Last Updated on July 1, 2019
In recent client engagements I’m seeing, more and more consistently, the path that information security will take for the foreseeable future. Just as companies have focused on financial and legal risk management for perhaps hundreds of years, it’s clear that the C-level view is rapidly maturing and that senior executives are increasingly looking at security from the perspective of cyber risk management. I refer to this as security “moving from the server room to the board room.”
Today’s emerging view is in stark contrast to what we saw not that long ago, when information security was seen as purely an IT issue that business leaders didn’t want to deal with directly. Back then, security was understood and discussed mostly on a technical level, not a business level, and few senior executives were concerned about technology per se. But now executives realize they can’t avoid security issues any more than they can avoid financial or legal issues. Cyber risk has become a primary boardroom focal point.
To address cyber risk, I see executives focusing on four core concerns. Why these four issues among so many? Because if your business doesn’t have these bases covered, you’re not going to get very far. They are:
- Advanced Persistent Threats (APTs). Whether sponsored by nation-states or organized crime, the end goal of APTs is the same: advancing financial advantage and/or a political or social power play. As APTs have ramped up, smaller businesses have come well within their scope. Any adversary can easily find out about your company’s financial status and probable security posture, and target you at will. That is the harsh reality of today’s business landscape.
- Moving to cloud solutions. Seeking to decisively enhance their security postures to manage the risk of APTs and other threats (among other drivers), more and more clients are asking us: “How do we address security in the context of moving to the cloud? Because we no longer want to buy, maintain and secure all that infrastructure ourselves.” Security and cloud are now part of the same conversation, versus moving to the cloud now and worrying about security later.
- Finding security leadership. Having moved from the server room to the board room, security is no longer just an IT management issue. Analogous to the roles of the CFO and the General Counsel, today’s CISO must rise to a similar level of responsibility for the organization’s ongoing viability. Further, the move to cloud requires expertise around security architecture, auditing, maintenance, etc. that is different from “traditional” IT security roles. Attracting effective security leaders in these emerging areas given today’s leadership shortage is a major CxO concern.
- Compliance with privacy mandates. With the emergence of GDPR and CCPA, many of our customers are worried about compliance with privacy regulations. They realize that security and privacy domains are similar in many ways, but privacy brings its own, unique challenges—and now is the time to meet them.
Yes, there are many other vitally important focus areas within information security, such as third-party risk management (TPRM) and IoT-related risks. But the above are the top risks that I consistently discuss with business leaders.
If your organization faces technology, architecture and leadership challenges around managing cyber risk, contact Pivot Point Security. We have the depth and breadth of expertise it takes to support your “server room to board room” evolution.