A decade ago, corporations viewed cybersecurity as a niche. It was — and, to a certain extent, still is — a micro-focused initiative best left to the IT department or chief information security officer.
However, high-profile security breaches at Uber and Equifax — just to name a couple — show that this bottom-up management approach should be revisited. According to a joint report by McAfee and the Center for Strategic and International Studies, security breaches cost companies between $445 billion and $608 billion in 2017, while Gartner predicts that companies will pour $96.3 billion into cybersecurity in 2018, up 8% from last year.
These figures show that enterprise executives need to understand cybersecurity's macroeconomic implications and not treat it with microeconomic solutions. My 10-plus years as an institutional investor exposed me to shareholders and high-profile board members failing to prioritize cybersecurity as a seriously viable threat to shareholder value. It is increasingly imperative for C-suite members to regard cybersecurity as a macro-level issue that must be monitored for the sake of the entire enterprise.
A Refocused Perspective
The initial step to solving this problem is to recognize its origins. Big companies are investing in protection for themselves while neglecting the security of the mid-sized companies to which they increasingly outsource millions of dollars in operations overhead.
The lack of protection these smaller entities maintain heightens the overall risk carried by larger companies, especially as the pace of outsourcing increases. This trend results in a structural lack of stability within the interdependent system of corporate data networks. In a sense, despite the increased annual spending on cybersecurity by large corporations, we have an overall collective network that is fairly brittle due to the exposure of large hubs serviced by hundreds of mid-sized companies.
The problem, then, is that large companies are unable to determine whether their cybersecurity spending actually accomplishes what they pay for. How could it, when mid-sized companies continue to take on the critical functions for large corporations while lacking adequate network security protection?
Protection from cyber risks is far from a micro issue. It's a structural problem, increasingly at odds with companies' strategies of boosting profitability from outsourcing.
Changing the Scope
Board members need to create a dialogue around cybersecurity that leads senior leadership to change. They should consider implementing the following three strategies to make cybersecurity a top priority within the C-suite:
1. Demand proof of network security in monetary terms. Are you making money from outsourcing's network effect? Members need to discuss productivity gains from outsourcing against all the risks involved. There seems to be a major disconnect between productivity and the financial impact of network vulnerability it can create.
Companies need to weigh the total profits they gain from outsourcing against the ability to protect their digital assets and intellectual property. Theoretically, if companies are making larger gains from outsourcing, wouldn’t it make sense to invest in more money to protect the network? This is the very thing that enables companies to make more money, and it needs to be appropriately protected and verified.
Using financial metrics — as you would with any other macro risk — to measure network security provides C-suite members with tangible proof that a top-down cybersecurity approach benefits the bottom line.
2. Focus on structure instead of technology. In addition to proper protection for outsourcing, companies should pay more attention to addressing structural challenges. Professionals are constantly implementing new technology because, for the most part, it makes the tedious more convenient. As the use of more convenient — and often easy-to-exploit — technologies continues to exponentially grow, so will the cybersecurity problems.
In the early 2000s, security professionals worked with intrusion detection prior to what we now know as firewall development and implementation. Now, we focus on botnets, network analysis, and alerts, but we're still not catching up to the problem.
Security measures are truly lacking compared to the growth of networks. Adding more technology is not the answer to this problem. In some cases throughout the years, the false sense of safety from a new security technology has made the situation worse. Focusing on structural solutions allows cybersecurity to scale with a company and be factored into any changes a company must endure.
3. Emphasize network collaboration. Evolutions within industries are nothing new. For instance, when merchant ships went down 400 years ago, single-family fortunes were lost in an instant. Over time, parties interested in expanding a network of trade communication across seas realized that they must spread the risk among the multiple parties in order to encourage more productive risk-taking. We saw this collaborative risk approach in sea navigation, and in other major forces of productivity: petroleum exploration, electric power, and now with interconnected IT networks.
Each case presents advantages and obstacles while having one key component in common. No matter how complex the system, it is crucial to have participants in your networks collaborate in order to determine the risks and to address them fully. Spreading the risk among a large number of participants is an effective, trustworthy way to move forward.
The bottom line is that cyber risk is a macro risk and we need to address it in a manner that reflects its serious financial impact on companies. We need to focus on structural issues rather than technology issues, to invest in protective measures that work, and to measure it in financial terms in order to help open communication about the impact of cyber risk on the entire business structure.
We can’t pin this as a mid-market problem when we all share the same risks from vulnerabilities across an interdependent marketplace. Whether you are a large or a mid-sized company, these issues will affect you, and they need to be addressed strategically from the top down, not the bottom up.