A Forrester survey of mid-to-large companies conducted in April 2020 illustrates that C-suites continue to grapple with cyber security, both with the threat environment and with how to properly measure and align their cyber security strategies with business risk. Key findings include:
- 94% of firms surveyed experienced a business impacting cyberattack within the last 12 months
- 65% of these attacks involved operational technology (OT) assets
- Only 51% say their security organizations work with business stakeholders to align cost, performance and risk reduction objectives with business needs
- Customer attrition occurred in 31% of attacks on US companies, and in 34% of attacks on UK companies
The study found that when an organization's security and business leaders are aligned on agreed-upon contextual data, they have a much greater understanding of how to address these threats. For example: “85% of business-aligned security leaders have metrics to track cybersecurity ROI and impact on business performance versus just 25% of their more reactive and siloed peers”, and “72% of business aligned security leaders are very or completely confident in their ability to report on their organizations’ level of risk versus just 9% of their more siloed peers.” However, only half of organizations have business-aligned security leaders. Only 54% of security leaders and 42% of business executives report that their cybersecurity strategies are completely or closely aligned with business goals, and 40% of business executives report they rarely—if ever—consult with security leaders when developing their organization's business strategies.
The stark differences this survey reveals between companies with business-aligned security leaders and those without illustrate that many companies are still struggling to value and manage their cyber governance appropriately. IT has traditionally been seen as a business support function. But with digital transformation strategies now the key to future business success for companies across all industries, the need to secure these digital assets is critical. It is essential that security leaders within companies be involved in business decisions at a strategic level. And it is important to recognize that their involvement in these business decisions is not just a matter of lobbying for more money to be spent on cyber security. More important is to make sure that resources are allocated smartly and that cyber analysis and planning are part of every new business initiative that requires new or overhauled IT and/or OT. As the survey reveals, “85% of business-aligned security leaders have metrics to track cybersecurity ROI and impact on business performance versus just 25% of their more reactive and siloed peers”.
Another critical data point from the report is the high customer attrition following an attack. Most statistics on the cost of a breach do not take this into account and measure only direct costs such as repairing systems, the immediate revenue lost during downtime, and fines for loss of customer data. But the full financial impact on organizations is much greater.
For example, Cyberhedge analysis indicates that there is an average 20% drop in operating margins for companies experiencing a cyber-related operational disruption such as ransomware. Because of the high customer acquisition costs most firms face, the loss of customers weighs on company financials for an extended period. These are all reasons why companies that manage their technology poorly also underperform their peers in the market. Including these costs will give C-suites and boards a better understanding of the true cost of a breach (and the risk of poorly managed technology) when weighing the costs and benefits of the appropriate level of resources to devote to cyber governance.