By Eve Fan
As the threat of cyber attacks escalates, it’s only a matter of time before companies start bringing chief security officers into the boardroom, according to a panel of experts speaking at a Chicago Council on Global Affairs event at tech startup incubator 1871.
“I think in a lot of cases, the chief information security officer was buried many levels below, so I think structure and where we report to is very important,” said Linsey Rubenstein, vice president of information technology at The Boeing Corp, at the Monday event, “Cybersecurity and the C-suite.”
Putting more top security executives in the same office suite as the CEO, known as the “C-suite,” and on the board of directors, would underscore that cybersecurity is not just an information technology matter but an enterprise-wide risk issue.
Among the list of companies hit by cyber attacks, Trump Hotel Collection said late last month that a data breach of its payment system from May 2014 to June of this year may have affected its customers at seven locations, including Trump International Chicago.
Last year, several serious data breaches hit companies, including JPMorgan Chase, with 83 million households affected, Home Depot, with an estimated cost of $56 million, and Target, in 2013, with 70 million people’s personal information stolen.
Today’s top security officers should be expert in technology, risk management and communication, and “should be a general manager who has the same level of experience as C-suite officers,” according to the 2015 US Cybercrime Survey by PricewaterhouseCoopers.
Cybersecurity has been raised to a board-level discussion in recent years as top executives have increasingly recognized the threat from third-party information sharing. Cybersecurity risk was third on the list of concerns for businesses in 2015 behind regulation changes and scrutiny, and economic conditions, according to the Executive Perspectives on Top Risks for 2015 survey by Protiviti.
Tony Sager, senior vice president for the Center for Internet Security, said that collaboration, and translating knowledge into action, are the key to breaking down barriers between top executives and technology experts.
“We, as a large community, society, or a group of enterprises, are just coming to agreement on the set of things we all ought to do,” said Sager.
Challenges that make risk management around cyber threats complicated include the complexity and cost of tracking threats for large-scale companies and the creativity of new hacking methods, according to Rubenstein.
Companies are also eager to adopt new technologies that reduce costs, but these can be problematic for security.
“The new technologies are out there, reduce cost, allow companies to be agile, but they also impact security,” said Rubenstein. “Doing things securely is more expensive.”