The Cybersecurity Imperative: Because What You Don’t Know Can Hurt You

White Papers | August, 2015

By Peter T. Metzger

U.S. government officials have now publicly stated that during 2013, federal agents notified more than 3,000 U.S. companies that they were the victims of a cyberattack. That’s a stunning statistic. Chillingly, in most of those cases, the companies themselves were unaware of any actual attack prior to the notification. More troubling still is the fact that those data breaches represent just a portion of the cyberthreats now coursing through our digital world.

Clearly, far too many companies remain behind the curve when it comes to their cybersecurity strategies and their focus on building the kind of information security talent team that is capable of addressing this critical business priority.

There is no doubt that the digital world can be a dangerous place. While advances in digital technology enhance productivity, expand business opportunity, improve lifestyles, and generate a host of other benefits, those same advances also can unleash attendant risks, including those related to information security. As companies work across multiple management platforms and add in cloud computing, social media, and a bring-your-own-device approach to mobile technology, for instance, new threat possibilities are introduced and the need for advanced cybersecurity continuously accelerates.

Today’s threats cross industry sectors and global regions. The 3,000 companies that were notified by the U.S. government include major media companies, retailers, a bank, a software provider, and defense contractors, among others. While the goal of hackers is sometimes only disruption, more often, malicious cyber acts involve the theft of intellectual property, confidential financial records, or other valuable assets. A 2013 report from McAfee puts the annual cost of cybertheft and disruption at $300 billion globally, with $100 billion within the U.S. alone.

Recognizing the tremendous business need, consulting firms and others are rapidly expanding their cybersecurity services, building out both product lines and talent teams in their effort to respond to the corporate and personal risks. According to CB Insights, by mid-2013, venture capital, angel, and private equity investors had committed some $1.4 billion to 239 security company deals during the prior 12 months. Interestingly, a significant portion of this deal activity is taking place outside of the U.S., with Israel, Canada, and the U.K. figuring as important hubs. Meanwhile, corporate cybersecurity IT budgets are also expanding, from some $65 billion in 2013 to $93 billion by 2016, according to informed estimates.

Of course, what is needed most by both the corporations across all industries that must respond to the cybersecurity threat, and by the consulting firms that seek to serve them, is the talent that lives on the forefront of this technology, equipped with the information security know-how to effectively lead these initiatives.

One of the best sources of talent with that type of highly sophisticated information security background is the U.S. government defense and intelligence establishment. As someone with a deep background in this area, including experience at the CIA and a role as the Marine Military Assistant to President Ronald Reagan, I appreciate firsthand how valuable knowledge of and access to some of the most highly qualified cybersecurity executives can be within this complex environment. I have the privilege of being the only consultant in the executive search industry who is currently serving as a director for a company operating under a Department of Defense proxy agreement. This insider’s perspective helps me appreciate both the imperative of addressing cybersecurity threats and the unique skillsets that best prepare seasoned professionals to meet these challenges.

For most companies, keeping pace with the rapidly changing tactics and technology of cyberthreats requires a relationship with information security specialists, thereby combining internal and external resources. And companies are increasingly adding the Chief Information Security Officer role to their leadership teams, as distinct from the CIO. A CISO will ideally combine both physical security and information security capability, while also possessing significant management experience. These leaders often will liaise with external security specialists, and they must possess the gravitas to interact with the board and to lead corporate policy decisions regarding information security.

As the number and financial impact of cyberthreats continue to escalate, companies must take a hard look at their readiness for this threat and align the best talent for this business priority. In today’s world, the cost of preparedness is likely to be far less than the cost of a cyberattack.