Why CyberSecurity And AI Are Top Governance Risks For Board Directors And CEOs?
Ask most board directors and CEOs to define cybersecurity and artificial intelligence in a board meeting and share their answers, and you may well find that their depth of knowledge is too shallow for their duty of care responsibilities.
This, however, is fast changing after many years in which cybersecurity and artificial intelligence were left in the hands of information technology leaders rather than integrated equally into business and IT professional practices. Today, bringing together key business stakeholders from across the enterprise, with diverse skill sets ranging across human resources, legal, business, technology and security, all with a unified mission to bring cybersecurity and artificial intelligence matters into a unified governance operating model, is finally emerging across the Fortune 500.
Leaders are recognizing that they have often been asking the wrong questions and often applying the wrong methods. This article takes a rapid scan of interesting facts to explain why it is imperative to get cybersecurity and AI harmonized to de-risk organizations' exposure to cybersecurity incidents.
Gartner Group recently released the report The Urgency to Treat Cybersecurity as a Business Decision, stating that, after years of quarterly reporting on cybersecurity to board directors, boards are for the first time pushing back and asking for improved data and a clearer understanding of what companies have achieved after years of heavy investment in cybersecurity.
You will likely recall the Equifax hack in 2017, where the CEO, Richard Smith, resigned after 143 million Americans' data was compromised, and he made it clear that he was stepping down due to the cybersecurity incident. This hack cost Equifax over $4B to recover from all the damages, let alone the customers who moved off its loyalty roster, which severely impacted annuity streams.
Cybersecurity fines are accelerating as well. The UK Information Commissioner has increased cybersecurity fines under GDPR, up to €20M, or $23.6M USD, if controls are not consistent, reasonable and adequate. This has certainly driven an accelerated frenzy in GDPR compliance and regulatory controls.
Irrespective of the accelerated compliance regulations, cyber-attacks are increasing: over 4.1 billion records were breached in the first half of 2019, according to Varonis.
By the end of 2020, it is estimated that the number of passwords used by humans and machines will grow to over 300 billion (CyberSecurity Media). Verizon has also reported that over 71% of breaches were financially motivated and 25% were motivated by espionage. Over 50% of the breaches are from hacking, 30% are from malware, and the balance are from phishing or social engineering. In addition, 94% of malware attacks are delivered by email.
Hacking is also intensifying: hackers are attacking every 39 seconds worldwide, on average over 3,000 times a day, according to leading researchers from the University of Maryland.
You may recall the WannaCry virus, which impacted over 150 countries; more than 400,000 computers in over 100,000 different groups were compromised, at a cost of over $4B in damages.
These types of high-risk cybersecurity breaches are increasing in severity, ruining company brand reputations and impacting careers, as CEOs or board directors are leaving companies for compliance violations and avoiding the political outcry from shareholders.
IBM recently reported that the average cost of a data breach is $3.9 million worldwide and $8.2 million in the USA. While the costs of managing cybersecurity problems are increasing, so are the regulatory requirements.
Keeping data governance within high compliance parameters while managing diverse data and privacy legislation, from SOX, ISO 27001 and HIPAA to GDPR and the recent California Consumer Privacy Act, is causing considerable angst over increasing operating costs, as the regulatory and privacy compliance costs just never seem to end. Yet the hackers are always improving their hacking techniques. Some might say they are winning in terms of who is on first or second base, as hacker networks work in unified packs, with no boundaries, and continually poke and probe for vulnerabilities every second.
One reason hackers and breach artists are improving is the sophisticated artificial intelligence and machine learning algorithms that crawl the World Wide Web and detect pathways into personal computers, networks, cloud, etc., cracking passwords, causing havoc, and giving not just headaches but also heart attacks.
Few leaders realize that heart attacks are on the increase, as employees impacted by cybersecurity attacks are under extreme stress, which is often the unspoken smoke that trails these serious crimes.
Cybersecurity carries a health and wellness responsibility, so board directors and CEOs need to ensure that cybersecurity employees are being coached on the medical risks in their career, and stress the importance of living a healthy lifestyle to compensate for the work-related risks that simply come from having a career in cybersecurity.
Gartner has gone on record that by the end of 2020, security services will have 50% of their operating budgets tied to cybersecurity. Yet I wonder how much of these operating budgets is focused on health and wellness to support talent at risk from the accelerated job stresses that come with cybersecurity's high expectations of zero-tolerance risk.
While cybersecurity is on the rise, the shortage of cybersecurity skills continues, and the unemployment rate for talent with these skills is at 0%, according to CSO Online. Looking ahead, by 2021 there are estimated to be over 4 million unfilled jobs in cybersecurity roles. Clearly we have much to do to get this gap under control.
This provides a major career entry opportunity to re-skill talent impacted by COVID-19.
In summary, we are living in a period where cybersecurity hackers are able to work globally and tap into underground connected networks to commit their crimes.
Although AI and ML are enablers of cybersecurity crimes, these methods are also going to be the defence networks and detectors that control all the parameters to ensure there are zero-tolerance defence systems at work.
As we look at the increasing number of systems and passwords we are accessing, and at accelerated cloud environments, we are going to need new technology innovations to advance and simplify our digital life. One company striving to build disruptive apps and private cloud technologies, committed to simplifying and protecting your digital life to increase protection levels, is QNext, which is in early growth mode but has a very promising vision.
Organizations simply have to be better prepared than the cyber attackers. The only way forward is to embrace AI in all business operating practices and ensure that all vendors involved in your cybersecurity enablements have modernized, advanced AI and analytics methods at work to protect your organization. No longer can you use technologies that look in the rear-view mirror with traditional BI methods; companies have to leap forward, learn more rapidly about AI, and increase their know-how to move from being classified as stuck in the past to leading forward.
Board directors and CEOs have a duty of care and a responsibility to improve their knowledge and understanding of AI and cybersecurity in order to understand the risks, to ensure their company's business strategy is robust with rigorous risk assessment processes, and to leverage third-party auditors to tighten up internal control operations. At the same time, they should invest in health and wellness practices to ensure a healthy work environment that can cope with the stress, as the hackers' persistence is a constant drum beat that either pulsates in a slow drone at different intervals and tones, or ratchets up to such a high-pitched volume that even the board directors and CEOs strive to escape the cascading carnage.
Being prepared at all times sounds simple, but cybersecurity prevention is simply the cost of doing business and is key in all business types: small, medium, or large.
Having a clearly defined set of cybersecurity controls, which leverages modernized methods from AI, will not only keep your customers, employees, and suppliers safer; it will also give you as board directors and CEOs greater peace of mind.
About the Author:
Dr. Cindy Gordon is a CEO, a thought leader, author, keynote speaker, board director, and advisor to companies and governments striving to modernize their business operations with advanced AI and advanced analytics methods. She is the CEO and Founder of SalesChoice Inc., an AI SaaS B2B company focused on Improving Sales Revenue Inefficiencies and Ending Revenue Uncertainty. A former Accenture, Xerox and Citicorp executive, she bridges governance, strategy and operations in her AI contributions. She is also a board advisor of the Forbes Business School of Business Technology and The AI Forum. She is passionate about modernizing innovation with disruptive technologies (SaaS/Cloud, Smart Apps, AI, IoT, Robots), with 13 books in the market and the 14th, The AI Split: A Perfect World or a Perfect Storm, to be released shortly. Cindy has recently completed an MIT Program on AI and Business Strategy Transformation to help her company's B2B clients modernize their value-chain operations. You can also follow her on LinkedIn.