MY TAKE: Poll shows senior execs, board members grasp strategic importance of cybersecurity

By Byron V. Acohido

A singular topic has risen to the top of the agenda in executive suites and board rooms all across the planet: cybersecurity.

Related: Security, privacy fallout of IoT

A recent survey by Infosys, a tech consulting and IT services giant based in Bangalore, India, quantifies the degree to which the spotlight has landed on cybersecurity in large organizations.

Infosys polled 867 senior officials from 847 firms in a dozen industries, each with at least $500 million in annual revenue; the companies are based in the US, Europe, Australia or New Zealand. Some 83% of respondents said they viewed cybersecurity as critical to their organization, while 66% of the companies reported having implemented a well-defined cybersecurity strategy.

What jumped out at me was that 60% of C-level executives and 48% of board members indicated they actively participated in formulating cybersecurity strategy. Just five years ago a participation level like this was more of an optimistic hope, than anything else. At least that’s what I took away from a memorable fireside chat I had, back then, with the late Howard Schmidt, former White House Cybersecurity Advisor under Presidents Bush and Obama.

Last week, I had the chance to sit down with Vishal Salvi, Infosys’ chief information security officer. We met at the Infosys Americas Confluence conference in Scottsdale, AZ, and had a well-rounded discussion about the drivers behind this new board-level awareness – and the going forward implications. For a full drill down, please give a listen to the accompanying podcast. Here are a few key takeaways:

Time to execute

Salvi walked me through other survey findings illustrating how pervasively a cybersecurity consciousness has taken hold in the upper echelons of the corporate sector. According to the Infosys poll, these items are on the front burner:

•The top concerns faced by enterprises are hackers and hacktivist (84 percent), low awareness among employees (76 percent), insider threats (75 percent), and corporate espionage (75 percent)

•Challenges in building a security aware culture combined with embedding security into design affects nearly two thirds of enterprises

•Across industries, cybersecurity is consistently viewed as critical in an enterprise’s digital transformation journey. Manufacturing emerged at the top (87 percent), followed by energy and utilities (85 percent), and banking, financial services and insurance (83 percent.)

“The spotlight is on the CISOs to perform and execute,” Salvi told me. “We, as CISOs, do have the attention of the board now. And with the rapidly changing, agile technology landscape, we need to find ways to make sure that cybersecurity gets embedded into the IT fabric of organizations.”

Accepting accountability

It’s been about two years now, Salvi says, since top-tier management has come to understand and accept that mitigating cyber risks has become as critical as making strategic decisions about any core financial or operational competencies.

“A couple of things changed. One is that the boards have been made more accountable. And so therefore there is heightened interest to make sure that that accountability translates into a visibility, as to how they get assurance that cybersecurity is going in the right direction for the organization,” Salvi says.

Without effective oversight and accountability — at the highest levels — it is all too easy for governance of cybersecurity policies, processes and technologies to go off the rails, leaving be the organization vulnerable to attack.

The external pressures are unrelenting. Network incursions haven’t slowed down one iota. Just ask Capital One, Marriott, Facebook, Yahoo, HBO, Equifax, Uber and countless other marquee organizations that continue to lose troves and information in massive data breaches.

“The high profile breaches that we’ve seen highlight the role of the board and the supervision required for making sure that there is the right investment and the right strategy being followed by organizations when looking at cybersecurity,” Salvi says.

Necks on the line

Senior management now understands that it is their necks on the line. Shareholders and regulators are now quick to demand hard evidence of adequate director attentiveness to mitigating cyber risks. It took less than 24 hours for Keven Zosiak, a Stamford, Connecticut resident and Capital One credit card holder, to file a lawsuit against Capital One for its failure to protect sensitive customer data.

Capital One lost personal data for 100 million bank patrons to a laid off Amazon IT staffer who allegedly exploited a misconfigured firewall to steal the data from where it sat on an Amazon Web Services server rented by the bank.

Ironically, just a few days before Capital One’s disclosure, Equifax rather quietly agreed to pay up to $700 million to settle consumer claims and federal and state investigations into its 2017 data breach.

Equifax lost data for 148 million consumers to hackers who tapped a vulnerability in something called Apache Struts, an open-source application framework that supports the credit bureau’s web portal; the hackers merrily exfiltrated the data between May 13 and July 30, 2017.

Salvi

“The challenge for CISOs has been the rapid pace of innovation,” Salvi observed. “Innovation focuses on business value, and only when the business value gets recognized does one start looking at, ‘OK so how can I secure it.’ Security has always been an afterthought as we wait for the innovation to be successful.”

Three pillared approach

A paradigm shift clearly is long overdue, Salvi told me. He’s right. Should senior officials need any added incentive they should consider how the outcry from shareholders and consumers has not been lost on regulators.

New regulations, such as Europe’s General Data Protection Regulation, the New York State Department of Financial Services cybersecurity certification rules and the newly minted California Consumer Privacy Act now carry the possibility of heavy sanctions for poor security practices while handling sensitive data.

Meanwhile, advancing cloud and Internet of Things technologies, along with tech breakthroughs on the horizon, like 5G networks and driverless cars, portend ever more fresh attack vectors for threat actors to leverage, Salvi pointed out. For its part, Infosys is looking to expand its cybersecurity consulting services by championing a three-pronged approach. Here’s how he described it:

“First, we want to embed security-by-design into IT security architecture, while also building a culture of security within organizations. Secondly, we want to help automate and optimize security at scale, which is really what our customers are looking for. And number three is securing the future, to really address these trends, not just for today, but for the future, by building solutions that can help future-proof your business. These are the three pillars of our strategy for solving these complex problems: secure by design, secure by scale and secure for the future.”

That approach seems sound, and it should resonate. Cybersecurity is now top-of-mind with top-level company decision makers. Let’s see where that takes us. I’ll keep watch.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone