Cyberattacks occur so often these days that they may seem impossible to prevent. But CEOs are by no means powerless to protect their customers’ personal information and their company’s most valuable data assets. BCG managing director and partner Paul O’Rourke, who leads the firm’s work in cyber and digital risk, explains how executives in every industry can manage this intricate mission.
BCG: How can businesses treat cyber risks with confidence?
Paul O’Rourke: For the last 15 years or so, cybersecurity has tried to protect everything—and failed. So it comes down to one word: inevitability.
You must stratify your assets and work out what would cause the most risk if you were compromised. These assets are the crown jewels and need to be overprotected, compared to other assets. If customer data is a crown jewel, for instance, the business should commit its investment, controls, reporting, and governance to overprotection of those assets.
Customer data has been in the news quite a bit recently.
As we move into 2023, we’re seeing a much greater focus on privacy and protecting consumer data—particularly on the back of recent breaches that have involved personal information.
What stood out to you about these attacks? Australian lawmakers were quick to propose ransomware-oriented legislation in the wake of breaches there.
Ransomware has leveled the market. Years ago, attackers would primarily have gone after a financial services organization. Today they can go after any type of organization, of any size, in any sector, in any geography. We’re seeing attacks on non-financial organizations—hospitals, retailers, SMEs—because they are often perceived as being less secure. Compared with financial services organizations, companies in other industries haven’t invested at the same level to protect themselves, over an extended period of time.
This is creating concerns over reputational risk, disclosure of data, financial risk, and regulatory sanctions. Regulators—and consumers, for that matter—are pushing for businesses everywhere to take privacy and personal data much more seriously.
How does cybersecurity fit in the CEO agenda?
The feedback we get from the C-suite is that cybersecurity is the risk they feel least comfortable managing and governing, in part because it changes so frequently. And the impact of a breach on an organization is often material.
Over the last 12 to 18 months, a skepticism has formed at the highest level around just how well protected a business is. Boards and executives hear internal teams say, “We’ve invested a lot of money, we have a good security posture, and we’re well protected.” But leaders see these breaches and question if they are being told the whole story.
What’s adding to this skepticism?
A lot of reporting to boards is merely a justification of the money spent on security. It doesn’t really give context around risk. And one of the biggest problems is that security reporting is very technical. Board and C-suite members often just do not understand it. There’s no translation from technical language to what the information means for the risk to the organization.
Avoiding communication breakdowns in any business is delicate work.
The C-suite is increasingly challenging security teams to report cyber issues in risk language. But the global shortage of cybersecurity talent means there are few people who can do this translation effectively.
There are two options. You can train risk people on cyber. This is difficult because risk people don’t come from technical backgrounds. Or you can take cyber-technical people and train them on risk.
Then you have a niche capability, in very high demand, of knowing cyber in terms of risk and placing security reporting into a risk context.
Who has these skills?
We’re seeing the Chief Information Security Officer role begin to divide into two positions.
The role we often think of as the traditional CISO is becoming a Technology Information Security Officer (TISO). Then there is the business-oriented person who understands risk and, in the event of a breach, can handle regulatory, media, and investor relations. This role sits higher in the organization, often with the title of Chief Security Officer. More and more, this role also oversees physical security, intelligence, and fraud, in addition to the cyber function. These leaders can effectively engage with the C-suite and regulators, and they are adept at connecting and aligning the risk narrative to the business strategy.
What should leaders do as we move ahead to face economic challenges and ongoing cybersecurity risk?
The harder the economy gets, the worse cyber will inevitably get. In past downturns, cyber breaches have gone up. What we’re seeing now is a linear tracking of breaches going up on an annualized basis. The trend will likely continue upwards.
To manage this complicated risk, a CEO should be able to answer three questions: Are we spending the right amount of money on cybersecurity? Are we spending in the right areas? Is our investment reducing risk?
If you can’t answer those questions, you need to focus on those areas. Align the answers to your risk posture, and you’ll do a much better job protecting the organization.