CyberSecurity SEE

“Cybersecurity Takes a Spot in the Boardroom”


The importance of cybersecurity to businesses has grown substantially over the years, and any company that fails to give it the attention it deserves is setting itself up for failure. The Securities and Exchange Commission (SEC) has underlined that importance by proposing new rules on how boards of directors should approach it. The rules, yet to be finalized, would require companies to disclose material cybersecurity incidents and to explain who on their board is responsible for overseeing cyber risk. In addition, they would require businesses to disclose the cybersecurity expertise and experience of their board members.

The growing threat landscape, combined with the new SEC regulatory framework, means that cybersecurity can no longer be an afterthought or a bolt-on. It must sit at the core of business operations, and that means it needs a seat at the boardroom table. However, according to a recent analysis by the CAP Group, 90% of boards are not yet ready for the new SEC cyber rules.

The effects of cyber attacks are costly, not only in ransom payments but also in the downtime and disruption that targeted businesses endure. According to a survey by Sophos, 66% of businesses were hit by ransomware in 2021, a 78% increase over the previous year. The damages totaled around $20 billion. The Hourly Cost of Downtime Survey by Information Technology Intelligence Consulting (ITIC) reports that more than 40% of companies put their hourly downtime costs between $1 million and $5 million, and that figure excludes the legal fees, fines, and penalties to which publicly traded companies that fall short of cybersecurity standards can be subject.

The cybersecurity ecosystem has advanced in recent years, transforming from a siloed business function that used reactive tactics to isolate threats into a proactive, network-wide presence that draws on threat intelligence, penetration testing, and AI to improve cyber resilience. Most security teams are still focused primarily on technical-level threats, which are then used to inform security policy and mitigate risk. This often leaves a gap in understanding between security teams and those who author policy and make decisions higher up the chain.

This gap is itself a vulnerability: most security teams lack the tools needed to contextualize threats in a way that business, operational, and financial personnel can act upon. If this disconnect between business objectives and cyber resilience persists, businesses will leave themselves exposed regardless of how thorough their cybersecurity initiatives are.

To close this gap, CISOs must communicate threats and their potential impact to other C-suite executives in terms that are easy to interpret and act upon. That requires CISOs to step outside their technical comfort zone and frame security initiatives as broader risk-mitigation initiatives. Machine learning-driven risk analysis can also play a significant role in helping businesses contextualize cyber threats.

By analyzing large volumes of data and detecting patterns that are not immediately visible to human analysts, machine learning models can surface potential security threats early enough for businesses to act on them. For instance, a model can learn each user's normal behavior and flag deviations from it, such as a burst of failed login attempts or access from a country or device the user has never used before. Likewise, by analyzing historical attack data and identifying characteristics common to successful attacks, models can estimate the likelihood of particular attack types, and those predictive models let businesses anticipate threats and prioritize mitigations. Such deviations are signals to investigate rather than verdicts: a model trained on normal activity will also flag legitimate but unusual behavior, such as a logon during travel, so its output must be tuned and triaged before it reaches a decision-maker.
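As an added illustration (not code from the original article or from any vendor it mentions), the following Python stands in for the behavioral models the paragraph describes with a deliberately simple per-user baseline rather than a trained model: each user's known countries and devices are learned from a training window of successful logins, and later events are flagged for bursts of failed logins within a sliding window and for access from a country or device the user has never used. All authentication events, user names, countries and device identifiers are constructed for the example; the summary function at the end shows the kind of per-user roll-up that can be handed to a non-technical audience.

```python
"""Baseline-deviation detection over constructed authentication events.

Added example, not from the original article. A simple per-user
baseline (known countries and devices) stands in for the behavioral
analytics models the article describes. All event data is constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed events: (ISO timestamp, user, result, country, device_id).
TRAINING_EVENTS = [
    ("2023-03-01T09:02:00", "alice", "success", "US", "laptop-a1"),
    ("2023-03-02T09:05:00", "alice", "success", "US", "laptop-a1"),
    ("2023-03-03T18:40:00", "alice", "success", "US", "phone-a2"),
    ("2023-03-01T08:30:00", "bob", "success", "DE", "laptop-b1"),
    ("2023-03-02T08:32:00", "bob", "success", "DE", "laptop-b1"),
]

NEW_EVENTS = [
    ("2023-03-10T03:11:00", "alice", "fail", "US", "laptop-a1"),
    ("2023-03-10T03:11:20", "alice", "fail", "US", "laptop-a1"),
    ("2023-03-10T03:11:45", "alice", "fail", "US", "laptop-a1"),
    ("2023-03-10T03:12:10", "alice", "fail", "US", "laptop-a1"),
    ("2023-03-10T03:12:30", "alice", "fail", "US", "laptop-a1"),
    ("2023-03-10T03:13:00", "alice", "success", "RU", "unknown-x9"),
    ("2023-03-10T08:35:00", "bob", "success", "DE", "laptop-b1"),
    ("2023-03-10T08:36:00", "bob", "fail", "DE", "laptop-b1"),
]


def build_baseline(events):
    """Learn each user's normal countries and devices from successful logins."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set()})
    for _, user, result, country, device in events:
        if result == "success":
            baseline[user]["countries"].add(country)
            baseline[user]["devices"].add(device)
    return baseline


def detect(events, baseline, fail_threshold=5, window=timedelta(minutes=5)):
    """Return (user, timestamp, finding) tuples for baseline deviations.

    A failed-login burst fires once when the number of failures inside the
    sliding window reaches fail_threshold; a successful login is compared
    against the user's learned countries and devices.
    """
    findings = []
    recent_fails = defaultdict(list)
    for ts, user, result, country, device in sorted(events):
        t = datetime.fromisoformat(ts)
        if result == "fail":
            # Keep only failures that fall inside the sliding window.
            recent_fails[user] = [f for f in recent_fails[user] + [t]
                                  if t - f <= window]
            if len(recent_fails[user]) == fail_threshold:
                findings.append((user, ts, "failed_login_burst"))
            continue
        known = baseline.get(user)
        if known is None:
            findings.append((user, ts, "unknown_user"))
            continue
        if country not in known["countries"]:
            findings.append((user, ts, "new_country:" + country))
        if device not in known["devices"]:
            findings.append((user, ts, "new_device:" + device))
    return findings


def summarize(findings):
    """Roll findings up per user so they can be reported without raw logs."""
    per_user = defaultdict(Counter)
    for user, _, finding in findings:
        per_user[user][finding.split(":")[0]] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


if __name__ == "__main__":
    baseline = build_baseline(TRAINING_EVENTS)
    for item in detect(NEW_EVENTS, baseline):
        print(item)
    print(summarize(detect(NEW_EVENTS, baseline)))
```

Run against the constructed events, the burst of five failures for alice followed by a success from an unseen country and device produces three findings, while bob's single failure from his usual device produces none; a real deployment would replace the fixed threshold and set membership with per-user statistics learned from far more history, which is where the machine learning the article refers to comes in.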

Publicly traded companies bear the responsibility of understanding their risk posture and exposure. With directors now being held accountable for their companies' cybersecurity, it is even more vital that board-level teams can quickly and easily understand that exposure and any potential breaches. Achieving this requires a combination of machine learning-driven tooling, advisory hires who can translate threats into their likely business fallout, and CISOs taking a more consultative and advisory approach to cyber resilience.

In conclusion, cybersecurity is no longer a fringe issue; it has become an integral part of modern business operations. Any business still treating its cybersecurity initiatives as a side project is setting itself up for failure. The new SEC rules demonstrate how important cybersecurity has become and that it needs a seat at the boardroom table. Companies must fill that seat with a well-informed cybersecurity professional or ensure that the person seated there is as well-informed as possible. Failing to prepare for cybersecurity is preparing to fail.
