How CISOs Balance Business Growth, Security in Cyber-Threat Landscape

Collaboration, care, and proactive planning need to be part of CISO toolboxes as worsening threat environments become the new normal. CISOs need to adjust processes so business innovation can continue.

Rita Gurevich, CEO & Founder, SPHERE

February 21, 2024

4 Min Read
Figure balances on a tightrope held between two hands
Source: lorenzo rossi via Alamy Stock Photo

COMMENTARY

The cyber-threat landscape is evolving at lightning speed with attacks growing more complex and obscure, and they're often aimed at third-party suppliers. While highly recognizable brands remain prime targets, attacks are now affecting organizations that previously didn't have to worry as much about cyber threats.

For example, according to the "2023 Data Breach Investigations Report" (registration required), businesses with fewer than 1,000 employees and those with more than 1,000 employees face similar challenges. The researchers identified 699 incidents with 381 confirmed data disclosures for small businesses and 496 incidents with 227 confirmed data disclosures for large businesses.

As if more attacks were not concerning enough, the costs of a data breach continue to increase year-over-year. According to the "Cost of a Data Breach Report 2023" (registration required), data breaches cost an average of $4.45 million in 2023, a 15% increase over three years. Meanwhile, over the last few years, the rate of inflation has averaged between 3% and 6%. Small businesses are already struggling to overcome these economic increases — with the cost of a data breach being double or more than inflation, a single data breach can undermine a company's overarching revenue objectives.

CISOs Face a Perfect Storm

In response to the increased volume, complexity, and impact of data breaches, governments and regulatory agencies continue to implement and force more rigorous compliance requirements. To meet these compliance requirements and give customers assurance over their cybersecurity posture, small businesses that already struggle with low revenue and operating margins need to spend more money on security technologies and audits. As a CISO or C-suite executive trying to balance business growth, compliance, and security today, you may feel like you're facing the perfect storm.

For these senior leadership members struggling to achieve growth and protect data, finding cost-effective cybersecurity investments that stay within conservative budgeting ranges can feel overwhelming and nearly impossible.

Balancing business productivity innovations such as artificial intelligence with responsible security is a prime example of the tension that executives face. While AI promises improved decisions, automation, and leveraging staff more efficiently, it also requires unprecedented data access to function properly, like a big, blinking "attack me" sign for threat actors.

Historically, organizations wait for an incident to occur then purchase a security tool in reaction. However, today's threat landscape demands a proactive mindset, as there are countless potential intrusion points and actors from petty thieves to hostile nation-states trying to access sensitive data or make a political statement. With computing resources now extensively in the cloud instead of being contained neatly on-premises, the scope of what CISOs must try to secure has essentially doubled. As organizations implement software-as-a-service (SaaS) applications to ensure productivity and business continuity, they expand their attack surface exponentially with new access points such as APIs. Essentially, a single small business may feel as though it is managing security for multiple companies as each business line from sales to marketing to accounts payable creates its own digital ecosystem.

The skills gap among security professionals adds additional strain for CISOs seeking competent guidance for proactive strategies. They face shortfalls in talent along with skyrocketing software costs, strict compliance standards from multiple auditing bodies, rising cyber-insurance premiums or even coverage denial, and the possibility of personal liability, with regulators and prosecutors taking punitive action against executives in the event of incidents like data breaches. To enable growth and innovation while navigating this intricate minefield, businesses increasingly rely on automation and AI.

Align Business Objectives, Security

While automation can help streamline redundant processes and AI has potential to aid the detection and response workflow, integration-friendly security tools that provide true return on investment remain paramount. By integrating security tools and quantitative key performance indicators into their daily processes, small businesses can align their business objectives and security posture more precisely.

Calculators and metrics that clearly translate technical capabilities into hard dollar savings and risk reduction figures help justify purchases to dubious C-level executives. Senior leadership teams are responsible for ensuring that the business remains solvent, meaning they need to understand how security metrics affect their financial bottom line.

Additionally, they need to understand the coverage that their security investments provide. Disconnected technologies can create security gaps and blind spots, leaving them at risk of a data breach. To solve this problem, even small businesses must consolidate solutions across multiple internal teams, security, fraud, and IT. By doing this, they gain enhanced insights into their security and privacy coverage while being able to identify future investments that will add value to their programs, making it easier to obtain approvals for new products.

Of course, that's easier said than done. The cold, hard truth is that elevated complexity while balancing a myriad of internal and external stakeholders amid a threat environment in perpetual acceleration is our new normal.

Both C-suite executives and CISOs must reconcile this reality and adjust processes appropriately. Business innovation must carry on despite continuously evolving threats. While quality vendors can provide support, cybersecurity remains a stormy sea for leaders to traverse. But with collaboration, care, and proactive planning, organizations can stay afloat, even if waters remain choppy.

About the Author

Rita Gurevich

CEO & Founder, SPHERE

Rita Gurevich is the CEO and founder of SPHERE, leading the strategic growth and vision for the organization.

Rita began her career at Lehman Brothers and helped oversee the distribution of technology assets after their bankruptcy in 2008. From this, Rita gained a deep understanding in analyzing identities, data platforms, and overall application and system landscape that had to be distributed across all the buying entities. At the same time, the enhanced regulatory environment focusing on protecting data from misuse, forced large enterprises to manage and control access more proactively across their on-premises and cloud environments.

With this knowledge, Gurevich founded SPHERE, an identity hygiene organization that provides critical discovery, security and compliance solutions centered around identity security and access control problems that organizations face. The company has developed a repeatable and effective approach to automating the discovery, remediation, and management of access controls across any scope. Rita has overseen the growth of SPHERE into a leading software company providing its clients with the only end-to-end identity hygiene solution available today.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights