Editor’s note: This is the first article in a two-part series about cybersecurity preparedness. Read part II, “What Makes a Good CISO?”
Cyberattacks are becoming increasingly common, and they pose a major threat to companies across industries. With mounting pressure from shareholders and regulators, as well as the growing adoption of digital and cloud-based technologies, protecting sensitive data and operating systems has become a top priority for organizations. But our work with numerous clients has uncovered a concerning trend: many organizations lack the expertise and resources to address cybersecurity effectively, despite recognizing the urgency of the issue.
However, inaction is no longer an option. By 2024, cyberattacks are projected to cost businesses of every industry $5 trillion globally, with far-reaching consequences, including financial and reputational damages that affect the company, its customers, and the entire ecosystem.
The question on every leader’s mind now is: what is the best way to prepare? Should businesses hire a Chief Information Security Officer (CISO), or bring in an advisor to the organization’s board? Based on our work, we have several recommendations to help you navigate toward the best option for your organization:
Each business context requires a different cybersecurity strategy. Factoring in the types of threats faced and their level of criticality is also key in the decision-making process. The assets and exposures that attract those threats may include manufacturing facilities, high-value IP (next-generation tech, in particular if related to communications or weapons), infrastructure (e.g., energy generation or distribution), ransomware targets (pretty much anyone), and exploitation opportunities (financial institutions, sensitive customer information).
Being open to exploring hybrid models can be a way to avoid missteps. What level of sophistication does your organization need in a CISO or advisor? Companies with low threat levels (are there any left?) or limited resources may want to rely on external vendors and advisors in the early stages of their cybersecurity journey, rather than hiring a CISO immediately.
For example, with your Security Operations Center (SOC), no one will know your business as well as you do, so keeping at least part of the SOC in-house may be ideal. However, you can rely on an external provider for the larger portion of your needs, which also enables rapid scaling of team and resources when required. Another aspect to consider is the organizational structure. Many times CISOs report to the CIO, as strong collaboration with tech teams is critical; in other instances, particularly when cybersecurity is critical enough to the business, the CISO is a C-level role in its own right.
Once you have defined the capabilities you need, it will be easier to define the required structure, team size and seniority of your Information Security Officer. Unfortunately, there is mounting pressure on compensation; one smart strategy is to look for seasoned executives who have grown within a company for some time and would welcome an opportunity to bring their compensation up to market levels. In addition, ensure you are developing your tech teams, exposing them to training and networking events and empowering them to grow in their roles. Finally, it is never too early to define a succession plan.
Enhancing cybersecurity is not an easy journey, and it can be filled with anxiety. Bear in mind that no company is ever fully ready. The key to success is to treat it as a continuing journey and to keep developing your capabilities.