Security & IT Leaders Can Use These 8 Stats to Improve Board Conversations

Proactively address these findings to ensure your business will thrive and not just survive

Boards are getting increasingly savvy in areas like cybersecurity and privacy, particularly given the growing importance of technology in how businesses deliver to their customers. Chief information security officers (CISOs) and chief information officers (CIOs) are, in tandem, being asked with increasing frequency to present cybersecurity risks and how those risks relate to potential impacts on their businesses.

The good news is that CISOs and CIOs are innately aware of the importance of incidents to their organizations and careers. Unfortunately, many of these leaders are far more versed in technology than in business impacts and have struggled to present the value of their investments in terms of risk reduction and mitigation. CISOs and CIOs also face business partners and executives who are unfamiliar with the technologies and threats and who struggle to understand whether their business will be resilient during an attack.

The eight stats below come from the 2022 round of security and privacy reports published annually around this time each year. Each statistic demonstrates why today’s top leaders can no longer wait to react to incidents and data breaches. Instead, the best are proactively leaning in to shore up their defenses and leverage stats like these to educate their leadership along the way. 


  1. 83% of companies have experienced more than one data breach

Although it may be appealing to presume a security or privacy incident won’t have an impact on your business, the chances are about even that it will. Smaller incidents occur much more frequently than the massive breaches that show up in the news all too often. What’s worse, however, is the number of companies experiencing more than one breach – more than three-quarters, according to the Ponemon Cost of a Data Breach report.

A single, traditional written incident response plan that runs to dozens of pages shouldn’t be considered the core of your incident response. Your team will not have the time or mental bandwidth to read it when an incident occurs, and trying to comprehend it will only consume attention that responders need elsewhere. Instead, put together playbooks and scenarios tailored to your business, industry, geographies, and threats, and regularly report on threats and incidents faced by companies that look like yours.

  2. The cost per incident averaged $4.35 million for those involving just 2,000 to 102,000 records

The cost of data breaches continues to rise. While the average cost of a breach worldwide is $4.35 million, if the organization doesn’t have tailored playbooks and hasn’t exercised a response team, that estimate rises to $5.92 million—36% more than the average and a whopping 58% above businesses with incident response capabilities and training.

Most people don’t realize that these and related statistics cited by Ponemon exclude mega-breaches. The average cost of mega-breaches involving 50 to 60 million records continues to be astounding—$387M. The average cost for those involving 20 to 30 million records increased nearly 5% to $241M.

Because mega-breaches are the ones that typically make the news, it’s easy for company leaders and board members to wave off investments in security and privacy on the grounds that those breaches are so large they can’t relate to them. However, the Verizon DBIR identified that the average number of records in a single incident was 80,000.

Leverage all of these statistics to help leaders connect these costs with the number of customer records your business operates on, and with the likely impact of common incidents – think of something as simple as a lost laptop or a third-party vendor compromise – on your company’s ability to operate.

  3. If your business is in the United States or the Middle East, and/or in Health Care or Financial Services, expect incidents to cost up to double the average.

The average incident cost in the United States was $9.44M and in the Middle East was $7.46M, both substantially more than the global average, per Ponemon. Similarly, Health Care companies now face an average cost of $10.1M, an increase of 41.6% in just two years, and Financial Services companies paid a nearly $6M average cost.

The United States and the Health Care sector have topped their respective categories for 12 years. Look for examples of incidents at similar companies in similar geographies and play those out for your leadership, in exercises or in presentations. Leverage these in demonstrating how you’re prioritizing investments in your defenses and your team.

  4. Almost a quarter of mid-sized to small companies and over a third of EMEA companies also face this pain.

According to the Thales EMEA report, 37% of those responding to its survey had a data breach of some kind in the last 12 months, with 52% noting they’ve had at least one in their company’s history. Similarly, RSM notes that 22% of middle market companies had a breach in the last year.

Threat actors target companies where they can make the most money. A few years ago that meant large enterprises in wealthy regions and industries with significant revenues. No longer. Adversaries are now more frequently targeting smaller companies and less-developed regions that typically have less investment in security defenses and data protection. And as Palo Alto Unit 42 notes, “difficult economic times could lead more people to leverage cybercrime,” a trend seen in the past.

Given that budgets may be tighter here, the bar for executives of these companies is even higher: they must demonstrate prioritized investments in their (likely existing) staff, in training and exercises, and in technology automation to supercharge their efforts.

  5. There are cybersecurity, privacy, and breach notification laws in 128 countries covering two-thirds of the world, with more coming quickly.

According to Cisco, there are 128 countries with laws and directives related to these areas. And in some countries, there are many separate laws that stack together in complicated ways. For example, in the US there are breach notification laws in each of the 50 states, with state privacy and cybersecurity laws layered on top, and myriad federal laws emerging continuously.

Given that not just new regulations but also changes to existing regulations are on the rise, cybersecurity, data privacy, and breach notification laws and directives are now making their way into the news and into the hands of company leaders. Metrics like the number of regulations examined, documented, and tested by internal teams are a starting point for C-level executives to track and report to their leadership and board.

  6. Security leaders are increasingly being asked to own privacy, with 32% reporting it a primary area of responsibility

Who’s being asked to own all this new work? Security leaders, of course, who are well funded in the eyes of many company leaders. Per Cisco, security leaders are being compelled to own privacy. This has forced many of them into a crash course on data protection, including the aforementioned global laws and regulations, without additional investment or staff.

Given the diversity of responsibilities security executives now face, they need to ensure they present a variety of security and privacy metrics to their leaders. According to Cisco, data breaches and incident response are two of the top five metrics among those they surveyed, reflecting their importance. Executives need to make sure they’re focusing on personnel readiness and operational resilience, and not just on reactive technology defenses.

  7. Legal leaders name cybersecurity and data protection, regulations including privacy laws, and compliance as their top priorities for 2022.

The three most important challenges for business in the latest Association of Corporate Counsel (ACC) Chief Legal Officers survey were cybersecurity, regulations, and compliance, with all three scoring higher than last year. In addition, two-thirds of CLOs expect that the intense regulatory environment will require organizations to improve their compliance programs, with about six in ten expecting regulators to increase their scrutiny and enforcement of privacy regulations in particular.

Only about half of CLOs believe their organization is adequately prepared to deal with incidents, and those legal leaders who actually own incident response come in lower than the rest, given that they, as ACC noted, “may be better aware of the challenges and complexities posed by cyber attacks.”

Security, privacy, and legal leaders would be wise to partner up and champion the need for focus and investment across all three teams in their respective areas. In addition to the security priorities noted above, most privacy teams are still understaffed and need to grow, and most legal teams are approaching these areas without the kind of technology that offers the only successful means of responding to many of their challenges. With a nearly 2x return where organizations had a privacy contact, Cisco rightly notes that “there is business value with having privacy and security work hand in hand.”

  8. You can demonstrate a $2.66M savings to your leaders easily with this one step.

Incidents are inevitable. Yet one quarter of companies didn’t have even a single incident response plan, and less than two-thirds of companies said they regularly tested the plans they did have, per Ponemon.

With 60% of breaches leading to price increases being passed on to customers, make sure your leadership is aware of the value of investing time in building out an incident response team, constructing tailored playbooks for different types of incidents, and running exercises regularly. As Ponemon noted, taking this step saved organizations $2.66M on a single incident, a massive saving that is amplified given that so many organizations have faced multiple significant incidents in their history.

Following data breaches, many firms cease to exist. The individuals in charge of managing privacy incidents are forced to move on.

Don’t wait. Put plans in place now rather than waiting for a data breach. Exercise your team and practice the plans. You will respond better and more quickly if you are prepared.

Need help improving your security posture?

Use BreachRx to build tailored incident response playbooks and exercise your team today!
