Involving Head Honchos in Data Breach Response

Published: February 9, 2016 by Michael Bruemmer

Shouldn’t it be easy to convince your senior executives of the importance of cyber security? High-profile data breaches make the news, and your top decision-makers surely read the same headlines you do. Those reports — and numerous studies — make it clear that cyber security incidents continue to grow in volume, frequency and impact.

Yet while 79 percent of cyber security and IT professionals say their board of directors is concerned with cyber security, just 11 percent report to the board and only 20 percent report to the CEO, according to a global study by ISACA. What’s more, nearly half of those surveyed said their companies don’t have a chief information security officer.

A data breach or other cyber security incident can have a devastating impact, and having an informed, involved board and C-suite can help a company mitigate damages. It’s vital that you find ways to communicate the importance of their involvement in data breach preparedness and the data breach response plan.

Explaining the risks

Chances are, your board and C-suiters are already at least peripherally aware of data breach risks. Numbers are the language of the boardroom, and executives who spend their days crunching data to help them make decisions gravitate to a message illustrated with data. Here are some convincing numbers to share to flesh out the risks:

  • As of mid-October 2015, 606 data breaches had exposed more than 175 million records, according to the Identity Theft Resource Center.
  • Companies pay an average cost of $154 per lost or stolen record that contains sensitive and confidential information, an increase of $9 per record over last year, according to the Ponemon Institute’s 2015 Cost of a Data Breach report.
  • Five out of every six companies with 2,500-plus employees were targeted by a spear-phishing attack in 2014, according to Symantec’s Internet Security Threat Report.
  • The average cost of lost business is $1.57 million, including abnormal customer turnover, increased customer acquisition costs, reputational losses and diminished goodwill, according to Ponemon.

An involved board and C-suite make a difference

Boards and C-suiters can no longer remain on the sidelines of cyber security protocols; the stakes are simply too high. Additionally, involvement from those groups has a significant impact on reducing the costs and damages associated with a data breach. Ponemon Institute found:

  • Board involvement reduces the per-record cost of a data breach by $5.50 — a significant sum when you consider that multi-million record breaches are becoming the norm.
  • The appointment of a CISO also reduces the per-record cost — by $5.60.

What your board and C-suite need to be doing

Companies rely on officers and senior executives to guide and protect the company, securing its future against a variety of business risks. A data breach’s sheer potential to devastate a company requires a protection strategy, and establishing a data breach response plan becomes key to a company’s overall longevity.

Senior executive and board member roles in managing cyber risks should include:

  • Participating in the formulation of a data breach response plan.
  • Treating cyber security as a top organizational priority for all employees, rather than a responsibility of only the IT team.
  • Receiving and reacting to regular updates on data breach preparedness and cyber security, including data breach response audits.
  • Assessing, understanding and mitigating regulatory compliance concerns when hiring outside parties to support cyber security management and data breach response.
  • Championing the establishment of the role of CISO if one does not already exist.
  • Auditing budgetary needs for cyber security and data breach preparedness and response, and ensuring that departments have the funds necessary to secure the company from hackers.

Cybercrime is one of the greatest threats to business continuity in the modern business world, and it’s a threat shared by every industry and companies of all sizes. If they’re serious about protecting the business and its assets, board members and C-suite executives can’t afford to sit on the sidelines when it comes to this vital aspect of information security and threat defense.