Insights from Chris Dimitriadis, Chief Global Strategy Officer, ISACA.
Cybersecurity is no longer a novel concept in the boardroom. There have been enough years’ worth of headlines detailing cybersecurity breaches—and the resulting financial and reputational damage—to elevate cyber risk as a board-level issue. However, significant gaps remain in enterprises’ preparedness.
For the fifth year in a row, cyber incidents ranked as the top global risk, according to the Allianz Commercial Risk Barometer. A disconnect exists between how prepared boards think their organizations are when it comes to cyber risk and the reality.
Why Boards Struggle To Prioritize Cybersecurity Investment
Much of this can be attributed to organizations struggling to clearly establish their return on investment from cybersecurity. Board directors are unlikely to push their leadership to make substantial investments in mitigating cyber risk without understanding how those investments materially influence the organization’s financial health.
For many organizations, this is tricky because of the variable nature of cyber risks and the hard-to-quantify aspect of factors such as reputational damage and loss of customer trust. Further complicating matters, many organizations lack sufficient internal expertise to authoritatively understand their cyber risk preparedness and existing gaps. Security and risk leadership need to be mindful of these potential hurdles and proactively educate board directors about the multifaceted benefits of mitigating cyber risk.
Measuring Cybersecurity ROI More Effectively
To support these efforts, organizations should explore methodologies that provide tangible metrics and frameworks for evaluating cybersecurity investments, with a direct correlation to both potential financial impacts and gains. Impacts can be calculated in terms of contractual breaches, legal breaches, business disruption cost and customer loss; gains in terms of being able to retain and acquire more customers, succeed more often in bidding processes and, overall, differentiate from the competition.
Calculating cybersecurity ROI also should factor in the value of business continuity, as disrupted operations caused by cybersecurity incidents can lead to major financial losses in the short term and the even more concerning loss of customers over the longer term. There are few scenarios more chilling to boards of directors and enterprise leaders than their business being put out of commission for days due to a major cyber incident.
Effective cyber risk management leads to improved business continuity by enhancing the organization’s ability to respond to and recover from incidents swiftly, minimizing downtime and maintaining operational integrity. Integrating business continuity planning with cybersecurity risk planning helps organizations create a resilient infrastructure capable of withstanding and quickly recovering from attacks, safeguarding both short-term financial performance and long-term reputation with customers and key stakeholders.
Cybersecurity As A Competitive Advantage
The potential to develop a significant competitive advantage is another element that should incentivize board directors. Sharpening cyber risk posture can lead to major competitive advantages for organizations, primarily as a key driver of customer trust and loyalty. By communicating to customers the steps that have been taken to protect their data, companies can turn their investments in mitigating cyber risk into a meaningful marketplace differentiator, particularly in sensitive industries like banking, healthcare and throughout the defense industrial base.
As noted by Forbes author Jeffrey Bartel, “Organizations can use their cybersecurity position to gain market advantage through the inclusion of cybersecurity information in investor materials and ESG reports and competitive proposal submissions.”
What Boards Should Do Next
On top of calculating ROI so investments can be made in a more informed manner, boards should increase their readiness by:
• Upgrading cyber risk to a board-level category rather than a technical issue, which may require training for improving the digital savviness of the board
• Establishing clear governance and cyber risk ownership
• Requesting metrics on top of the ROI that are quantified as part of the enterprise risk management program, delivered in board language rather than technical jargon
• Requesting cybersecurity maturity and capability assessments that produce quantified results within the context of board-set priorities
• Integrating cybersecurity in strategic and M&A discussions
• Achieving third-party assurance
• Focusing on talent, ensuring that the organization is holistically trained, including in key emerging technologies and challenges, so decisions are made based on the realities of the present
Cyber Resilience Must Become A Core Enterprise Capability
A disciplined and proactive approach to addressing cyber risk must become a core enterprise capability, and that starts with enterprise boards making cyber risk a focal point. As artificial intelligence and the proliferation of data make the threat landscape increasingly difficult to combat, the ability to swiftly respond to incidents and maintain operational integrity will set successful organizations apart.
By prioritizing the mitigation of cyber risk as a fundamental measure of their organization’s long-term viability, boards can ensure that their companies are not only protected but are also positioned as leaders in their industries. Equipping board members with relevant data on the ROI of cyber risk investment and how mitigating risk can become a competitive advantage can turn the board into a powerful ally on the path to becoming a cyber-resilient organization.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
