Kimberly Whitler reports in Forbes:
Information is one of the most valuable assets of an organization. Global card fraud losses have reached over $16.3 Billion and will exceed $35 Billion by 2020. The most prepared firms are those who have already experienced some kind of a breach. They don’t just attempt to prevent attackers from getting in, they know that eventually they will, and take the next steps. They also understand that it isn’t a security technology issue, it’s a business issue.
Since the Target and Sony hacks, I have been interested in marketing’s role (or lack thereof) in preparing for and managing the consequences of data breaches. As part of a series exploring the topic in detail (see article #1 here), I talked with Holly Rollo, the CMO of RSA, a Dell Technologies business. RSA solutions enable customers worldwide to deliver business-driven security strategies. The following focuses on why business leaders in general—and CMOs in particular—need to pay attention. Of note, RSA hosts the largest cybersecurity conference in the nation, which begins on February 13.
Kimberly Whitler: How prevalent are cybersecurity attacks? How important is data security today?
Holly Rollo: According to RSA’s Annual Cybersecurity Poverty Index, 70% of organizations report that they’ve had a security incident that negatively affected their business operations in the past 12 months.
Information is one of the most valuable assets of an organization – whether it’s intellectual property, customer or personnel data, or sensitive, private correspondence or pictures. Most organizations have something that is valuable to someone else. This is the reason every organization is a potential target. A data breach has immediate costs (clean-up, investigation, etc.) but also long-term costs (regulatory audits, loss of IP, impact to customer perception, brand reputation, falling revenue, public safety, etc.). I’ve also been hearing more about the human cost after a large-scale breach, in the form of post-traumatic stress, believe it or not.
It’s sometimes hard for organizations to think of themselves as a target; it just seems like a problem that affects critical infrastructure, so let me give a very simple anecdote to demonstrate the scope of the problem. Much (but not all) nefarious online activity happens underground, in what is referred to by some as the Darknet. It’s basically a hidden network where illicit goods and services are bought and sold using untraceable internet currencies or barter – and it’s completely anonymous. It’s estimated to be 500 times bigger than the Internet that you and I interact with every day. 500 times! If you’ve been on Craigslist you know that one person’s junk is another person’s treasure – there’s a market for everything. If you are collecting personal shoe sizes for customers in Iceland, it’s likely there’s a buyer for that.
Whitler: Are firm leaders aware of the magnitude of the challenge and prepared?
Rollo: Between the regulatory scrutiny and the news headlines, executive management and board members have become more aware of the immediate and long-term impact of a breach. According to IDG’s 2016 State of the CIO study, cybersecurity is one of the top three business initiatives for CEOs. More and more, Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) are being asked to speak directly to CEOs and boards to help explain the risks to the business resulting from the daily deluge of technical attacks that occur across the infrastructure. There has also been a rising trend in many large enterprises to hire Chief Risk Officers (CROs), who focus on mitigating business risk end to end within a firm. As a result, they have become much more attuned to new sources of IT / cyber risk.
Unfortunately, not all businesses or organizations have the ability to add these senior-level roles, so the responsibility can fall on others in the organization who may or may not understand the nature of attacks and the most up-to-date best practices around the ever-changing world of cybersecurity. The RSA Cybersecurity Poverty Index survey provides some insight into the end result; it found that 75% of respondents believed their organizations had significant cybersecurity risk exposure. This number is staggering and brings into focus why so many organizations are experiencing damaging incidents.
Whitler: Is it fair to say that most companies are not fully prepared?
Rollo: Yes. Unfortunately, the most prepared firms are those who have already experienced some kind of a breach. Those firms look at the issue differently: they don’t just attempt to prevent attackers from getting in, they know that eventually they will, and take the next steps. They also understand that it isn’t a security technology issue, it’s a business issue. They know you need to have visibility across the whole environment to spot attacks and connect activity that might be the next attack in progress. They put security events into business context to help prioritize and understand the risk to the business. And they are able to quickly respond and remediate a situation when it happens.
Whitler: Are there certain industries/segments where there is more of a concern? Why?
Rollo: Absolutely. Critical infrastructure, the industries that are essential for the functioning or safety of a society and its economic viability, is the most at risk, as the impact of a breach can have the most severe consequences. The US has had a longstanding critical infrastructure program in place that started in 1996 and established 16 critical infrastructure sectors. These include industries that seem to be common attack targets, like financial services, healthcare, information technology, and government facilities, but also targets that we most fear, such as communications infrastructure, emergency services, energy, transportation, and defense.
Whitler: How about the big B2C industries that have consumer-facing operations?
Rollo: We have all seen the damage to retail, consumer and online businesses from high-profile breaches. In fact, according to The Nilson Report, global card fraud losses have reached over $16.3 Billion and will exceed $35 Billion by 2020. Companies rely on electronic payment data to conduct business, and often deal with a massive amount of highly sensitive personal information. They have regulatory mandates to protect that data, and face major reputational risks if it’s disclosed. These companies can also be highly decentralized in how they go to market to enable greater speed and agility. While this enables them to communicate efficiently and bring new products or promotions to market quickly, they may not be operationally able to secure the information, or their security strategy is disconnected from their go-to-market strategy, and issues arise. An example might be a consumer beverage company that has a sophisticated program to protect information related to formulas, manufacturing and its distribution network, but completely overlooks securing online marketing programs that capture sensitive personal information from children under 18.