Despite the endless clamoring of cybersecurity professionals, cybersecurity remains relatively unimportant to the business world’s top decision-makers.
Here are just a few facts that suggest this is the case:
C-level executives have proven willing to accept roughly 17% annual growth in the financial damage cyberattackers inflict on their organizations: global losses are projected to rise from $8.5T in 2023 to $10T in 2024.
Less than 20% of CFOs actively collaborate with their IT departments to mitigate the financial risks associated with inadequate cybersecurity.
Only about 12% of organizations subject their cyberdefenses to independent penetration testing more than once a year, even though independent pentesting is a core requirement of many compliance frameworks.
Plus, while many companies are incrementally increasing their investments in cybersecurity, few are doing so at a pace commensurate with the intensifying cyberthreats they face. And even fewer are making the fundamental changes to their cybersecurity strategies that they would make if they truly took the threat of cyberattacks seriously.
Exceptions to the rule
Of course, there are organizations where cybersecurity is taken seriously. And while those organizations clearly represent a relatively small minority, they typically share the following three characteristics:
Executive-level leadership. It’s hard to claim that cybersecurity is a true priority for an organization if it remains relegated to middle management alone. Sales, marketing, product development, finance, HR, and other business functions are all typically led by C-, SVP-, or VP-level executives. So organizations that take cybersecurity seriously will invariably have a Chief Security Officer—even if that CSO function is performed on a virtual or “flex” basis.
Fact-based management. Companies that are serious about marketing constantly track the performance of their marketing programs to see what works and what doesn't. Companies that are serious about software development constantly track their development metrics to monitor KPIs like release cadence and defect rates. Companies that are serious about security take the same approach, regularly assessing their vulnerabilities to determine exactly where they have achieved their goals and exactly where they may be falling short.
Aspiration for excellence. You can tell when a company truly values its people, because its HR team works as hard as it can to make that company a truly great place to work. You can also tell when a company is truly committed to sales growth, because its salespeople are equipped and incentivized to blow way past their minimum quotas.
Cybersecurity is exactly the same. Companies that truly understand the importance of cybersecurity don't just meet standards for regulatory compliance, or squeak by the underwriting requirements of their chosen cyberinsurance carrier. They instead significantly out-perform those baselines in order to achieve a higher goal: reducing, as far as is practical, their exposure to the business risks associated with cybercrime.
One other characteristic distinguishes organizations that take cybersecurity seriously: They don’t suffer disastrous consequences from cyberattacks. That’s because they don’t get hacked as much. And even if they do get hacked in some way, they are able to minimize the short- and long-term impacts of those hacks on their business performance.
Choosing to win
If you’d like your company to join the ranks of those where cybersecurity is taken seriously, there’s good news. Because, while cybersecurity and cybercompliance are certainly challenging business disciplines requiring significant effort and investment, success in those disciplines ultimately starts with a simple choice.
You either decide security is important to you—or you don’t.
Your company’s exposure to cyberrisk ultimately hinges on that one decision. If you decide the latter, not much will change. You’ll maintain the status quo. And you’ll enjoy the comfort of being in the company of most of your peers—which is, after all, how many of us make many of our business decisions.
Unfortunately, you’ll also be putting your company into the same risk pool as your peers. So, while you may not ever suffer a single adverse financial consequence as a result of your decision, there’s a nontrivial statistical probability that you will.
If on the other hand you decide that, yes, cybersecurity is going to be very important to you and your company, congratulations. You’ve just taken the first and most important step out of the mass statistical pool and into the company of those who are as much as 84% less likely to suffer a business-debilitating cyberattack. Now it’s time to take Step Two.
To learn what Step Two in your cybersecurity journey might entail, reach out to me at scott@csoscott.com today.