Elevating Data Risk Management to the Board Level

Patrick Dennis


April 12, 2017

data risk management board of directors

For years, the security industry has worked to promote cybersecurity as a critical topic for the most senior corporate decision-makers: the c-suite and board of directors. Work remains, but most organizations now realize that data risk management and data-centric security must have board-level priority.

That said, for many, data risk management and cybersecurity is something like climate change—the facts are widely accepted, but the solution is much more elusive.

In 2015, the global estimated cost of cybercrime was $3 trillion in lost economic value each year, and Cybersecurity Ventures expects that cost to double by 2021. This includes literal theft (money, IP, data), damaged and destroyed data, lost productivity, embezzlement, fraud, business disruption, investigation, restoration and remediation, and finally, reputational harm.

In response, Gartner predicts almost 11% annual growth for the cybersecurity market over the same five-year period ending in 2021.  Unfortunately, corporations cannot buy their way out of this problem. Organizations need to match increased spending with a shift in priorities and a new way of thinking about data-centric security and risk management.

Traditional Approaches Are Not Working

Despite growing security investments, the Ponemon Institute’s Cost of a Data Breach Study shows cyberattacks were more expensive and more frequent in 2016 than ever before. What’s more, it takes companies weeks or even months to detect a successful breach. When we compare the time to detect a breach to the average response time for physical robberies, the problem becomes clear. On average, police across the country respond to a robbery in less than 10 minutes, meaning that a criminal robbing a jewelry store has a strong incentive to be in and out in less time than that. How much can be stolen in under 10 minutes? The average breach, on the other hand, lasts more than 100 days. One hundred days is a long time for digital thieves to operate unnoticed within a system, and the potential magnitude of loss is massive.

Traditional perimeter security vendors, and even so called “next-gen” solutions like endpoint protection platforms (EPP), promise to stop something like 99% of all threats. But remember, that 1% that remains represents all the breaches that make headlines.

Today’s threat landscape requires a new, layered approach that includes tools for prevention, detection, investigation, remediation and coordination, as well as a new way of thinking about how sensitive information is managed and stored. The shift to detection and response is underway. Gartner predicts that, by 2020, rapid detection and response solutions will make up the majority (60%) of cybersecurity budgets, up from only 10% in 2014. To accompany this shift, organizations also need to change how they think about and plan security at the highest levels.

Finding a Context for Data

The truth about cybersecurity is that security teams rarely know where the valuable data they protect is actually located. Worse yet, many organizations are unable to answer basic questions about what sensitive data they have and where it actually resides, or what sensitive data would do the most harm if lost or stolen.

Without this information, information security teams are unable to prioritize data protection. As a result, everything must be given equal weight, leaving them to adopt a boil-the-ocean approach to security that is inefficient and will become even more challenging with the proliferation of other challenges like shadow IT, data sprawl, the internet of things, and bring your own device policies. Organizations need to provide cybersecurity teams with context and insight into their sensitive data so they can understand what they are protecting and apply the strongest protection to the most valuable information.

Getting the Board Involved

In 2017, the C-suite and members of the board can no longer leave basic questions about sensitive data unanswered. By elevating the discussion of information security and governance to the board level, organizations can start to develop a data-centric protection strategy focused on proactive measures to reduce exposure to digital risk enterprise-wide.

The first step is to ensure C-level accountability over an information governance committee, ideally via a chief information security officer (CISO), CIO or CSO who also manages cybersecurity. Although cyberrisk management is often spread across many departments and stakeholders, a clear organizational structure is important so decisions can be made authoritatively and in a timely fashion.

After establishing accountability, ongoing education is imperative. Most corporate boards lack direct cybersecurity or digital risk management experience. Bring senior business leaders together at regular intervals for education sessions and risk-mapping to build shared understanding. When mapping digital risk, evaluate exposure and potential business impacts. Tying digital risks to business risks creates a common ground and shared vocabulary.

If unclear on where to start, consult with the audit committee. They are most likely already discussing cybersecurity risks with the auditors. This can be a great place to get involved if there is no cybersecurity- or technology-related subcommittee.

Testing Processes and Solutions

Testing of both technology and processes is an excellent way to take senior leadership one step further. Many organizations conduct simulations to test incident response plans and engage all stakeholders more closely with cyberrisk programs. New technology is also continually evolving, as is the area of proactive data management and information governance. Organizations should regularly review spending priorities, existing solutions and new entries to the market.
Patrick Dennis is the president and CEO of Guidance Software.