organizations’ vulnerability to cybersecurity breaches. This is true even in firms that have dedicated cybersecurity teams led by chief information security officers (CISOs). While these leaders deal with the daily operational realities of cybersecurity, they struggle to rally other executives around their cause. But that situation is untenable. CISOs and their teams cannot work in isolation; they need strategic backing from the rest of their organizations. Here’s how CISOs can secure that buy-in.
Clear communication is key to helping management get serious about cybersecurity
Executives often struggle to understand cybersecurity concerns because those concerns aren’t communicated to them in a way they can easily understand. This is in part because CISOs rely on data and technical jargon that non-technical executives often struggle to parse. One way to address this disconnect is to present cybersecurity in the context of the larger risk management picture, which is already a key part of CEOs’ jobs.
CISOs can present technical information to CEOs by asking, and answering, questions such as:
- What are the threats to our most important lines of business and how are they changing?
- What are we doing and how effective is it?
- What are we doing to manage the risks of our business initiatives?
Why every cybersecurity chief should speak the language of business
CISOs can take this a step further and frame their communication about cybersecurity threats in the context of their potential business impact. This can go a long way toward demystifying cybersecurity operations for management and the board. CISOs can explain the business value of cybersecurity initiatives by:
- Drawing a clearer connection between cybersecurity metrics and their business impact: For example, replace “metrics of encryption” with “metrics of protecting customer data.”
- Explaining what those metrics reveal in financial terms: Answer questions such as “can the business protect online customers?” and “can we safeguard our most important assets?”
Every organization needs a defined, practiced response to security breaches
CISOs have many tools and tactics at their disposal to help their organizations hone their ability to respond to cybersecurity threats. These include crisis drills and simulations, but also less formal tabletop exercises. Accenture’s research shows that only one third of organizations practice cyberattack scenarios. Even among organizations that do conduct these drills, top executives and boards of directors are usually exempt from them.
Threat response exercises, when done well, can effectively convey the consequences of being unprepared and help all stakeholders understand a crisis scenario in a controlled environment. CISOs can achieve this by:
- Involving the board, executive, and management levels in extensive crisis drills, simulations, and tabletop exercises.
- Creating crisis management playbooks that can help contain chaos in the wake of a crisis.
- Promoting “cyber literacy” at the highest levels by educating the CEO and board on cybersecurity basics, technology, and legal risks.
Once CEOs are properly educated, they can extend their understanding to their organizations by implementing cybersecurity training programs for new and existing employees. A risk-aware environment will facilitate the early detection and reporting of threats. CEOs need to create a work culture in which every employee is sensitive to the cybersecurity implications of their actions.
Having a CEO and board that are well-educated on cybersecurity threats is essential to creating businesses equipped to fight them. Accenture helps companies understand and manage their cybersecurity risks via a dynamic cybersecurity scenario with perspectives from thought leaders and cybersecurity experts.
This article was produced for Accenture by Quartz Creative and not by the Quartz editorial staff.