Cybersecurity concerns becoming a boardroom issue

The increasing frequency, sophistication, and business impact of cyber-attacks have pushed cybersecurity planning and protection from an operational concern of IT departments to a key theme on the strategic agenda of boards and CEOs.

Senior levels of the business still face an information gap that makes it difficult for them to align investments in risk protection to the true strategic value of an organization’s digital assets; this, according to a report by global business consulting firm Bain & Company.

Statistics show that:

• The median cost of cybercrimes jumped 56 percent to $5.9 million per organization in 2011 over 2010, the most recent data available
• Web-based attacks during the same period increased to 4,500 per day, a 36 percent rise
• Mobile malware quadrupled in 2013, with Android attacks increasing by an astounding 26 times
• DDoS attacks increased 27 percent in the same period
• Financial motives now drive nearly 95 percent of cyber-attacks, placing the target squarely on strategic assets that can be monetized after a breach.

Every organization that has suffered a recent security breach, the report notes, has also already had some form of cybersecurity in place. Beyond that, too many organizations fail to align IT security capabilities with larger goals and overall risk appetite.

The report points to disconnects between an organization’s risk-management efforts and the development of necessary cybersecurity capabilities as a hidden cause behind the material causes of individual incidents, because business groups and IT often fail to discuss emerging threats or the relative importance of different kinds of digital assets.

Instead, according to the Bain report, compliance obligations, not strategy implications, are the greatest driver for cybersecurity considerations for three-in-four CIOs. The finding demonstrates the over-reliance placed on operational approaches to security.