As the number of regulations related to IT security continues to grow, boards of directors at most organizations have taken note that IT security now carries significantly more financial liability.
In fact, a new survey of 126 such boards, conducted by Osterman Research on behalf of Bay Dynamics, a provider of cyber risk analytics tools, finds that 60 percent of respondents say cybersecurity mandates have become somewhat or very difficult to satisfy.
The survey also finds that cybersecurity is now a top priority in the boardroom, surpassing other operational risks. The report reveals that in the past two years there has been an 11-fold increase in the number of organizations citing increased government regulation as an issue, and a 10-fold increase in concern about lawsuits and regulatory penalties.
Just this week, Trump Hotels disclosed that it has settled a lawsuit brought by the New York Attorney General after more than 70,000 credit card numbers were exposed to cyber criminals. Not only was the hotel chain fined $50,000, it is also being required to upgrade its security systems.
Of course, boards are concerned about more than the fines. Damage to the corporate brand and the cost of fighting any lawsuits that result from a breach can easily exceed any fine.
Overcoming a lack of understanding
The challenge most board members have with cybersecurity is that they don't have a real sense of the risks their organization faces. Very few of them are conversant in IT security issues or technologies. They understand the fundamentals of risk management, but translating cybersecurity issues into a risk management conversation board members can understand is difficult for IT leaders, who often have a vested interest in the board viewing the IT organization in a positive light. Far too many business and IT leaders are still overconfident in their organization's IT security capabilities.
What is apparent is that more boards are eager to have a conversation about cybersecurity. As part of their fiduciary responsibility, many of them are obligated to seek out external advice. Because of that requirement, IT services firms that specialize in IT security should be making a concerted effort to educate boards of directors. The challenge those service providers face is explaining cybersecurity risk in plain business language: the average board member has no background in cybersecurity and usually only a passing familiarity with IT.
As politicians and judges continue to recognize that cybercrime has as much to do with lax security as it does with individuals breaking the law, fines and penalties are only going to increase. Governments everywhere will soon want to make cautionary examples of organizations that fail to put an appropriate level of IT security in place. As a result, board members are more motivated to learn about cybersecurity than ever before.
Searching for security expertise
Naturally, one of the most practical ways to mitigate cybersecurity risk is to contract a third-party provider that specializes in IT security. That won't guarantee there will never be a breach, but it does demonstrate that the board of directors exercised due diligence. In the minds of many regulators, bringing in external IT security expertise is often the difference between a slap on the wrist and a stiff penalty for reckless disregard of the obligations that come with collecting customer data.
IT services firms with IT security expertise are well positioned to deliver some much needed cybersecurity education. It could even be argued that making that education widely available is now as much a matter of public interest as it is a business opportunity. Regardless of how that education is delivered, one thing is certain: IT services firms should be putting more focus on boards of directors that are just now waking up to the scope of the risk the business actually faces.
Photo by Samuel Zeller