Cybersecurity-Related Financial Risk as a Board Imperative


How IT leaders can communicate risk for maximum impact.

October 16, 2020 • Published by


Over the last few years, organizational board members have taken an increasing interest in cybersecurity as a financial risk. This is due in large part to highly publicized breaches, but also regulatory efforts to legislate cybersecurity as a part of boards’ corporate mandates.

If you think about it, this makes sense: securing your company’s data stops the bleed of shareholder value. The value of data is changing, so the level of protection you need to apply is changing too. Companies are investing in that protection to maintain their brand and viability.

The financial losses resulting from a data breach event, or worse, encryption of data from a ransomware event, are steep. Naturally, this keeps board members and corporate executives up at night.

It’s one thing to understand and know where your cybersecurity risk is; it’s another to begin implementing a strategy that reduces that risk. The board wants to know: “What are the implications? What mitigation plans are in place? How quickly can you respond (is it going to be a PR nightmare or not)?” and so on.

Boards are looking to protect against financial risk.

When it comes to cybersecurity, today’s boards are not so much focused on protecting data as on protecting the company against financial risk. When you look at it this way, it becomes much easier to communicate the company’s needs upward.

“OK, that base is covered. Let’s continue along our security maturity stack and determine what we need to do next to protect our company and its assets.”

“We’ve got mediocre software doing a mediocre job and we don’t have the staffing for 24x7 coverage. We really need to figure out how to better utilize the investments we’re making in cybersecurity.”

These are just two examples of what I mean by communicating risk upward.

Building a business case for managed detection and response.

Security maturity varies by organization. Some companies simply wish to check a box on a compliance form, while others are further along in maturity and already have a security team and risk management platform in place. However, even the most cyber-mature companies sometimes recognize that the way they are using their people isn’t meeting their goals. They don’t want to add security headcount, so they look for a partner in security and compliance.

At both ends of the scale, a managed detection and response (MDR) partner can extend into that environment to become a proactive part of the security team. It begins with tactical execution of the risk strategy and extends upward to the policy level.

Check out my podcast interview on the financial risk topic (and more) here: https://www.controlscan.com/mdr-with-tom-callahan/