Security: From the Back Room to the Boardroom
By Bret Arsenault, VP & CISO, Microsoft Corporation
The world has become increasingly digitally interconnected, with a growing reliance on technology in all aspects of our personal and professional lives. This connectedness represents an immense opportunity for companies to drive competitive business value, leveraging the digital transformation that is happening across mobile, social and cloud technologies.
However, there is a corresponding growth in cybersecurity risk that potentially undermines the value of the state of connectedness. With each new device, online account or application, people are increasing the complexity and scope of their digital footprint and potential exposure. Navigating today’s technology landscape successfully requires more rigorous security controls and policies within the enterprise, to manage the vulnerabilities that this complexity creates. The new value generated in today’s digital world can be quickly diminished as a result of a single, cybersecurity incident – whether malicious or unintentional.
The business-level implications that can threaten a company’s position in the market include loss in customer loyalty, brand reputation, intellectual property (IP), market share, profits, and revenue. As technology continues to evolve as a core part of business, cybersecurity needs to be embedded in an enterprise’s strategy and culture. Consider the following:
• 243 is the median number of days attackers are present on a victim network before detection.
• $3.5M is the average cost of a data breach to a company - up 15 percent from 2013.
• The global impact of cyber-attacks could be as much as $3 trillion in lost productivity and growth.
With cybersecurity making headline news more frequently, it is clear to see how any disruption has broad impact both for the affected businesses and their customers. These current events have also raised awareness for companies and individuals about the vulnerability of their data. As a result, customers have a new level of expectation about the security and privacy of the products and services they use. Security executives have an obligation to help their companies meet or exceed these customer expectations, elevating the cyber security discussion to the corporate boardroom.
While executive leaders and board members increasingly have cybersecurity on their radars, there is still a general lack of awareness about a need, at the most basic level, for an overarching security strategy and operating model within the enterprise. Aligning security assets not only drives more comprehensive protection across a company, but enables cost savings that drive better stakeholder value.
Without a clear understanding of your security business and how it relates to the rest of your company, there is a risk of resource overcompensation in trying to mitigate cyber security threats
As a first step, work with your leadership to establish clear protection principles that define the most valuable assets within your company. This creates a “north star” for you security strategy and program, and importantly, creates a common vernacular as you assess priorities for your business. Within Microsoft, we have defined our core protection principles as follows:
1. Protect customer data
2. Ensure device integrity
3. Protect the supply chain
4. Protect our intellectual property
As CIOs and CISOs are increasingly asked to provide reports to the Board, this kind of framework can help to structure discussions in ways that resonate strongly and clearly for these influential stakeholders. Board members are looking to come up-to-speed quickly on the topic of cybersecurity and looking for security leadership to help them understand the risk profiles of their companies. As security leaders, we must succeed in presenting an accurate snapshot of the security business without using fear as a driving motivator. Security decisions should be presented and made within a solid business case.
Without a clear understanding of your security business and how it relates to the rest of your company, there is a risk that board members will overcompensate in trying to mitigate cybersecurity threats - at the cost of innovation for your company, your partners and your customers. While building and maintaining a comprehensive security program is a fluid and ongoing process, it must be balanced with how you operate your business, and the degree of flexibility, agility and progress that you want to allow for your company to thrive.
Digestible metrics are key to selling your vision and program to the Board. Be able to demonstrate progress and return on investment for these stakeholders, to reinforce the value of having a sustainable and comprehensive security program. We can no longer talk about security in the confines of IT, but need to up-level the conversation and relate it to the broader business. Board members want you to highlight key strengths and weaknesses, so that they can immediately grasp the current state of the business’ security posture. Identifying the top risk indicators and measuring performance against these metrics can provide the right level of assurance. At the same time, this exercise can be used to identify known gaps in the security program and open the door for resource requests that you need to make.
As we look at today’s current security landscape, where brand-name companies are being compromised on an increasingly frequent basis, you have the board’s attention. It is no longer a matter of “if” your company will be compromised by bad actors, but rather “when” and “how.” Use this opportunity to reinforce the work that you are driving to protect your company’s assets and to secure staffing, budget and the other support you need to minimize identified risks. Importantly, also ensure that you aim high when forecasting for resources. In today’s environment, the unexpected is the new norm, and as security leaders we need to be arming our companies to detect, protect and respond more aggressively and with more sophistication than ever before.
We have the opportunity to leverage this new, high-level and pointed interest in cybersecurity, and we should be grabbing hold of it with both arms. We have been offered a window to drive security forward in leaps and bounds. Priorities that haven’t made it “above the line” for budgeting or other reasons should now be accelerated to strengthen the security of our companies in new and exciting ways. This will oftentimes require you to shift employee mindset or change established behaviors, but these are challenges that are well worth the effort if we are to keep pace – or stay ahead – of the current threat landscape. With security in the spotlight, we need to use this time to innovate and share best practices across our industry. As John F. Kennedy said, “A rising tide lifts all boats,” and this is our time to advance the state of security, together.”