Cybersecurity is Now Part of How Investors Value Companies

February 28, 2013
By: Peter Bernstein

Like it or not, bad news sells. And when it comes to business headlines, a dominant theme has been cyber-based security breaches at major companies around the world. The reality is that no company, and as we also know no government, is immune from being attacked by those with malicious intent.

That said, it used to be, and not that long ago, that the measures companies took regarding risk mitigation in general, and more specifically against threats from cyber attacks ranging from massive distributed denial of service (DDoS) attacks on websites to zero-day polymorphic Advanced Persistent Threats (APTs) from a variety of malware, were just a check box item that was part of a company’s operational expense. However, a new survey by HBGary says that investors now want to know how well the companies they invest in are investing in cyber protection, and they are demanding transparency as to the frequency and depth of breaches.

What the survey found is good news for security vendors, who are no longer going to be seen as a necessary nuisance to deal with but rather as central to companies’ economic viability. The more interesting aspect of the survey is in the questions it raises going forward about what metrics will be used by a variety of stakeholders (customers, channel partners, ecosystem members, investors and others) in determining whom they can trust to do business with and bet their future on.

“The survey says!”

HBGary, a division of ManTech International Corporation, is a leading provider of Enterprise Incident Response (EIR) solutions and services. Because of its role in helping enterprises and government agencies find, detect and mitigate cyber risks, HBGary asked noted market research firm Zogby Analytics to find out how the level of cyber security a company employs impacts how investors feel about that company. What the survey of U.S. investors showed is that cyber attacks, and more importantly how companies respond to them, are increasingly top of mind in investment decisions.

I will not spoil the delight or lack thereof to be gained from reading the entire survey results except to titillate you to click on the link to get the full copy with a few key data points gathered from over 400 respondents in the U.S. investment community:

“For some time, we have said that cybersecurity cannot be a ‘checkbox’ item on a company’s operational to-do list,” said Ken Silva, senior vice president of cyber strategy for ManTech’s Mission Cyber & Intelligence Solutions Group. “This survey proves that today’s investors are more educated about the damage cyberattacks can cause to a company’s brand and financial bottom line. The high cost of cyberattacks cannot be understated.”

What was interesting was that investors are not only looking at the actual attacks. That last item, the concern about how attacks are dealt with, is likely one of the reasons the RSA show I have been attending is not just packed with vendors with all kinds of new capabilities on a myriad of security fronts, but also had a very healthy number (one the organizers were delighted by) of not just CSOs and CIOs but other C-levels.

Back to the survey, “This is good news,” said Jim Butterworth, chief security officer for HBGary. “Fortunately, corporations now have access to cutting-edge tools to conduct monitoring, incident validation, response and other key phases of incident response on their own – without need for expensive services.”

One other fact of note from the survey: investors are twice as concerned if a company had a breach of customer data (57 percent) versus theft of intellectual property (IP) (29 percent). Butterworth noted that, “Consumer data breaches grab the headlines and the large liability settlements. But the lack of concern for IP theft underscores the need for broader education about the financial risk IP theft poses to a company…The pilfering of American company trade secrets and other sensitive data is happening every day – costing our corporations billions of dollars in lost revenue.”

At the end of the day, what the survey highlighted was a theme I heard from several vendors at the RSA show over several days: organizations of all types need to take a holistic approach to risk mitigation, particularly in regard to cybersecurity. This means having a strategy based on a layered approach as to what data is important, and hence the level of protection needed when it is static (stored) as well as on the fly, and therefore how much needs to be invested in best practices to get peace of mind.

In the past, while important, especially for IT professionals, such questions were, as HBGary notes, relegated to being check list items and an operational expense. With so much literally on the line/online, it is now true that the whole world is watching, and what they see and want to see going forward is something not just CSOs but all C-levels are going to have to take into serious consideration when evaluating their risk mitigation investments and corporate policies and rules. It will be interesting to see how far the needles move on this type of survey in the next year.




Edited by Amanda Ciccatelli

