In response to this week’s downgrade by Moody’s of Equifax as a result of its 2017 massive breach of consumer data, six cybersecurity and risk experts offer perspective on this ongoing issue.
Laurence Pitt, Strategic Security Director at Juniper Networks:
“A stock downgrade following cyber-attack is not a surprise, in fact it cements what we have been saying for a long time: Cybersecurity is a boardroom issue. Think about it – everyone is in business with a single goal which is to make money, this includes the bad-guys except that they want to make their money by preventing someone else from doing the same. When calculating cyber-risk for insurance or investment reasons a modern enterprise needs to consider brand, reputation and fiscal impact as highly as the cost incurred in the mitigation of an attack. Unless they give equal view to all areas, then cyber could finish up under invested which equals risk.”
“For the cybersecurity industry this signals the need for a chance in conversation – many of us, Juniper included, have made this change, but the bottom line is that it’s no longer enough to talk about product, software, function, speeds and feeds. Now that investment conversations are occurring at board-level we need to arm the security team with data that they can use to provide security insight to the board – not data about what something does for them, but information on how it will ensure their business remains protected against unknown future threats.”
Byron Rashed, VP of Marketing at Centripetal:
“Cybersecurity is now part of the business process and that includes cybersecurity posture as an asset and/or liability where the BOD/investors will take into account. Securing the network, and therefore securing client/IP/other PII or important data is crucial for the solvency of the company.
“This will become a growing part of business moving forward like GDPR, CA Privacy Act, etc. that has gained momentum in the recent past. PII is extremely valuable to threat actors and this is no exception as to the liability and lack of reputation from such a breach that affects the business as a whole from the BOD to the sales team.
“It’s really meant as a wake-up call to organizations, the cybersecurity industry is matured to deliver products, services and training, it’s up to businesses to take full advantage of this.”
Gary Roboff, Senior Advisor at Shared Assessments:
“This is a wake up call for the board, and that’s actually a good thing. Actions such as the one Moody has taken are designed to deliver a message, and we know that when boards are engaged in cybersecurity risk issues risk management practices improve, sometimes dramatically.
“We may see more of these actions because cyber hygiene expectations are rising. GDPR and other recent regulations have upped the stakes for firms that don’t understand the amount of effort it takes to to provide optimal cyber risk mitigation.”
George Wrenn, Founder and CEO at CyberSaint Security:
“Especially in recent years, Boards of Directors must understand their riskiest assets and business endeavors from a cybersecurity risk management perspective. The CEO needs to be able to effectively communicate with metrics that those at the Board level can understand, effectively coupling both quantitative and qualitative risk and compliance analysis facilitated by concise, data-driven, and clear reporting structures. Large organizations are beginning to come up the curve on these ideas, and Boards are beginning to hold CEOs responsible for cybersecurity risk levels within their business. This shift means that CISOs and CEOs must work more closely together, and CISOs need a reporting mechanism to the CEO that takes cybersecurity risk and translates it to business terms that both the CEO and the Board can get behind and act upon.
“This incident has forever changed how CISOs, CEOs, and Boards communicate on cybersecurity risk and compliance, and the means by which organizations will achieve this feedback loop. Organizations of all sizes, large enterprises especially, have to get up the curve today in order to future-proof themselves for the complexity of cybersecurity now and in the future. Not only do organizations need to comply to cybersecurity best practices, but they also need to be able to communicate their posture in risk terms to business leaders, and at a level of abstraction that the Board can understand, calling for a new type of integrated risk management and reporting solution to come support this shift.”
Catherine A. Allen, Chairman and CEO at The Santa-Fe Group:
“This is a wake up call, along with pending suits, that cyber governance and best practices are key. Boards should have robust discussion on cyber practices, appropriate spending, risk or security committees and appropriate oversight. The patching issue with Equifax is an example of a lack of oversight and discussion.”
