What is the most obvious statement about the impact of technology on your business? That it is proving massively disruptive. But for the corporate board members of companies today, this tech disruption seems limited to hardware, marketing, and maybe business models. Lately, you’ve become all-too aware that cybersecurity is another field where tech is shaking up how business must operate (and how you must monitor it).
The cybersecurity element is disrupting all elements of your businesses. Like a chain reaction, the basic issue of cybersecurity has exploded to upend many of your board’s basic assumptions on the value of risk, technology, and liability protections. Now, even the concepts of cybersecurity and risk management are moving so fast that much of what you know is wrong, many of your protections won’t protect, and many of the resources you depend on are a day late and a dollar short.
Your IT and risk support
Cybersecurity has grown beyond the oversight of your traditional IT staff. With tighter regulation, new SEC oversight, the pervasiveness of digital assets and access, and much heavier liabilities, cybersecurity is now “everyone’s business.” This includes the CIO, CISO, risk management, compliance staff, and legal.
But each still has only a part of the story. Your risk managers and IT people may be talking past each other in vulnerabilities and coverage. For example, when buying liability insurance coverage for cyber risks, we see the company’s general counsel, the corporate secretary, or CFO’s office handling negotiations -- but never anyone from IT. The result will be dangerous gaps.
Your liability insurance
Don’t be so sure your coverage is protecting you from cyberliability. With cybercrime one of the world’s great sources of technical innovation, and so much of your data out there on the cloud and mobile devices, objective measures of “risk” and liability” are eroding. Even if your policy covers a particular loss, you may have been required to have the latest security software updates in place (which probably weren’t).
Not only aren’t your policies keeping up with cyber changes, the insurance itself isn’t either. Underwriters and actuaries are still in the dark on how to calculate the risks involved. How do you put numbers on a vague, shifting cloud of threats facing off against a vague, shifting cloud of digital assets? How do you buy coverage in 2016 for a cyber attack that won’t be invented until 2017? And will your coverage include threats like “cyber-extortion,” or the costs of forensic investigation for an incident… or whatever loss comes tomorrow and is now unimagined? Not only do you need smart IT people negotiating coverage on your side, reach out to staff at your insurance broker who are savvy on cyber.
Your current IT technology
Cyber risk is evolving and diversifying at scary speed, and may be the ultimate disruptor for your tech protections. So many big hardware solutions still in place at corporations date from the last millennium, and are hopelessly outpaced by today’s fluid world of cloud and distributed data. Thinking your data is safe behind a hardware Maginot Line works no better today than it did for France in 1940.
It’s likely even your CISO doesn’t know all the latest nuances and threats. Next generation security companies like vArmour see many cases where the IT protections and policies that are in place are ignored, subverted, or worked around just through convenience or sloth. For example, I saw one company where customer PCI (Payment Card Industry data -- essentially charge card info) and non-PCI data were intermingled -- a ticking IT breach time bomb.
If sound protections aren’t in place, if they’re ineffectively guarding the wrong data in the wrong place, if your liability coverage is outmoded… how would your board know? Even savvy, committed board members are not up on the latest products and technologies for cyber defense. More likely, what you do know is outdated brands -- Symantec, MacAfee. The old saying “No one ever got fired for buying IBM” has been updated for products that are zombies in today’s data security world.
However, your board is in the unique position of having the authority to put your company’s cybersecurity back on track. Seek independent review of your data security from proven cyber consultants. Review liability insurance policies with company counsel… and ask your head of IT or CISO to join in the review. Best of all, ask both IT and risk management leaders how your overall cybersecurity strategy is keeping up with virtualized, cloud-based and mobile data. Your security solutions must now be comprehensive enough to protect throughout this new data spectrum.
As a board, you can either passively wait for a cybersecurity attack to disrupt your entire business -- or you can be the “disrupter” yourselves.