Kara Nortman
More posts from Kara Nortman
When you think of the core members of the C-suite, you probably think of the usual characters: CEO, CFO, COO and maybe a CMO. Each of these roles is fairly well defined: The CEO controls strategy and ultimately answers to the board; the CFO manages budgets; the CMO gets people to buy more, more often; the COO keeps everything running smoothly. Regardless of the role, all share the same objective: maximize shareholder value.
But the information age is shaking up the C-suite’s composition. The cyber market is exploding in an attempt to secure the modern enterprise: multicloud environments, data generated and stored faster than anyone can keep up with and SaaS applications powering virtually every function across the org, in addition to new types of security postures that coincide with that trend. Whatever the driver, though, this all adds up to the fact that cyber strategy and company strategy are inextricably linked. Consequently, chief information security officers (CISOs) in the C-Suite will be just as common and influential as CFOs in maximizing shareholder value.
It’s the early ’90s. A bank heist. A hacker. St. Petersburg and New York City. Offshore bank accounts. Though it sounds like the synopsis of the latest psychological thriller, this is the context for the appointment of the first CISO in 1994.
A hacker in Russia stole $10 million from Citi clients’ accounts by typing away at a keyboard in a dimly lit apartment across the Atlantic. Steve Katz, a security executive, was poached from JP Morgan to join Citi as part of the C-suite to respond to the crisis. His title? CISO.
After he joined, he was told two critical things: First, he would have a blank check to set up a security program to prevent this from happening again, and second, Citi would publicize the hack one month after he started. Katz flew over 200,000 miles during the next few months, visiting corporate treasurers and heads of finance to reassure them their funds were secure. While the impetus for the first CISO was a literal bank heist, the $10 million stolen pales in comparison to what CISOs are responsible for protecting today.
Take the recent SolarWinds breach. SolarWinds stock closed December 10, 2020, at a price of $23.55. As news of the supply chain attack broke over the next week, the share price plummeted 40% in seven days and approximately $3 billion in market cap was wiped out.
Today, more than three months after news of the hack first broke, prices have only climbed back to $17.24, still a $2 billion blow. The financial impact is material, but consider the data exposure as well. When Equifax suffered a data breach in 2017, 143 million records were exposed. It took nearly two years for stock prices to return to pre-breach levels. These breaches can erode consumer and Wall Street confidence with a lasting impact.
More recently, the pandemic and the rapid move to remote work shoved CISOs into the spotlight. CISOs were part of the core executive team responsible for crisis response and interacted with CEOs and boards during this time more than ever before. The migration to remote work required security solutions: increasing patch management hygiene of known vulnerabilities, tracking endpoints that are part of bring your own device (BYOD) programs, and securing overloaded VPNs or standardizing the security posture of zero trust.
Getting an organization set up for remote work is just the beginning. The untested attack surfaces in the WFH world resulted in 90% of organizations seeing an increase in the number of cybersecurity attacks amid the pandemic. During this same time, there was a 72% increase in the creation of new ransomware. Hackers came out in droves to take advantage of weaknesses.
Similar to Katz at Citi, budgets will grow and CISOs will receive blank checks to build security practices to support the new ways of working brought on by the pandemic, as well as the multicloud migration, data proliferation and SaaS-powering functions across the organization.
Bringing the CISO into the C-suite and into company strategy makes us better and more resilient across all parts of an organization, from developers and API hygiene to adding hybrid roles that sit between IT infrastructure, development, cyber and the business side of the house, as well as updated board audit committee best practices. Like financial and DEI audit committees, security audits are becoming another core component of board oversight, making CISOs that much more central in the C-suite.
As investors seek outsized returns, they need to be more engaged with the CISO beyond the traditional security topics. If you have been reluctant to invest in security, now is the time.
We are no longer just growth investors, brand investors and people investors; we are also security investors, because the lines will continue to blur between cyber and adjacent spaces. Grabbing this identity as your own, even just a toe in the water, has the potential to make you a better investor even if you never directly invest in cybersecurity solutions. Plus, the industry needs diversity of thought. As we collectively define the “new normal,” CISOs must have a seat at the table to establish cyber strategy that is company strategy.
Why ‘blaming the intern’ won’t save startups from cybersecurity liability
Comment