This is the twelfth in our series of cybersecurity predictions for 2016. Stay tuned for more through the end of the year.
After yet another year of significant breaches of major organizations, senior executives have finally woken up to the threat of cyberattacks and are searching for answers to how to make the proper investments in people, process, and technology to develop a prevention mindset. To me, this will manifest itself in several ways in 2016:
The number of boards that actively address and govern computer and information security will increase
It has been a tough few years for companies and organizations seeking to avoid the headlines after suffering a major data breach, as hundreds of millions of records have been stolen from organizations, compromising sensitive intellectual property, credit card numbers, and even personal health information. In turn, corporate executives and boards of directors have realized that cybersecurity represents a significant enterprise risk and have shifted to risk management approaches in order to better fulfill their fiduciary obligations to protect the assets of their organizations.
In 2015 we witnessed a definitive shift in the way that senior corporate leadership and boards view cybersecurity; the needle has moved. Indeed, the 2015 Governance of Cybersecurity report from Georgia Tech and Palo Alto Networks found that 63 percent of boards are actively addressing and governing computer and information security – nearly a two-fold increase from the 2012 report.
In 2016 we will continue to see this upward trend of active, board-level governance of cybersecurity activities, as cyber becomes more relevant to most, if not all, lines of business operations. Because of the rapid growth in threats to physical infrastructure, in particular, we predict, and trends support, that boards in the industrial and energy/utility industries will continue to raise their levels of involvement and governance to those of the financial services and IT/telecom industries.
Executives and board members will shift from awareness to accountability and action
With the entrenchment of cybersecurity as a senior executive and board-level issue, awareness campaigns will become less pertinent and there will be an increased focus on practical business-level cybersecurity discussions aimed at helping boards and executives better protect their businesses. In 2016, boards and executives will “get it,” and will, consequently, need better advice on “what to do about it.”
While, as mentioned above, two-thirds of boards are actively addressing and governing cybersecurity, another 2015 survey conducted by the New York Stock Exchange and Veracode found that only a third of boards have some degree of confidence that their companies are properly secured against cyberattacks. The same survey also found that boards are most likely to hold the CEO and the entire executive team accountable for a major incident.
With boards more focused on cybersecurity, and CEOs and executive teams clearly identified as accountable for managing cybersecurity risk, we believe that 2016 will see increasing interest in business-level frameworks to assist in related decision-making. While there are many technical security models, executives and boards lack comparable models for evaluating the essential productivity-versus-risk question of cybersecurity. Moreover, unlike other business functions, cybersecurity does not yet have well-established and rigorous analytical tools to inform decision-making. Nevertheless, several efforts are underway to address this gap.
Expect to see increasing attention paid to the work of organizations like the World Economic Forum, which this year debuted a “cyber value-at-risk” framework at its Annual Summit in Davos, Switzerland. The framework attempts to capture existing vulnerabilities, the value of assets, and the profile of attackers, with the ultimate goal of modeling potential losses from cybersecurity incidents over a given period of time at a high confidence level.
Following the landmark move of Institutional Shareholder Services (ISS) to advise against the re-election of seven of Target’s ten board members in the wake of that company’s major 2014 breach, expect to see more cybersecurity-related shareholder action in 2016’s proxy season, particularly for companies that have experienced incidents to date.
Restructuring cybersecurity governance and reporting
Finally, we predict that 2016 will bring a major shift: more CISOs will report directly to the CEO, putting those individuals on par with other senior officers. The CEO is ultimately responsible for the risk of a business, a responsibility he or she cannot delegate to any subordinate. As companies continue to shift toward a risk management approach to cybersecurity, the CISO and CIO must be peers to allow for a healthy and balanced productivity-versus-risk discussion that informs decision-making. This represents a significant departure from the status quo of CISO reporting, and the shift will take time, but we believe it will begin in earnest next year.
Want to explore more of our top 2016 cybersecurity predictions? Register now for Ignite 2016.