Top business leaders are starting to realise the widespread impact a cyberattack can have on a business. Unfortunately, according to a study by Forrester Consulting commissioned by Tenable, some of the damaging effects include financial loss or theft (39%), loss of customer data (39%) and employee data (36%). The potential for cyber threats to cost organisations in Australia millions of dollars overwrites an outdated belief that cybersecurity is merely an IT issue. With so much at stake, business leaders are in the front lines and require insight into cyber risk in the same manner as other risks.
Incoming regulation aimed at business leaders of critical infrastructure and systems of national importance, as part of the federal government’s Cyber Security Strategy 2020, further iterates the importance of leadership involvement in cyber issues. Therefore, it’s unsurprising that the same Forrester study shows that Australian business leaders are demanding greater visibility, as 94% of Australian security leaders have been asked to report on their level of exposure to a specific threat or publicised vulnerability. What’s worrying, however, is that 67% of business leaders report that their security counterparts are, at best, only “somewhat effective” in communicating threats that pose the greatest risk to the organisation. This disconnect shows that cybersecurity is broken and the key missing piece of information is - business context.
Business context is everything
When an organisation is at risk of a cyber threat, the first thing business leaders want to know is if they will still be able to deliver on their core business objective. Instead, more often than not, they get data about how many systems are affected and how quickly it can be remediated - demonstrating a clear disconnect in the way both groups understand and communicate risk.
This is by no means any fault of security leaders. Their technical training puts them in a position to report on the many vulnerabilities, patches deployed and recite information of the latest threats. What they struggle with is delivering the information in a non-technical manner that relates to the business because they are hamstrung by a lack of data, technology and processes.
The same research highlighted three key areas of improvement in order for security teams to effectively communicate risk.
Firstly, security leaders need to have holistic visibility of business-critical assets. Only six in ten Australian security leaders reported that they have ‘high or complete’ visibility into their organisations’ IoT and operational technology (OT), according to the Forrester study. In addition, less than half are highly or fully aware of the risk posed to employees working remotely and only 30% have high or complete visibility over third-party vendors. All of this combined means that few security leaders have a holistic understanding of their organisations’ attack surface and, as a result, are unable to communicate the risk to the business effectively.
Secondly, security and business performance aren’t aligned, with just four in ten security leaders saying they work with business stakeholders to align cost, performance and risk reduction objectives with business needs. While having the right tools in place to measure risk is key, so too is reducing the gap between security and the rest of the business. Business and security leaders need to work together to integrate with one another and develop security metrics that speak to business risk.
The final area of improvement is the use of technology to better predict business risk context for incoming threats. The Forrester study showed that 40% of Australian security leaders aren’t confident that they have the technology, processes or data to predict cybersecurity threats. This could be, in part, due to a lack of automation technologies - three out of ten security leaders say their organisations still manually review spreadsheets to track cybersecurity performance. Business leaders need to ensure that they’re making long-term investments in the technology used to monitor, manage and report on cybersecurity.
The road ahead
While business leaders are starting to recognise the importance of cybersecurity, it’s clear that a gap still exists and there’s more work to be done. Security leaders must turn qualitative recognition of cyber risks into quantitative business-aligned metrics, and business leaders must equip them with the tools and processes to do so.
With new regulations like Australia’s mandatory data breach notification laws already in place and more likely to come in with the 2020 Cyber Security Strategy, failure for security and business leaders to align will surely result in further business-impacting attacks with the regulatory penalties a clear reality.