Key Business and Cybersecurity Lessons from Our APAC Region CISO Roundtable

In today’s world, it can be easy to lose the forest of cybersecurity for the trees – to lose sight of the business impact of potential cyber threats amid so much jargon about threat actors and their tactics, techniques, and procedures (TTPs). 

Yet, for today’s companies, what cybersecurity boils down to is simple: dollars and cents (and, given the global impact of cyber threats, just about any other currency you can think of). Sure, there’s a lot of programming, scheming, and investigating that goes on behind the scenes. And, of course, cybersecurity can affect your brand reputation, your customers, the way your employees feel about their jobs, and other factors. But ultimately, for businesses and other organizations, defending themselves from cyber threats is a matter of protecting their bottom line. 

That kind of business-oriented mindset was front and center at our fourth CISO roundtable discussion, which recently brought together thought leaders and cybersecurity experts from the Asia-Pacific region – including representatives of Ericsson, JPMorgan Chase, BNY Mellon, GE Healthcare, and other organizations. Like our previous roundtable discussions, this insightful session  - chaired by VJ Viswanathan, a veteran global technology executive and founding partner at CYFORIX - created a forum for experts with a variety of real-world cybersecurity experience to share their perspectives with each other and with our audience. But unlike the earlier roundtables, the most recent one did not include any discussion of the impact of COVID-19. Instead, it put an especially strong emphasis on long-term trends surrounding the business aspects of cybersecurity and predictions regarding the future of this dynamic field.

Here are five key takeaways from our recent roundtable discussion:

The sharing of cyber threat intelligence is an important, powerful, and promising trend

Cyber threats continue to grow in sophistication – not only in terms of the technology they use, but also in terms of the ecosystem of cooperation, collaboration, and transaction among threat actors on the deep and dark web. So it makes sense that there is a growing awareness among many cybersecurity professionals of the necessity of sharing threat intelligence across organizations in order to maximize both the reliability and the efficiency of their cyber defenses. And while they realize this requires their organizations to invest some resources in sharing their own threat intelligence with others, they also see the return on investment that the sharing of threat intelligence offers them.

The participants in our discussion also discussed how CISOs are working to overcome the hurdle of data silos and to share threat intelligence not only across organizations, but even across disparate industries. In part, this is because much of the threat landscape that today’s companies face extends across industries. And in part, it is because the companies that employ cybersecurity professionals themselves work across industries. For example, GE Healthcare falls into the category of healthcare providers, but it is also affiliated with the rest of the GE corporation and its various subsidiaries operating in different industries.

It’s worth considering how to measure the ROI of threat intelligence

We know that paying for a cybersecurity solution is a business decision – and when you make that decision, you know how much it’s going to cost you. But how can you tell what your return on investment is? After all, the point of using that solution in the first place is to prevent yourself from falling victim to a cyberattack (or at least to mitigate the risk). That means the ROI of a cybersecurity solution is the sum of the costs of all the cyberattacks that would have affected you had you not used that particular solution. Since you have no way of knowing for sure how much a hypothetical cyberattack would have cost you, you can never be totally sure of your cybersecurity ROI. 

With that in mind, the question of how to estimate the ROI of any given cybersecurity technology was an important topic of discussion during our roundtable session. One approach that was mentioned is using red teams to simulate the activity of threat actors and then evaluate how much damage they could have done. But whether or not you take that approach, this part of the discussion drove home the point that cybersecurity technologies are a business expense with business value, and their effectiveness can and should be quantified in business terms. 

Threat intelligence can help you plan your cybersecurity budget

One interesting perspective on cyber threat intelligence that came up during our discussion is the comparison between cybersecurity and insurance. The idea is that you can never have entirely full coverage in either cybersecurity or insurance, you could always pay more for additional coverage, and there’s always some risk that something unexpected could happen and you would have to pay for it. But at some point, there’s a limit to the amount of money that you can invest in your coverage. And it’s generally not worthwhile to overspend on coverage for things that wouldn’t be damaging enough to justify their premiums, or on protecting yourself in case of a hypothetical scenario that has practically no chance of ever happening.

But in the realm of cybersecurity, threat intelligence can help you both to quantify the various risks that you face and to prioritize the most urgent threats. That’s because great threat intelligence can shed light on the likelihood of any particular type of cyberattack taking place, as well as providing additional context for the various threats you may face. As the roundtable discussion highlighted, that reality makes threat intelligence a key part of the process of making business decisions related to cybersecurity. 

When it comes to data breaches, sometimes the greatest threats are insiders

When many people think of cybersecurity, they think of using digital technology to stop outside attackers from remotely accessing (and often stealing) an organization’s sensitive information or committing other types of cyberattacks from afar. But, as our discussion pointed out, many cyberattacks are carried out by insiders within a targeted organization. In some cases these insiders act due to nefarious motives, often financial in nature – but in many cases, the insider culprits play into the hands of threat actors inadvertently, such as by clicking deceptive links within phishing emails. 

Stopping an insider data breach can be particularly difficult. But, as our participants discussed, sometimes the most promising way to fight against these attacks is to quickly discover that an organization’s leaked data has been exfiltrated. That’s one reason it is so important to understand that the dark web is the go-to channel for threat actors looking to anonymously cash in on data they’ve stolen. As a result, monitoring threat intelligence from the dark web can help cybersecurity professionals to know when they need to take action to protect their sensitive information that has been compromised by a data breach or cyberattack. 

It’s important to convey threat intelligence to executive management in a way that speaks to their business needs and goals

Cybersecurity decisions are largely business decisions that boil down to considering the financial risk of a potential cyberattack as compared to the financial cost of using a given cybersecurity technology. So it makes sense that many organizations’ executive boards are increasingly interested in taking an active part in making these decisions. It also makes sense for them to be kept up to date on cyber threat intelligence, and – as our participants discussed during the roundtable – keeping these executives in the loop can be an important part of a CISO’s job. 

But that doesn’t mean that many organizations’ executive board members need to have the kind of understanding of cyber threats that a CISO would have. And when CISOs overload executive boards with technical details, those CISOs risk not only confusing them but also underselling the importance of vital cybersecurity concerns. Instead, it is generally a good idea to convey important cybersecurity information to business executives in a way that speaks to their business needs and goals. By helping these executives to understand the business context (and the potential cost) of any given cybersecurity-related decision that board members might make, you can provide them with the information they most need – while also keeping their attention and showing them the business value of cybersecurity.

Be part of the conversation

Interested in continuing to learn from top-notch CISOs from a wide range of organizations around the world? We’re continuing our series of roundtable discussions bringing together top cybersecurity minds from the field, so check back soon for valuable and helpful insights. And if you’re an expert CISO eager to share your perspective and learn from your fellow CISOs, we’d love to hear from you! You can sign up for a future roundtable right here.