For Execs and Boards, Cybersecurity Can No Longer Be Ignored

September 20, 2023

Very few events can impact a business on so many levels as a cybersecurity incident. Disruption and downtime can cost millions in missed revenue, while fines, remediation and reputational damage can rack up millions more in associated costs. Even after years of headline-grabbing cyber incidents, leadership at the executive and board levels still has trouble picturing cybersecurity as a business-critical function.

 

New surveys conducted by Delinea show a stark disconnect between security experts and leaders.

 

  • Only 39% of security experts believe their company’s top decision-makers have a solid understanding of cybersecurity’s role in enabling the business to flourish
  • 36% of business leaders feel that cybersecurity is merely a compliance function
  • 17% of business leaders don’t consider cybersecurity a business priority
  • 31% of security experts believe that making the business case for better security was a gap in their skill set

 

C-suite leaders must know enough about cybersecurity to weave it into the greater vision of the business, while security experts must have enough business acumen to further their enterprise’s goals in the most efficient and effective ways.

 

 

The cybersecurity stakes are rising

Security has always been important for businesses, and that’s only become truer in our increasingly digital world. But the shape of the problem has also changed, and today the stakes around cybersecurity are higher than ever.

 

Government Cybersecurity Strategies
Around the world, governments are formulating strategies for building cyber-resilience and protecting critical infrastructure.

 

  • In 2020, the European Union Agency for Cybersecurity (ENISA) released its cybersecurity strategy, which outlines the key technologies necessary for establishing resilience
  • In 2023, the Biden Administration released a high-level cybersecurity strategy that demonstrates the gravity of cybersecurity as a matter of national importance
  • In 2022, Vietnam launched a strategy for improving its standing in the global cybersecurity index, raising public awareness around cybersecurity and establishing incident response teams
  • India plans to release a cybersecurity strategy this year that will outline ways it can grow and upskill its cybersecurity labor pool, as well as protect critical infrastructure

 

Across the board, requirements for federal agencies are often harbingers of future regulations that will emerge in the commercial sector. For example, the SEC’s proposed rule changes for reporting cyber risk will impact the boards of public companies or the boards of those companies planning to become public. These strategies call for sustained collaboration between public and private entities in a bid to raise the bar for cybersecurity. This includes sharing information about threats and adopting practices that enable security by design in the development of new products. Leaders and cybersecurity teams must work together to anticipate these changes and maintain the agility they need to adapt.

 

Machine Identities and IoT
The number of machine identities and IoT devices involved in daily business operations is surging, giving rise to many unique security issues. The average number of certificates used in each organization is over a quarter million. Merely gaining visibility into all the organization’s machine identities poses a huge challenge to most teams.

 

Without the ability to see who owns a certificate, where it lives, and when it expires, businesses become vulnerable to outages, disruption and downtime.

 

Keyfactor’s 2023 State of Machine Identity Management Report shows how common and severe certificate expirations can be.

 

  • The average organization experiences three certificate-related outages per 24 months
  • 55% said the outages severely disrupted customer-facing operations
  • On average, it takes over four hours to remediate a certificate-related outage, and it takes between 11 and 20 staff members to do it

 

More than half of respondents said they needed more staff to properly manage certificates, which is made even more challenging by the cybersecurity labor shortage.

 

Cyber Insurance
The insurance rates for policies protecting against cyberattacks are skyrocketing (up 20%), but in many cases, they either cover less in damages than they did previously or cap the total payout amount. This means boards will need to make risk assessments around paying for damages that are not covered by insurance.

 

Insurance providers are holding organizations more accountable for covering the security basics. Most cyber insurance policies now require companies to prove they took “reasonable” steps to mitigate the damage before the insurer will pay out for an incident. Establishing these best practices and the supporting documentation will take collaboration among several departments and leadership.

 

 

The opportunity for security

As software has become more business-relevant, so has security. Traditionally, security has posed a speed bump to agility and productivity — which may be why security has often been left out of innovative initiatives.

 

This dichotomy is shifting, too. With the rise of automation, DevSecOps, and other practices that bake security into the core of the process, security can now contribute to and accelerate key functions and return real value to the business.

 

Maintain Trust and Loyalty
Eighty-three percent of U.S. consumers claim they will stop spending with a business for several months once a breach has occurred, and 21% said they would never return to a business post-breach. As the public has grown more aware of cyberattacks, identity theft and social engineering tactics, security is poised to differentiate market competitors. Even where this isn’t the case, it’s worth avoiding the reputational damage, which can take years to recover from.

 

Leverage Security Data
Visibility into the IT network is a key component of cybersecurity. Security teams have insight into the behavior of business users and the performance of assets and infrastructure. This visibility can help boost productivity in a few ways. First, when an organization has more insight into how employees do their jobs, it becomes possible to use this information to craft more effective workflows. It can also be leveraged to reduce the complexity (and thus the total cost of ownership) of IT systems.

 

Contribute to Innovation
By implementing security into the development and product design processes at the earliest stage, innovation teams can spend less time backtracking to meet security requirements and unlock faster release cycles. Security teams can also collaborate with other departments to meet compliance demands more easily.

 

Improve ROI on Mergers and Acquisitions
Mergers and acquisitions tend to be cybersecurity nightmares.

 

  • 62% of organizations say cyber risk is their biggest concern post-acquisition
  • Over 50% have had a deal threatened by a cybersecurity issue during M&A
  • 65% experienced regrets in making a deal due to cybersecurity problems

 

Cybersecurity snags shouldn’t hamper acquisition-led growth strategies. The right cybersecurity investments can improve ROI and time-to-value on M&A efforts by streamlining integration and ramping up acquired employees more quickly.

 

 

Getting ahead of the cybersecurity game

For consumers, the security of their data and identities has become a tangible value. As more machines and software integrate into global supply chains, security will be key to stabilizing the basic functions of day-to-day life. The tide of cybersecurity has risen to the very top of the business. Leaders and boards who fail to embrace cybersecurity as an integral function of operations will pay higher prices, literally and figuratively. But those who accept digital trust as foundational to the business’s future stand to innovate without sacrificing speed, quality or security.

Chief Security Officer | Keyfactor
Chris Hickman is the chief security officer at Keyfactor. Chris is responsible for establishing and maintaining Keyfactor’s leadership position as a world-class technical organization with deep security industry expertise. He leads client success initiatives and helps integrate the voice of the customer directly into Keyfactor’s platform and capability set.

Chris has worked on PKI projects for organizations and firms, including NATO, both the U.S. and Canadian Departments of Defense, Fortune 100 banks and financial institutions, and more. He remains a trusted resource for enterprises looking to leverage digital certificates within existing portfolios and new product development.

