A CEO Cheat Sheet For The Cybersecurity Big One
Originally published in Forbes by Bob Zukis – March 5, 2019
In Warren Buffett’s 2019 shareholder letter, he called out the “Big One” alongside natural disasters as the key risks to his insurance portfolio. The “Big One” he is referring to is a cyber attack he describes as “…having disastrous consequences beyond anything insurers now contemplate.”
Here’s a CEO cheat sheet to help understand the cybersecurity “Big One”.
Every CEO sees the frequent data breach headlines and reads about the fines that are starting to be levied by regulators globally. The economic cost of cybersecurity is increasing at an alarming rate, with estimates ranging from US$600 billion in 2017, or 1% of global GDP, to one estimate putting the global cost at US$6 trillion by 2021.
Breaches have become so commonplace they feel like they’ve become an accepted part of business as usual, but complacency is a mistake. In the Conference Board’s 2019 C-Suite survey, America’s CEOs call out cybersecurity as the #1 external issue requiring their attention. That’s a good thing, as American businesses remain the favorite target of hackers everywhere.
The “Big One” Buffett refers to will change the game, possibly by stopping a business or key infrastructure cold. It could be a material business interruption that impairs society’s or an organization’s ability to transact. It could be a systemic failure, or information warfare that cascades from company to company, bringing an industry or an economy to its knees. There’s a reason why the WEF has listed cyber attacks as an existential threat in its 2019 Global Risk Report.
Cybersecurity risk is an enterprise risk, but it is unlike other enterprise risks. ISO defines risk as “the effect of uncertainty on objectives.” The wildly unpredictable nature of cybersecurity risk makes it very difficult, if not impossible, to assess both the likelihood of an incident and its impact.
It also involves an active adversary who will always be better and more innovative than you are. Hackers are well-organized, well-financed, creative, patient and persistent. This presents a constantly changing risk landscape. No other risk is as elusive or as determined to exploit your weaknesses.
Cybersecurity risk also has an increasingly systemic aspect to it, extending its attack surface across and even beyond your direct supply chain. The speed at which risk can propagate globally is also unique. The actions that you take as an organization may be doing little to actually lower your real cybersecurity risk profile. You are only as strong as the weakest link in your defenses, whether that vulnerability is within your own organization, a supplier or another business partner.
Cybersecurity is also one risk area where you must continually increase your spending to just maintain an acceptable risk level, given that risks are continually increasing. When risks go up, premiums go up. That includes the actual premium you may be paying an insurer to transfer some of your risk along with the “premium” you are paying to mount your own cybersecurity defenses.
Accepting cybersecurity risk by doing nothing is negligent and cybersecurity risk can’t be eliminated, so your only options are to transfer the risk and/or to reduce it. Your costs are only going to go up, but they may not be keeping pace with mitigating your risk.
Also, new risk environments often don’t work well with old approaches. Is it time to rethink the cybersecurity risk management services model? Many organizations have realized that cloud computing offers some very real advantages in addition to avoiding the large capital investments that captive data centers require.
Kazu Yozawa, CTO of NTT Security, thinks cybersecurity risk management is on a similar path:
Enterprises do not have to build security operations centers any more than they need to build data centers. Cybersecurity risk management is getting very difficult to do cost effectively for many companies, and they aren’t necessarily improving their risk profiles.
Finally, America’s regulators have woken up. This environment is ripe for a Sarbanes-Oxley style regulatory response given ongoing corporate failings and the public interest. America’s regulators have made one thing perfectly clear: they aren’t there to help; they are there to hold you accountable.
From the SEC to Senator Ron Wyden’s discussion draft of the FTC’s Consumer Data Protection Act that could impose cyber-related civil and criminal penalties on the CEO, direct CEO accountability is coming. Disney is also addressing a shareholder proposal this week to tie cybersecurity and data privacy to CEO pay. The wagons are circling the CEO.
Here’s the CEO cheat sheet to deal with the cybersecurity “Big One”:
Complacency is the enemy. Proactively involve and engage your board and management teams and plan and practice for the worst.
You’re fighting a losing war. Consider alternative approaches to cyber risk management, including outsourcing it to be more cost and risk effective long term.
Regulators are here to punish. Much more regulation/activism is coming and it looks to hold the CEO directly accountable.
CEOs need to be actively engaged in cybersecurity risk oversight to reduce the organization’s risk profile along with their own risk profile on this issue. Pay a lot of attention to this issue; it’s paying attention to you.