Why Cybersecurity Leapt From the Basement to the Board Room
Over the last five years, there has been a marked shift in how businesses view cybersecurity. As evidence, cybersecurity spending has soared. By year’s end, Gartner predicts worldwide information security spending will reach $81.6 billion (7.9 percent over the record-breaking 2015 figure), and Cybersecurity Ventures projects $1 trillion will be spent globally on cybersecurity between 2017 and 2021.
Embarrassing and costly data breaches have been a hazard of business since the rise of the internet, and many government and industry regulations have carried fees for non-compliance since their inception.
So what’s changed? Why has cybersecurity suddenly leapt out of the basement and into the board room?
Cybersecurity Impacts Stocks, Mergers and Acquisitions
Two recent incidents have taken cybersecurity into new territory and illuminate the shift in business perception of cybersecurity.
In August, the cybersecurity firm MedSec used its knowledge of an undisclosed vulnerability in a medical device to short sell the stock of its manufacturer, St. Jude Medical. On August 25, 2016, MedSec’s investment firm released the report on the attack risks to the medical device, resulting in a five-percent drop in St. Jude’s stock. The loss — combined with the revelation of the dangerous device vulnerability — threatened to put the manufacturer’s $25 billion sale to Abbott Laboratories in jeopardy.
While St. Jude’s stock has rebounded, it is still below pre-August 25 levels.
Similarly, when news broke September 23 that (at least) 500 million Yahoo user credentials were stolen in a breach that went undetected since 2014, Yahoo’s sale to Verizon Communications came into question. The $4.8 billion cash sale of Yahoo’s core business is still in early stages, and Verizon could use the largest hack of a single company as leverage.
According to a “New York Times” interview, Boston College Law School Professor Brian Quinn said Verizon could call off the deal entirely by contending “certain high-level Yahoo employees were aware of the severity of the hack before the deal was agreed upon, and intentionally withheld information,” thus violating the merger agreement. Quinn argues it’s more likely, though, that Verizon will use the incident to renegotiate terms more favorable to them.
Yahoo’s alleged secret scanning of customer email data for U.S. intelligence could be another cybersecurity issue used to stir the pot of the merger.
Regulations Get Teeth, and Executives Don't Want to Get Bitten
The European Union’s General Data Protection Act (GDPR) should be on the minds of everyone doing business in the E.U. The legislation will give citizens more confidence over their personal information and make companies responsible for keeping their data secure. It lays out mandatory and timely data breach reporting, extends the definition of personal data and enshrines the “right to be forgotten” in law.
GDPR won’t be in effect until May of 2018, but organizations are already scrambling to understand and implement changes that will make them compliant with the new regulations. One reason for this: it’s got teeth. GDPR will dramatically increase penalties for non-compliance, with fines of up to €20 million (or four percent of turnover) – significantly higher than the €750,000 penalty under the current Data Protection Directive.
Closer to home, New York State has proposed cybersecurity regulations aimed at guarding consumer data and financial systems from cyberattacks. The regulations would require all banks and insurance companies operating in the state to designate a CISO, adopt written cybersecurity policies and implement annual penetration tests, among other seemingly basic requirements.
Notably, under the proposed regulations, board members or senior compliance officers would need to certify that their organization’s security controls meet the requirements. This could expose such individuals to criminal liability if the certification is found to be fraudulent.
You Have My Attention (and Budgetary Carte Blanche)
Executives and board members pay attention when their jobs, companies and tens of billions of dollars are at stake.
While overall cybersecurity spending is on the rise, certain organizations aren’t putting a cap on how far it can go. This year, Bank of America has implemented a “whatever it takes” approach to thwarting attacks, giving its cybersecurity business unit an unlimited budget.
While there will surely be scrutiny of the effectiveness and ROI of how such (non) budgets are spent, it’s obvious that the C-suite has gotten the message. Lax security practices don’t just mean embarrassing headlines and lost customer confidence. The consequences have become much more tangible, and they are now outlined in terms non-security professionals can understand – usually with a dollar sign in front of them.
About Gidi Cohen
Gidi Cohen co-founded Skybox in 2002 and has guided the company’s vision and development as the leader in cybersecurity analytics. A respected innovator in the security analytics space, he is a popular speaker at industry conferences worldwide, demonstrating how sophisticated analytics, modeling and simulation, as well as unprecedented network visibility, are used to reduce an enterprise’s attack surface. For more than 10 years he has been committed to empowering security leaders to quickly and accurately prioritize and address vulnerabilities and threats with cutting-edge Skybox solutions.