In March, the U.S. Securities and Exchange Commission (SEC) proposed amendments to its rules that are designed to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by publicly traded companies. However, a historic disconnect between IT and business leaders could make them difficult to implement.
If adopted, the rules would help inform investors about a company’s cybersecurity risk management, strategy and governance, and would require timely notification to investors of material cybersecurity incidents. In addition, the rules would require companies to report on the cybersecurity expertise of board members and executives, if any.
Mark Brown, global managing director of digital trust consulting at BSI, says cybersecurity risk has existed as long as the internet has, but it is now at “such a system level” that the SEC has taken it upon itself to formalize it and introduce corporate reporting requirements.
“What does that mean for businesses? It means a lot more rigor, a lot more focus, it means a lot more business understanding has to be applied,” Brown says. “Cybersecurity has often been seen as a technical topic, and this will transcend that belief and migrate it to where many people have believed it should be for a number of years.”
Executives need to rethink IT, cybersecurity
For the last two or three decades, organizations have largely seen IT and cybersecurity as cost centers to a business rather than a strategic asset, resulting in a culture that does not value technology and the highly skilled technologists that manage it.
Because of that view of IT, leadership often thinks it can be outsourced to save money while providing the same benefits as an internal IT department closely aligned with leadership. However, Brown says that when that happens it creates a disconnect between the business and IT, as technologists are simply viewed as workers who deliver technical solutions to the business without truly having to understand how those solutions help the business.
On the flipside, IT operates in a world of processes that don’t necessarily mean anything to business executives and board members.
“In the real world, there is no such thing as an IT process or a cybersecurity process,” Brown says. “There is only a business process that requires IT or cybersecurity enablement.”
For example, new employees need access to their organization’s data, and when they are promoted to senior positions or leave the company, their level of access needs to reflect those changes. However, that doesn’t happen without IT.
“That is enabled through the use of Active Directory at the highest levels within an organization,” Brown says.
A lack of business leadership skills in IT
Another factor leading to the disconnect between IT and business leadership is the lack of business leadership skills among IT professionals, Brown says, noting that few IT leaders truly understand how their business operates.
Many IT leaders don’t have a seat at the table, and thus aren’t tuned into the organization’s business model, how it operates and why it operates that way.
“That concentration of technical skills, rather than business understanding, has further perpetuated that gap,” Brown says. “You’ve seen continued outsourcing of IT to external companies, because it’s felt that they just don’t need to understand.”
That IT outsourcing is coming at a bad time, as the COVID-19 pandemic and the need for more cloud computing to support distributed work have accelerated organizations’ digital transformation goals by several years.
“We are seeing a situation where that absence of understanding and that disconnect between IT and the businesses is becoming really harmful,” Brown says.
If that IT and business disconnect persists, organizations could fall behind their competitors and struggle to comply with the proposed SEC regulations and other rules that will likely come down as malicious actors continue their endless barrage of cyberattacks.
Put it into dollars and cents
Ransomware has emerged over the last several years as the dominant cybersecurity threat, and news of massive ransoms being paid to cybercriminals and of companies forced to shut down while they recover their systems has made global headlines. For example, Colonial Pipeline, a major supplier of refined oil products to the East Coast, was hit with ransomware in May 2021 and forced to shut down for five days, leading to fuel shortages across the area.
To resume operations, the organization paid a reported ransom of $5 million. Elsewhere, companies involved in major data breaches have had to spend millions to recover, with costs going to incident response, legal fees and public relations. That mainstream media coverage of cyberattacks could be moving the needle and forcing business leaders to invest in cyber solutions, Brown says, but that alone isn’t an effective strategy.
Those headlines aside, Brown suggests IT use this simple equation: take 24 hours a day and multiply it by 365 days, which comes out to 8,760 hours. Then, take the company’s annual revenue and divide it by 8,760; that number gives you the revenue cost of one hour of downtime to the business.
If business leaders can stomach losing that revenue during downtime, then maybe it’s not right to invest in those solutions, but that would not be a smart decision, Brown says.
“When you look at the cost of the solution and map it against the cost of that one hour of downtime, it would be very unusual for you to come to a perspective when you can say that is an acceptable risk,” Brown says.