Are you telling your board what they need to hear about security?

Are you telling your board what they need to hear about security?
Are you telling your board what they need to hear about security?

Johannesburg, 17 October 2022: Digital is risky. As companies digitise, they gain greater efficiency, flexibility and opportunity. But they add more risk. Digital systems are rewarding targets for criminals because they store vast amounts of valuable information and access to business processes, such as payments. More employees rely on and work through digital channels, increasing opportunities for criminals to strike. Overall, the digital era creates a new risk-reward type that business leaders must take seriously.

This change is not lost on them. Heavily regulated industries such as finance were the first to take cybercrime threats seriously. More companies have followed, realising that this risk category will not fade away or stay within the technology domain. A recent McKinsey survey reveals that boards of global companies rate cyber risks among their top four priorities (a welcome attitude because criminals are actively targeting executives). These are prime reasons why cybercrime should not only concern IT teams.

“Digital affects the entire business and you cannot expect technologists to make all the decisions that will ultimately impact business functions,” says Lior Arbel, Co-Founder of Security SaaS provider, Encore. “Those decisions require a balance between security controls and business processes – decisions that should sit with the executives. And if a breach occurs, you really need the business involved. IT and security teams are tasked to handle the immediate consequences of a cyber attack but the executives and board have to take charge of the wider consequences, such as brand damage, productivity losses, governance issues and legal challenges. Cybercrime is a business risk, not an IT risk,” says Arbel. An additional consideration that should be taken into account by the board is that when a cyber breach occurs, unplanned spending is guaranteed and usually it is done in haste without the regular governance and processes of procurement.

Fortunately, a growing number of companies understand this requirement. Unfortunately, they still end up with insufficient information. Boards, in particular, are still not getting the right insights to help them guide these decisions and support the executives’ cyber agenda. It becomes particularly messy when a breach occurs and the organisation enters crisis mode without sufficient preparation.

“A cyber attack will test a company’s capacity to manage a crisis, and you often see existing tensions go overboard during a breach. If a company does not adopt a systemic, cohesive and continual strategic approach for cyber risks, they come apart at the seams when something big goes wrong. You have to have board participation, or else there is no unity, just chaos,” says Arbel.

Even proactive boards often don’t know enough because they receive incomplete reports on cyber readiness. Instead of a single version of the truth based on precise data, they receive reports based on opinion or heavy extrapolation. When data is used, it’s often fractured, from multiple incoherent sources, flush with opinions of different parties, and takes too long to compile.

The complicated and fractured state of technology security is the leading cause of this situation. Security uses a multi-layered, multi-product approach to address many different cyber risks. But just like a choir that doesn’t sing the same song, these security layers project a lot of noise. The more noise there is, the more challenging it is to make sense of everything – and that’s on the security administrator’s level. The board and the rest of the executives end up with conflicting and watered-down information. Even if they make good security decisions, they are using bad information.

“The solution is straightforward,” says Arbel. “Companies need a single source of truth for their security, something they won’t get if they rely on multiple independent reporting systems. But if they use one platform that queries all their different security systems, they can quickly generate accurate data-based insights. With the right supporting processes and collaborative teams, that security data can supply risk-based contexts that help boards and executives make accurate security choices,” says Arbel.

A growing legion of organisations is seeing the light and tackling cybercrime as a business risk. But these intentions can become self-defeating exercises without proper context and information. Good cyber risk management requires a proactive leadership attitude and a single truth of information based on accurate and timely data. When companies put these two pieces together, they can potentially prevent the next cybercrime storm and enjoy the success of the digital era.

  •  

About Encore:

With more than 25 years’ experience providing professional services and cyber security consulting for the largest companies in the world, we brought this knowledge to Encore, leader in CAASM and EASM. Our team is comprised of offensive security experts and security engineers and consultants that know the mindset and tooling of the attackers, the internal operational obstacles, challenges faced by security management and how to get the most out of security tooling.

Encore visualises information that can be confusing and often overwhelming, providing accurate and action-based reporting and visibility across numerous security controls, through one secure portal.

For more information, or to get in touch, visit our website: https://www.encore.io

Press Contact:

Mantis Communications

Kerry Simpson

Tel: 079 438 3252

Email: [email protected]