
For Execs and Boards, Cybersecurity Can No Longer Be Ignored – Source: securityboulevard.com

Source: securityboulevard.com – Author: Keyfactor Team

Very few events can impact a business on so many levels as a cybersecurity incident. Disruption and downtime can cost millions in missed revenue, while fines, remediation, and reputational damage can rack up millions more in associated costs. 

Even after years of headline-grabbing cyber incidents, leadership at the executive and board levels still has trouble picturing cybersecurity as a business-critical function. 

New surveys conducted by Delinea show a stark disconnect between security experts and leaders. 

  • Only 39% of security experts believe their company’s top decision-makers have a solid understanding of cybersecurity’s role in enabling the business to flourish.
  • 36% of business leaders feel that cybersecurity is merely a compliance function.
  • 17% of business leaders don’t consider cybersecurity a business priority at all. 
  • 31% of security experts believed that making the business case for better security was a gap in their own skill set.

These two groups must evolve toward each other. C-suite leaders must know enough about cybersecurity to weave it into the greater vision of the business, while security experts must have enough business acumen to further their enterprise’s goals in the most efficient and effective ways. 

The cybersecurity stakes are rising

Security has always been important for businesses, and that’s only become more true in our increasingly digital world. But the shape of the problem has also changed, and today the stakes around cybersecurity are higher than ever. 

Government cybersecurity strategies

Around the world, governments are formulating strategies for building cyber-resilience and protecting critical infrastructure.

  • In 2020, the European Union Agency for Cybersecurity (ENISA) released its cybersecurity strategy, which outlines the key technologies necessary for establishing resilience.
  • In 2023, the Biden Administration released a high-level cybersecurity strategy that demonstrates the gravity of cybersecurity as a matter of national importance. 
  • In 2022, Vietnam launched a strategy for improving its standing in the global cybersecurity index. The plan raises public awareness around cybersecurity and establishes incident response teams for designated sectors. 
  • India plans to release a cybersecurity strategy this year that will outline ways it can grow and upskill its cybersecurity labor pool, as well as protect critical infrastructure. 

There are many others. Across the board, requirements for federal agencies are often harbingers of future regulations that will emerge in the commercial sector. For example, the SEC’s proposed rule changes for reporting cyber risk will impact the boards of public companies or the boards of those companies planning to become public.

What’s more, these strategies call for sustained collaboration between public and private entities in a bid to raise the bar for cybersecurity. This includes sharing information about threats and experiences and adopting practices that enable security by design in the development of new products. 

Leaders and cybersecurity teams must work together to anticipate these changes and maintain the agility they need to adapt.

Machine identities and IoT

The number of machine identities and IoT devices involved in daily business operations is exploding, and this gives rise to many unique security issues.

The average number of certificates used in a given organization is over a quarter million. Merely gaining visibility into all of the organization’s machine identities poses a huge challenge to most teams.

Without the ability to see who owns a certificate, where it lives, and when it expires, businesses become vulnerable to outages, disruption, and downtime. 

Keyfactor’s 2023 State of Machine Identity Management Report shows how common and severe certificate expirations can be.

  • The average organization experiences three certificate-related outages per 24 months.
  • 55% said the outages severely disrupted customer-facing operations. 
  • On average, it takes over four hours to remediate a certificate-related outage, and it takes between 11 and 20 staff members to do it. 

With more identities to manage, teams are feeling the heat. More than half of respondents said they needed more staff to properly manage certificates, which is made even more challenging by the cybersecurity labor shortage.

Insurance

The insurance rates for policies protecting against cyberattacks are skyrocketing (up 20%), but in many cases, they either cover less in damages than they did previously or cap the total payout amount. This means boards will need to make risk assessments around paying for damages that are not covered by insurance.

Insurance providers are holding organizations more accountable for covering the security basics. Most cyber insurance policies now require companies to prove they took “reasonable” steps to mitigate the damage before paying out for an incident. Establishing these best practices and the documentation to support them will take collaboration among several departments and leadership.

The opportunity of security

As software has become more business-relevant, so has security. Traditionally, security has posed a speed bump to agility and productivity — which may be why security has so often been left out of innovative initiatives. 

This dichotomy is shifting, too. With the rise of automation, DevSecOps, and other practices that bake security into the core of the process, security can now contribute and accelerate key functions and return real value to the business.

Maintain trust and loyalty

Fully 83% of U.S. consumers claim they will stop spending with a business for several months once a breach has taken place, and 21% said they would never return to a business post-breach. 

As the public has grown more aware of cyber attacks, identity theft, and social engineering tactics, security is poised to become a factor differentiating competitors in the marketplace. Even where this isn’t the case, it’s worth avoiding the reputational damage of a headline-grabbing breach, which can take years to recover from. 

Leverage security data

Visibility into the IT network is a key component of cybersecurity. Security teams have insight into the behavior of business users and the performance of assets and infrastructure. 

This visibility can help boost productivity in a few ways. First, when an organization has more insight into how employees do their jobs, it becomes possible to use this information to craft more effective workflows. What’s more, it can also be leveraged to reduce the complexity of IT systems (and thus their total cost of ownership).

Contribute to innovation

By implementing security into the development and product design processes at the earliest possible stage, innovation teams can spend less time backtracking to meet security requirements and unlock faster release cycles. Security teams can also collaborate with other departments (like finance) to more easily meet compliance demands. 

Improve ROI on mergers and acquisitions

Mergers and acquisitions tend to be cybersecurity nightmares. 

Acquisition-led growth strategies shouldn’t be hampered by cybersecurity snags. The right cybersecurity investments can improve ROI and time-to-value on M&A efforts by streamlining integration and ramping up acquired employees more quickly.

Getting ahead of the cybersecurity game

Cybersecurity has gone mainstream. For consumers, the security of their data and identities has become a tangible value. As more machines and software integrate into global supply chains, security will be key to stabilizing the basic functions of day-to-day life.

The tide of cybersecurity has risen to the very top of the business. Leaders and boards who fail to embrace cybersecurity as an integral function of operations will pay higher and higher prices, both literally and figuratively. 

But those who accept digital trust as foundational to the business’s future stand to innovate without sacrificing speed, quality, or security. These organizations will widen the gap between themselves and the competition, and be first to whatever opportunity comes next. 

Original Post URL: https://securityboulevard.com/2023/06/for-execs-and-boards-cybersecurity-can-no-longer-be-ignored/

Category & Tags: Security Bloggers Network – Security Bloggers Network
