By Thomas Lyden, SSIC Managing Director
The world is changing swiftly. We’ve watched social media and smartphones explode. Soon we may see drone deliveries and self-driving cars, to name just two. According to a new study by Grand View Research, Inc., the global digital transformation market is expected to reach $798.44 billion by 2025. Larger firms are offering digital transformation services left and right. Companies pushing into digital may see it as required for their continued existence; however, it will be very costly to organizations that don’t fully understand the risk.
The cybersecurity industry has struggled to keep up with digital transformation. While security budgets have grown over the last five years, they haven’t grown in step with the risks that digital transformation introduces.
With this rapid push into “digital” and efforts to “monetize the data,” one might wonder how many of these organizations can quantify the risk to their business of doing so. Without a clear understanding of the magnitude of the risk your organization faces, how can you possibly set your security strategy and assign budget to reduce, accept, or transfer those risks? Corporate leaders have an imperative to ask the tough question first: how big is our cyber risk?
The size, frequency, and impact of data breaches like the Equifax edge case will only increase as the digital economy grows. What happens to the next organization that becomes a data breach edge case? Sure, the organization may get away with firing the CISO in the short term. In the long term, however, leaders and boards have a fiduciary responsibility to understand cyber risk before a security event occurs.
Leaders should be prepared to answer the following questions (and on the flip side, boards should demand sound answers):
- Can you quantify cyber risk?
- Can you measure the amount of cyber risk accepted, mitigated, or transferred (via cyber insurance)?
- Are you aligning security spend with digital investment?
- Do you know what the top controls are to mitigate risk? And how effective are those controls in reducing risk?
- Is your internal audit or Governance, Risk and Compliance (GRC) solution helping you quantify this? How?
Cybersecurity is simply another business risk, even when it comes to digital transformation. The challenge is that most entities are far behind the curve in understanding, measuring, and managing cyber risk. Where does your organization stand? Can you address each of the questions above? And if not, are you prepared to sit in the crosshairs and become the next edge case?