How Can Your Company Avoid a $23MM Mistake?

Ignorance is not bliss in the world of cybersecurity. Chief Information Security Officers (CISOs) Anthony Johnson of Delve Risk and Rohit Parchuri at Yext have a candid discussion on IT Visionaries on how the number-one cause of most companies’ downfall in security is negligence.

“There’s really four reasons why a company gets hacked,” said Johnson. “They want some money; they want to see the world burn; some intellectual property; or are there some sort of social reasons?” Either way, he said, “What I really care about is the level of sophistication.”

Cybersecurity attacks are ever-present possibilities

Motives don’t matter so much as methods to attack. A complex breach is preventable, but you’ve got to start with the systems in place that can help secure any business. CISOs are responsible for aligning security goals with what is realistic and in line with the company’s values.

“Setting that mission and vision from a cyber standpoint,” said IT Visionaries host Albert Chou, “it’s certainly the first step.” From there, companies can take a more tailored approach depending on what kind of threats they are exposed to.

“Cyber can be fully catastrophic to a company. A big enough cyber event could delete the backups, could delete the ability of the company to operate, and just completely wipe the organization,” said Johnson. In 2020 alone, the cost of data breaches averaged $3.86 million in the United States. “There is not another threat that can be as macro systemic to any one organization.”

CISOs need a seat at the table

We invest in security for a mall, a physical building, a bank. These are preemptive measures to prevent theft and fraud. But when it comes to cybersecurity, it is often seen as an afterthought: put in place only after a large breach happens, only after there is trouble to pay for or pieces to pick up.

Johnson compared it to how people would rather pay a $500 parking violation fine for parking illegally in a handicap spot than park where they are allowed from the onset. Similarly, if company leaders do not invite CISOs to initial strategic discussions, that shows the company values security as a “cost” rather than an investment. “You have a totally different mindset,” he said. It’s about paying the fee if the person (or company) “got caught,” versus treating the vehicle of your company properly in the first place.

Fines for GDPR can begin at $23 million for serious infringements, but some companies would still rather face the fee.

“The role of the CISO fundamentally is to be able to articulate the value prop of cybersecurity,” said Johnson.

Parchuri agreed. “When we say company, we really are talking about the leaders and the board. Do they understand what exactly is at risk? … What exactly does the management look like?”

“Where do we draw risk tolerance?” said Johnson. “We haven’t really had meaningful conversations about what’s acceptable.”

Even with more conversations and more investment, there always is an ongoing threat. “You could probably spend to infinity and still not actually be secured,” Chou acknowledged. “Someone will always find a way to penetrate your systems and architecture.”

The best way, Parchuri says, is to address the most important thing first: compliance. From there, he suggests building different risk models depending on each company’s needs.

“Are you focused on a specific element within the industry at large? Or are you tackling a number of different things where you might be exposed? That plays a huge role.”

Parchuri said that once you have your goals aligned with that of the business, the next step is to formulate a set of risk models to best determine where the company has vulnerabilities. “We should have automated detection built into the security tools so that you don’t have analysts trying to research those things.”

Regardless of whether the hacker is a twelve-year-old or forty-year-old, business models must first begin with compliance, then have durable systems in place that guard their progress, values, and future.