At Symantec, we are fortunate to be able to engage closely with many different types of organisations across all stakeholders – from board members to end users, CISOs, to administrators, as well as the many roles in between. This affords us a whole spectrum of insights on the most pressing topics within cyber security today, embracing a diverse set of perspectives.
Within the security strategist community at Symantec, a key question we are often asked is how board members see cyber security and how other organisations are dealing with the cyber security challenge – particularly when engaging with the board. This got us thinking and encouraged us to share some of the feedback from our conversations with the many organisations with which Symantec interacts from across Europe and indeed the rest of the world.
So where exactly do we start? We know that security (or, as we now call it, cyber security) has been through a transformation over the last few years. Once considered a ‘weight or anchor’ on the business, it has now captured the interest and visibility of the board itself.
You only need to look at the results of the UK Cyber Governance Health Check of FTSE 350 companies to see to what degree that transformation has happened, with 89% of board members surveyed saying that they “see cyber risks as either moderately or extremely important for the business”. But what does this translate into from a board level perspective?
As most board members do not have security or technical backgrounds, cyber security risks often translate into impacts that directly affect the bottom line, such as brand damage or loss of intellectual property, breach costs, share price slumps, and the impact of cyber-attacks on regulatory compliance and mandates. A current and recurring conversation we are having at Symantec is around the future state of data protection and privacy regulation, as boards begin to think about what the proposed General Data Protection Regulation (GDPR) will mean for businesses and particularly for those who sit on the board.
We are also seeing the emergence of new trends at board level, such as the growing realisation that cyber security can be used as a vehicle of competitive advantage. Some of the more mature organisations are recognising that their future marketplace differentiation may well be defined by the degree to which they can promote confidence by demonstrating secure engagement with their customers and consumers. For those enterprises, this is driving a positive alignment of business planning and cyber security.
However, this growing awareness of the importance of cyber security is a double-edged sword. On the one hand, better board awareness is allowing CISOs to unlock additional funding for cyber security-related projects – but it is also creating some very difficult conversations for the CISOs themselves. Board level questions such as “Are we secure from cyber-attacks?”, “Do we know if we are being targeted?” and “What are we getting for our cyber security investment?”, whilst seemingly straightforward – even ‘simple’ – from a board member’s perspective, are actually very difficult to answer from the CISO's vantage point.
Why? Because anyone in the security industry knows that we live in a rapidly evolving and increasingly digitised world, one where we need to provide security across legacy systems and data while also securing new business models enabled by innovations in cloud and mobile technology. More simply put: the perimeter security model we have clung to for the last decade is rapidly decaying, and security is racing to catch up.
Fundamentally, today’s CISOs suffer from:
- A lack of visibility across their domains
- An absence of integrated security tools with holistic investigative reporting
- A low level of user cyber awareness within their fast-moving business environments.
Exacerbated by highly targeted and complex cyber-attacks, this is why these so-called ‘simple’ board questions are, in fact, very hard to answer with any level of confidence.
In my next blog I will go into more detail about trending security investments and more cyber security issues at the board level. In the meantime I’d be interested to hear your thoughts. What are you hearing from your clients? Are you seeing similar issues when it comes to board level engagements?