In response to this week’s downgrade by Moody’s of Equifax as a result of its massive 2017 breach of consumer data, six cybersecurity and risk experts offer perspective on this ongoing issue.
Laurence Pitt, Strategic Security Director at Juniper Networks:
“For the cybersecurity industry this signals the need for a change in conversation – many of us, Juniper included, have made this change, but the bottom line is that it’s no longer enough to talk about product, software, function, speeds and feeds. Now that investment conversations are occurring at board level we need to arm the security team with data that they can use to provide security insight to the board – not data about what something does for them, but information on how it will ensure their business remains protected against unknown future threats.”
Byron Rashed, VP of Marketing at Centripetal:
“This will become a growing part of business moving forward, like GDPR, the CA Privacy Act, etc., that have gained momentum in the recent past. PII is extremely valuable to threat actors, and this is no exception as to the liability and loss of reputation from such a breach, which affects the business as a whole from the BOD to the sales team.
“It’s really meant as a wake-up call to organizations; the cybersecurity industry has matured to deliver products, services and training, and it’s up to businesses to take full advantage of this.”
Gary Roboff, Senior Advisor at Shared Assessments:
“We may see more of these actions because cyber hygiene expectations are rising. GDPR and other recent regulations have upped the stakes for firms that don’t understand the amount of effort it takes to provide optimal cyber risk mitigation.”
George Wrenn, Founder and CEO at CyberSaint Security:
“Especially in recent years, Boards of Directors must understand their riskiest assets and business endeavors from a cybersecurity risk management perspective. The CEO needs to be able to effectively communicate with metrics that those at the Board level can understand, effectively coupling both quantitative and qualitative risk and compliance analysis facilitated by concise, data-driven, and clear reporting structures. Large organizations are beginning to come up the curve on these ideas, and Boards are beginning to hold CEOs responsible for cybersecurity risk levels within their business. This shift means that CISOs and CEOs must work more closely together, and CISOs need a reporting mechanism to the CEO that takes cybersecurity risk and translates it to business terms that both the CEO and the Board can get behind and act upon.
“This incident has forever changed how CISOs, CEOs, and Boards communicate on cybersecurity risk and compliance, and the means by which organizations will achieve this feedback loop. Organizations of all sizes, large enterprises especially, have to get up the curve today in order to future-proof themselves for the complexity of cybersecurity now and in the future. Not only do organizations need to comply with cybersecurity best practices, but they also need to be able to communicate their posture in risk terms to business leaders, and at a level of abstraction that the Board can understand, calling for a new type of integrated risk management and reporting solution to support this shift.”
Catherine A. Allen, Chairman and CEO at The Santa-Fe Group:
The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.