It is a much-trumpeted business axiom that where many see only a problem, a few high performers see an opportunity. In the corporate world, being able to seize such opportunities often comes down, quite simply, to understanding what the board needs and going the extra mile to deliver it.
For CIOs, it is clearly a huge concern that cybercrime is becoming so prevalent — not least because it puts their jobs on the line if they fail to do enough to mitigate it. But at the same time, those who can translate a set of vague cyber risks into plain business and economic terms will be viewed rather differently around the boardroom table.
In our latest Global Information Security Survey, we found that more organizations are paying greater attention to the issue of cybersecurity. However, few of them understand the impact of cybercrime on the bottom line, or the financial benefits for the cybercriminals who launch these attacks. With this in mind, here are a few simple pointers on how to assess the scale of this risk:
- Don’t focus on the IT costs alone. CIOs often underestimate the costs of cyber attacks by simply focusing on their own functional P&L: how much it costs IT to upgrade or replace vulnerable servers, or implement new defenses. This narrow view, however, greatly understates the wider impact, which might affect your overall business revenues or profitability.
- Consider how an attack might affect your share price or market valuation. The share price of a financial services provider was hit when news broke that it had sustained a cyber attack. The breach affected several million of the company’s private and business clients, and stripped several billion dollars from its market capitalization. This kind of effect can put the relatively low IT costs of added protection in proper context when discussing implications with the board.
- Consider whether you are protecting the most vital information in your organization. Where does all the data sit that holds the findings of years of research into your new products and that supports your IP? Theft or corruption of this information could destroy future revenue streams and competitive advantage. This information is highly valuable, so cybercriminals would be prepared to mount a sophisticated and persistent attack to steal it and sell it.
- Think about the impact on customers — and, in turn, on your brand or reputation. Imagine a company suffers from a cyber attack, and millions of credit card details and other customer data are stolen. The actual direct losses to the company are far less significant than the damage to its reputation and customer loyalty. The cost of restoring trust among customers would be significant.
As we outlined in a previous post, cyber risk is becoming a career issue for CIOs. This applies not just to identifying and preventing cyber threats, but also to educating the board about the financial cost to the wider organization. So, when you’re the person quantifying cyber risks, you’ll not only raise a few executive eyebrows, you’ll also find yourself at the heart of the board-level debate on cybercrime.