19400

Guest post by Gerard Verweij, US Advisory Technology Consulting Leader at PwC

When you hear a lot of doom and gloom you have a tendency to go numb after a while. But, then something happens so alarming that reminds you of the urgency of the situation and instills in you a renewed commitment to the cause. In the last few months researchers and security experts have pulled off a series of technology demonstrations that should send a chill down the spines of senior executives and push cybersecurity up the list of priorities.

Up until now, management hasn’t considered cyber attacks as a matter of life and death, but that’s about to change. As technology powers every aspect of our lives, hackers will have an open field to exploit our relentless reliance on technology. Defacing websites, stealing customer data and holding information hostage will look like child’s play in comparison to recent bone-chilling demonstrations in the domain of the Internet of Things.

Not only could hackers steal cars, they could halt them at high speeds, as demonstrated by security researchers. University students used a test dummy to speed up and slow down a pacemaker. And a security expert showed how to manipulate a patient’s drug injection pump. Imagine the havoc terrorists could wreak with these technology vessels and others such as planes, power plants, water management, communications and trains. Even our food supply is on the table.

Even though these demonstrations were simply that, the results prompted recalls and re-architectures. These costly do-overs could have been avoided if management considered cybersecurity at the inception of the initiatives. But most executives don’t, based on my personal experience.

Considering the questions I get from senior executives I find it hard to believe that they have considered the new threat landscape. They ask questions such as: How do we transfer cybersecurity risk to our insurance provider?; How does our cybersecurity program compare to the competition? How much should we spend on cybersecurity? What senior executives should be asking: How are cyber threats going to cut to the core of our business?

Making a Cultural Course Correction

Every company is becoming a software company. That means technology is pervasive, lives everywhere and is increasingly embedded directly into products and services. Hackers will increasingly have the power to take a company to its knees, rather than temporarily knock it off balance.

On the surface, it seems like companies are beginning to understand the seriousness of the new threat landscape. According to The Global State of Information Security® Survey 2016, the vast majority of companies either have a Chief Information Security Officer or a Chief Security Officer. In addition, 46% of survey respondents said their Board participates in information security budgets, which may have contributed to this year’s 24% boost in security spending.

But hiring a senior executive to focus on security and throwing money at the problem is not enough. Gone are the days when management had the luxury of seeing cybersecurity as IT’s responsibility and perimeter security as the primary defense. The core business is at stake and management must be intimately involved in making cybersecurity a business imperative throughout the C-suite and beyond. Management must be trained in how to consider and counter threats and cybersecurity should be a standing agenda item that is considered in every single thing a company does, including buying a new business, developing a new product or service, entering an emerging market, etc.

The good news is that the examples discussed in this blog remain in the realm of the hypothetical. But make no mistake about it. The new threat landscape is taking shape before our eyes and now is the time for senior executives to sharpen their focus on cybersecurity.

Follow @Gverweij on Twitter.

Image shared by the European Southern Observatory

19400