Cyber Perspective – Executive, Board Accountability and Credit Rating

As cyber incidents and breaches become routine, they have turned into a significant public-interest issue and are now established as a mandatory focus area for sustaining the business.

In mature enterprises, the security function drives differentiation on privacy, security and assurance for its stakeholders, which enables their overall growth. Here the CISO is in control of security and a key enabler of the business.

In enterprises that are yet to mature on accountability and commitment, the security function is treated as a mere compliance function on record, with limited resources and little management commitment. Here the CISO is a low-level manager at risk of becoming the ‘chief scapegoat officer’, surviving at the mercy of the IT Manager or, at best, the CIO or COO.

The cyber world, the business model and its threats have changed in recent years; new IT architectures, security controls and approaches are required to operate effectively in today's heterogeneous cloud environment. Executives somehow seem to miss these changes and their impact on cybersecurity.

While CISOs have the right intent to make things better, many times a potential cyber incident is what triggers management's attention, at least for the patchwork needed to save the situation.

A few recent interventions from regulators and agencies may force the right attention from executives on adequate and effective cybersecurity and privacy in the enterprise, in fulfilling their commitments to stakeholders on security, privacy and assurance.

The recently proposed “Corporate Executive Accountability Act” would make executives of large enterprises liable.

The Bill's stated purpose is "...to establish criminal liability for negligent executive officers of major corporations...that affects the health, safety, finances or personal data... " of a significant number (not less than 1%) of individuals in the United States.

https://www.forbes.com/sites/bobzukis/2019/04/10/regulators-want-ceos-to-go-to-jail-for-cyber-failings-should-you/#71a547a219fa

Stakeholders expect the Board to take responsibility, accountability and oversight for potential cyber and privacy risk, by having proper governance, policies and systems that ensure information and systems are safeguarded at all times throughout their lifecycle.

The latest intervention comes from credit rating agencies.

"warns that cyber defenses as well as breach detection, prevention and response will be higher priorities in its analysis of the creditworthiness of companies across all sectors, including healthcare and financial services".

https://www.bankinfosecurity.com/moodys-warns-cyber-risks-could-impact-credit-ratings-a-8702

https://www.cnbc.com/2019/05/22/moodys-downgrades-equifax-outlook-to-negative-cites-cybersecurity.html

Saving cost by reducing security and privacy spend is not the right approach, since the cost and impact of a breach or incident are many times greater and long-lasting.

Cyber risks and events are real and can happen to anyone at any time if the required importance and priority are not given on a continuous basis. CISOs are fighting an internal battle to get attention, resources, support, authority, changes, investments and executive support...

Right executive intervention and prioritization is the need of the hour!

Pradeep Krishnan Nair

Assistant Director Information security, CISSP, PMP, ISO 27001 LA

5 years

well said


Agree with the tone at the top approach.


More articles by Sunil Varkey
