Cyber insurance changes pushing IT security to the top of management priorities

Most organisations are happy to invest in information technology that can support their staff and day-to-day activities, Julian Critchlow of Extreme Networks writes.

For many years, investments in IT security have been tempered with the additional protection of cyber insurance. However, what with recent global tensions, cyber insurance business models are fast evolving, and many organisations will need to rethink both their cyber security posture and their insurance and risk management strategy. The Lloyd’s Market Association’s Bulletin* guidance on cyber insurance exclusions means an immediate need to reflect and revaluate.

Up until recently, security has often been seen as a cost centre rather than a source of potential profits. It is also not a trivial task to put in place what is required to minimise an organisation’s risk profile. However, while this spend encompasses far beyond product solutions and can be transformational across all aspects of a company, the weakest link continues to be human error.

Also, there are other issues that are occupying the minds of senior managers, including supply-chain problems and economic downturns. Many fall into the trap of thinking it’s better to focus on existing challenges and wait to address potential ones.

============

No matter the opinion of management, security threats are increasing in number and sophistication. Unfortunately, it’s not a matter of if an organisation will suffer an attack but when.

There are three ways a corporate security team can capture the attention of senior management and convince them of the necessity to invest in cyber security tools and processes. These ways are:

Outline the issue in business terms: in many cases, IT departments and managers present their cases for spending based on very technical concerns that can be confusing to non-technical people. This then makes them easy to reject.

A better approach is to focus on the implications from a business perspective. Clearly explain the damage that a successful breach would have on the organisation and the costs that would be incurred. Cite examples of recent breaches within other companies and the fallout that occurred as a result.

IT teams also need to highlight the impact that a security breach could have on the organisation’s reputation in the wider market. Explain that this could result in long-term losses of customer confidence and reduced spending. The more real-world context that can be provided to senior management, the greater the chance they will sign off on security budgets.
Present as a team: rather than just having the IT or security team present to senior management, involve representatives from other areas. For example, the head of the manufacturing department could outline the implications that a data breach would have on the ability to fulfil customer orders.
The research and development team could explain the long-term implications of sensitive corporate data being leaked or locked up as the result of a ransomware attack. Such an event could have a devastating financial impact on the firm.

Also, the finance team could explain the monetary fallout that disruptions would have to the company. As well as short term profits, it could have a negative and long-term impact on the share price. By coming together to demonstrate the wide-reaching effects of a potential security breach, teams can help company leaders understand that it is more than an IT issue and needs to be prioritised accordingly.
Become a management priority: Maintain consistent communication with senior management to ensure that IT security remains among the top priorities for the organisation. Managers are constantly dealing with multiple issues and so being high on the list is vital.

Instead of only reporting when there is a problem, provide regular reports on any attacks that have been prevented and the measure that ensured critical resources remained protected. Also, provide clear explanations of security breaches that take place in other organisations and the shortfalls that allowed those breaches to occur.

A good way to achieve priority status is to arrange for regular board-level updates. This will allow teams to highlight important issues and address any questions from management directly.

The task of ensuring that security becomes and remains a management priority is an ongoing one. However, through regular and consistent communications, the message will get through. The result will be approved budgets that will allow the IT team to put in place the measures required to ensure the risk of future attacks and disruptions can be mitigated.

Julian Critchlow is the ANZ general manager at Extreme Networks.