Some executives do not see security as a key business function, rather as an IT only function. This is a mistake. Without good security throughout an organization, compromise will occur. This is one of the many topics that the security management team and the top level executives need to discuss is frank detail.
There are a wide range of security breaches, intrusions and compromises. Often C-suites assume that their IT staff has everything under control. However, even a well-meaning and highly-skilled IT staff simply cannot protect against every possible threat. There should be a prevention and response prioritization based on risk, consequences and likelihood of compromise. The IT staff cannot make business prioritization decisions on their own, they must involve the top-level executives.
As part of that prioritization conversation, the IT security team needs to inform the C-suites of the potential consequences of security violations. Here are some key points to bring up in the discussion.
- Vandalism is the act of falsifying or altering presented content. This might be used to harm customers or the organization. This could result in liability issues as well as a loss of reputation.
- Loss of reputation may occur due to vandalism or any number of other security compromises. If customer private data is disclosed, if a breach leads to identity theft, if a data leak reveals sensitive internal documentation, or if a violation discloses questionable financial or business practices, an organization’s reputation might be damaged beyond repair.
- Theft of money, private data or company secrets can cause irreparable harm. Theft could be of the organization’s money or that of customers. Customer information as well as proprietary company information can be distributed online, which could result in lawsuits against an organization or remove its ability to continue to operate.
- Lost revenue due to a security violation may be significant. This could be the direct result of theft, loss of reputation, loss of market share, customers going elsewhere, recovery expense or court costs and legal fees.
- Breach of intellectual property could be devastating to an organization. If blueprints for new products, marketing strategies, updates to existing products or changes in business plans are stolen, this could prevent an organization from staying relevant in the industry.
- Lawsuits may be initiated by customers, clients and suppliers who were directly impacted by a security breach at an organization. This might also lead to a need for an organization to defend itself in court from those who think they have been wronged or lied. Allegations could include failing to stop a security breach due to poor security or not being able to live up to a claim of being difficult to compromise.
- Loss of license to operate might occur if federal, state or industry regulations were violated in the compromise. These could be violations caused by the attackers or violations of your organization that made the attack possible.
These are just some of the consequences that an organization may face if a security violation occurs. It is the responsibility of both C-suites and IT staff to be aware of these issues and make security decisions to minimize the chance that a devastating security breach takes place.