By Evan Sills – Director & Reda Baig – Associate at Good Harbor Security Risk Management
Cybersecurity professionals increasingly rely on data to make better decisions regarding prioritising risks and threats. In addition, directors have become accustomed to using metrics to evaluate business and unit performance and return on particular investments.
Despite these trends in using more data at the board level, directors could better enable their companies in deciding how to focus their cybersecurity priorities by better valuing corporate data. This article will review how companies find value in their own data, how that understanding does not always align with the IT security staff’s own data valuations and how a cybersecurity programme can be strengthened by better leveraging a sophisticated understanding about where business value lies within corporate data.
Every corporation uses data in myriad ways to enable their current business, assess how it is doing and prosper in the future. Increasingly, businesses are using data not only to improve their customers’ experience, but also share insights of how customers engage with third parties who can glean other information from the same dataset. Managing all of thisdata is no longer just an information technology or business requirement but a board concern as well.
There are two ways data can offer value to a business: through direct monetisation and through better insight on how the business is operating. With direct monetisation, companies can sell their data directly to third parties or provide third parties with insights from the data without selling it, for example, through targeted advertising. Data also provides businesses with the information needed to assess their operations and to determine if the policies implemented are bringing value to the company. Assigning exact value to data is challenging. One needs to determine how much value the data will bring to the company in the short-run and the long-run.
“Managing all of this data is no longer just an information technology or business requirement but a board concern as well”
Understanding the value of data within the enterprise is critical to deciding how to protect it. However, assigning value to particular types of data is a complex endeavour that changes rapidly and its value may depend on the time frame through which it is being viewed. Data classification is its own specialised field and data can be classified according to how it is created, what subject matter it contains and when it was created. Consider these examples. Board minutes, containing data relating to financial, legal and operational matters, may be highly valuable as they are being developed and before an earnings call, but the data will be of much lower value afterwards. Business performance data may be highly valuable internally to the company but of little value to outsiders. Research and development (R&D) data may be of relatively low value to the business in 2019 but it could be critical in 2021.
A recent study conducted by the Ponemon Institute revealed that organisations are struggling to assign value to data and that one business component is not likely to have a good understanding of the value of other data within the business. For instance, IT security rated R&D documents only half as valuable as the business unit who owned the documents. Alternatively, some businesses or functions may be highly sensitive to personally identifiable information (PII) being breached due to implications for compliance or reputation but may not understand the actual costs of that type of breach compared to, for example, the loss of intellectual property or a ransomware attack that shuts down operations.
A similar challenge currently exists in society today, as Facebook’s Cambridge Analytica relationship illuminated. Private information of citizens may be valued highly by them personally, even if they are willing to share it, but its value to a company and their ability to monetise it may be drastically different. This puts a strain on the business’s ability to adequately secure data when part of its value to the business is to share it with others who may treat the same data differently. It also throws out of balance the short-term value of collecting and monetising data as compared to maintaining the trust between a company and its customers.
The directors’ perspective
Directors play a key role in helping companies value, manage and protect the data they own. These assessments should play an active role in helping the business decide on its overall risk tolerance and business priorities. Raising cybersecurity to the board level has been a repeated mantra for several years. While directors have gotten more involved, their specific role continues to evolve. Boards increasingly ask sophisticated questions about the organisation’s cybersecurity posture and help set risk tolerance. However, directors should play a larger role in providing a top-level view of different risks and prioritising the protection of particular types of data.
Are we prioritising protection of the right data?
Business functions tend to view the company through their own lens. The counsel’s office will tend to prioritise its own documents and is unlikely to have a strong understanding of research data and business development data but may have a more intuitive understanding of human resources data because it relates to employment law and PII. Meanwhile, the finance office may associate value with how much particular vendors or operations cost. The board can play a key role in helping executives provide an enterprise lens through which to view all of the data in the company. Additionally, directors tend to have a more distilled view of short- and long-term goals and priorities.
Executives and directors are better prepared to evaluate how the company’s cybersecurity capabilities and strengths align with the most important data. Is encryption focussed only on PII because it provides legal benefits, but critical operational data is left less protected? For global companies, cybersecurity capabilities may not be uniform around the world, and gaps may exist in locations that are strategically important to the future growth of the company. Some companies have enterprise risk management programmes that may already be working on some of these issues, but directors sit in a prime position to be assessing the calibration of data assets to security and future growth of the corporation.
Questions to ask:
■ How do we as a company assign value to data?
■ Do our cybersecurity priorities align with the data that is most correlated to our business priorities?
■ How does compliance factor into our decisions regarding data protection prioritisation?
Does our cybersecurity plan align with our data value?
Directors are increasingly asked to weigh in on the information security programme within the company. Bringing information security to the boardroom was necessary to raise its profile, increase funding and obtain buy-in from the board on risk decisions being made by the company. While numerous articles have been written about why cybersecurity is important and how it should be treated like other areas of risk by directors, our focus here is on directors providing context and top-level alignment between a company’s data and its information security programme.
The automotive industry provides clear examples of some of the choices directors may face. It is clear that autonomous vehicles will play a critical role in the future of the auto industry. However, current operations still require securing vehicles and corporate operations as they exist today. Directors, with their wealth of experience and view atop the company, will have a better sense than a Chief Information Security Officer of how aggressively to pursue securing autonomous vehicles, and whether that must come at the cost of cybersecurity elsewhere in the corporation. For this industry, R&D data may be particularly vital. For any business, it is important to be aware of emerging technologies, and directors can help evaluate how quickly these technologies will cross into the mainstream.
Information security teams are tasked with securing current operations and ideally, are brought into future products and service offerings early in their development. However, they are ill-suited to balancing and prioritising operations, improvements, and upgrades that align with the company’s trajectory. Some of this will happen naturally, as budget requests for major improvements are more likely to be approved in areas where the business wants to grow. However, it is not always clear to business operators or Chief Financial Officers whether a new security technology is more suited to one product line versus another. One organisational solution to this challenge has been the rise of BISOs: Business Information Security Officers. These employees, due to their position inside a business unit, have greater insight into the use and value of data for that particular part of the business. However, while this role helps information security grow within the particular business unit, it still lacks the whole-of-company perspective that directors can provide.
Questions to ask:
■ How can the company leverage its cybersecurity strategy in a manner that will enable business growth in the future?
■ What emerging technologies may fundamentally change our business in the future and how do/will they change our risk profile today and in the future?
■ Does our cybersecurity leadership have the information it needs to understand which of our business operations are most critical and how to secure them?
Are we investing in cybersecurity technologies that align with our business data?
One of the challenges of cybersecurity for directors is that it does not succeed or fail independently. It is necessarily tied to the product, network or company it is attempting to protect. This can make it particularly difficult for directors to judge which security technologies are in need of upgrade and make them reliant on the IT security staff pushing for the upgrade.
For this reason, it is essential that directors receive information about the information security programme, including how individual technologies align to particular risks. In particular, directors should seek information regarding how different technologies work in combination to address risks such as unauthorised access. This can take cybersecurity out of the jargon of the cybersecurity industry and force IT security executives to articulate how the technologies work in the business context.
Some tools, such as firewalls, authentication and endpoint protection technologies are important for every company to possess. In addition, businesses should be looking at technologies that align with its data profile. Building familiarity with security tools and metrics is helpful not only to understand what they do and why, but also to understand how they may or may not complement future products and services, and the data they will generate.
One high-profile area that many companies are currently reviewing is moving data and applications to the Cloud. This is an opportunity for directors to ask about how that move would affect data the company currently stores, and how that will change in the future. Additionally, how your business uses Cloud services should influence the cybersecurity plan, as varying technologies may be needed.
Questions to ask:
■ Are we investing in cybersecurity technologies that we will continue to need in the future?
■ Are there new areas of cybersecurity that we should be investing in that align with our business plan?
■ How do geography and changing regulatory landscapes affect our investment decisions?
Directors can play a critical role in helping companies understand the data they possess, how it is used, and where the business is headed. They also can provide a necessary outsider’s perspective on how data is being used and raise privacy and societal concerns that may not be clearly visible in the day-to-day activities of the corporation. Most importantly, the boardroom is where issues that cut across many operational and corporate functions should be raised to ensure that they are properly calibrated to the overall direction of the company. As each corner of the company is busy creating, managing and sharing its own data, it falls to directors to oversee not only the cybersecurity programme, but also how it aligns with the activities taking place within the organisation.
About the Authors:
Evan Sills is a Director at Good Harbor Security Risk Management. Good Harbor Security Risk Management, LLC works with senior corporate executives, investment professionals, and government leaders to assess and develop strategic cybersecurity programs that mitigate organizational risk in the face of advanced cyber threats.
Reda Baig is a Cyber Risk Associate at Good Harbor Security Risk Management and a graduate student at the George Washington University
2.“Understanding the Value of Information Assets”, Ponemon Institute, November