Square-Off: Are Corporate Cyber Defenses Adequate?

It's not just about the technology, stupid. That's the collective message of the four expert commentators in this CFO Square-Off opinion forum, which addresses the issue of how CFOs and their corporations should be addressing cybersecurity in the face of rapid advances on the hacking front. Instead, finance chiefs should be focusing on their companies' systemic risks rather than just software. However, many companies are failing to address cybersecurity adequately because they tend to underva ..

Like the way in which the Enron fraud scandal led to the development of the Sarbanes-Oxley Act, recent cyber scandals (e.g., Target, Sony, Home Depot), which resulted in huge financial losses, may motivate the development of a new cybersecurity-focused corporate accountability movement and/or consumer protection laws.

In short, it’s time to provide financial benchmarks to cybersecurity. Securing corporate America is not a technology problem. Shareholders need to value cybersecurity and begin to punish poor performance in this area.

Until the economic incentives driving behavior related to cybersecurity change, very little else will. Take, for example, the truism that stock prices get hammered and CEOs get fired when they consistently miss their revenue or profitability targets. Why do they then get a pass when it comes to losing millions of dollars as a result of negligence in addressing cybersecurity concerns?

Unfortunately, there’s little market incentive for executives to take their focus off of growth and profits to worry about breaches. That’s true because, even though hundreds of millions or billions of customers may be affected, their companies’ stock prices during and after the disclosure of high-profile data breaches may decrease only slightly and often recover quickly.

Indeed, a company’s data assets may be hard for investors to find. Today, it’s likely that some of a company’s most valuable and vulnerable assets don’t even appear on the balance sheet. How much is your email database really worth? Probably not much in conventional accounting terms. But consider what its value might represent if it were completely locked down and made inaccessible by ransomware or hacked and placed on Pastebin for anyone in the world to download and peruse?

What’s in your email system anyway? Personal emails between family members, performance reviews, contract negotiations, details on an upcoming merger? Who knows. Is there a way to value this digital asset in the same manner that you value a building or a fleet of vehicles?

To even begin to place a proper value on cybersecurity, CFOs need to start asking some hard questions:

  • What are the company’s most valuable digital assets?
  • Where are they physically located, and who owns the hardware they’re stored on?
  • Do you have a means of understanding and communicating what they are actually worth?
  • Who has access to them and how is access controlled?
  • How financially damaging would it be if they were hijacked or stolen or if the company was completely denied access to them?
  • If your company was hit with a catastrophic attack that shut its most vital operations down for a few weeks, perhaps a month, how would you recover?
  • Would your company even continue to exist?

The Government’s Role

The federal government seems to have been similarly ignorant about the value of cybersecurity. A report by the Atlantic Council and Zurich Insurance Group estimated that by 2030, an insecure Internet would reduce global economic net benefit by $90 trillion. In contrast, a completely secure Internet would result in a global net gain of $190 trillion. That’s a lot of money at stake for governments, corporations, shareholders and consumers.

The government has repeatedly used tax incentives to encourage the private sector to make investments that are in the best interest of the nation and sometimes even the planet. Take, for example, the incentives that have been provided to both corporations and consumers to invest in clean energy, wind farms, and electric cars.

Yet for all the political rhetoric about securing the nation from cyber threats, there have been no dedicated federal tax incentives to actually encourage and support corporations and consumers in doing so. In fact, the Treasury Department has even made recommendations against them.

That is short-term thinking when it comes to government revenue. It does not address the negative effects of breaches on consumers, who are also voters and taxpayers, or the windfall of economic growth that could be gained by investing in proper security for all.

Further, when it comes to cybersecurity, being a good corporate citizen just doesn’t seem to be enough of an incentive to engage in sharing information. There is, however, significant evidence to show that organizations that do share cyber threat information can improve their own security postures as well as those of other organizations.

So why don’t more organizations do it?

Determining goals for information sharing, as well as a means of evaluating the return on investment, is the key. Setting goals that advance the organization’s overall security posture, reduce costs, and close talent and information gaps provides strong incentives for considering information and resource sharing.

Finding and communicating the value to the business is what works best to jumpstart a sharing program, and then consistently reporting on the value attained from doing so is the best way to ensure continued internal support.

Kevin Magee is a global security strategist at Gigamon, a publicly traded network-visibility and traffic-monitoring technology vendor.


One response to “Why Cybersecurity Is Financially Undervalued”

  1. Many organisations have the ‘it can’t happen here’ attitude at the C suite because they have hired a CISO and anyway it’s the CIO’s problem. While they can tell you to the dollar what shutting the production line down will cost, they can’t tell you the cost of having emails hijacked that talk about M&A activity. This must start at the definition of Risk and an equation based around the likelihood of it happening, and the cost. At that point, an organisation can start to assess the cost of remediation. Nothing in this approach is new – I’ve been doing this with clients for more than 10 years. What has been missing in some cases is the recognition of the types of data held, the location, the access. It’s when Risk works closely with the Information Architect. I’ve been advocating for the role of Information Architect since about 2003, because of this and many more implications. It’s not that we don’t know what to do, it’s that it’s hard, complicated and doesn’t show a financial return within 12 months or less – unless, to your point, we change the way we think about assessing financial ROI.
