Effective cyber risk management starts with the C-suite and belongs in the boardroom
Wow, this last Friday and over the weekend we heard about the massive cyber attack infecting thousands of organizations with ransomware in over 75 countries. In Britain, dozens of hospitals and National Health Service providers were crippled. While the ransomware was only demanding $300 worth of bitcoin, the impact of the attack saw thousands of appointments canceled, phone lines down and patients turned away.
Today, a brand new Ponemon study, sponsored by Centrify, was released and examines the impact of data breaches on reputation and share value. The study concludes that cyber security and data breaches are clearly now a board and C-suite challenge, not just an IT issue.
We saw an example of this shift in thinking last week with the release of the “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” This order puts responsibility directly on each agency director to preempt finger pointing at the IT staff regarding breaches. According to the order,
“Risk management decisions made by agency heads can affect the risk to the executive branch as a whole... Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy and human resources.”
The groundbreaking Ponemon study surveyed hundreds of IT leaders, CMOs and marketing leaders, and consumers across the US, UK and Germany. Among the results, the study details:
- The common miscalculation of the effect of security risk on shareholder value, stating that ‘companies experienced an average stock price decline of 5 percent immediately following the disclosure of their breach.’
- Shockingly, 30%+ of impacted consumers discontinued their relationship with the breached organization.
- Finally, more than half of IT practitioners do not believe their companies have a high level of ability to prevent breaches.
Clearly this should serve as a wake-up call to every organization that security isn’t just about protecting data, it’s about protecting the business. It is no longer just an IT problem -- it must be elevated to the C-suite and boardroom because it requires a holistic and strategic approach to protecting the whole organization.
Learn more about the "Impact of Data Breaches on Reputation & Share Value" report here.