Many CEOs and boards of directors are failing their companies by not truly understanding their cybersecurity risks, says Steve Durbin, managing director of the Information Security Forum, a global not-for-profit organization focused on cybersecurity and information risk.
Senior leaders must ensure their organizations provide adequate funding to manage all those risks, he says in an interview with Information Security Media Group at the recent Fraud Summit in London.
"We've tended to view security as being a technical issue - something that probably fits under the CIO, perhaps, in a lot of organizations," Durbin says. "What we are seeing now is that cybersecurity clearly is a business-related issue. It does have the ability to impact, significantly, some of the core business measures, in terms of things like brand, reputation, stock value and customer perception, and therefore the ability of an organization to compete effectively."
CEOs need to focus on making investments that can ensure cyber-resilience, rather than simply focusing on regulatory compliance, he stresses.
"For me, compliance is all about driving the car looking in the rear-view mirror," Durbin says. "Compliance will make sure that you are in line with what regulators or legislators understand today. The challenge we face with cybersecurity is that what is happening we've never seen before. And so if you have only a compliance-focused approach, you will not be mindful of some of these other things that could hit your organization. For me, it's about resilience. It's about understanding better how to equip the organization to deal with a fast-moving environment, where things happen that you've never seen before. You can't possibly expect compliance to cover all of those areas."
Senior leaders need to truly understand the organization's risk profile, Durbin says. "From a C-suite perspective, it's about managing risk across the enterprise and then putting aside the appropriate amount of funding to deal with those risks. ... The most important piece is to conduct the risk assessments to understand your risk."
During this interview, Durbin also discusses:
- Why appropriate cybersecurity budgets vary widely in size;
- Why cross-border collaboration is key to understanding emerging cyber risks; and
- How the public and private sectors can work together to strengthen the cybersecurity workforce.
At the Information Security Forum, Durbin's main areas of focus include strategy, information technology, cybersecurity and the emerging security threat landscape across both the corporate and personal environments. He is a frequent speaker and commentator about technology and security issues, and has considerable experience working in the technology and telecommunication markets. He previously served as senior vice president at consultancy Gartner Research. Durbin also has served on the boards of public companies in the United Kingdom and Asia, in both technology consultancy and software application development.