Security is a top concern at all levels of the organization, but especially at the board level and C-suite. SoftwareONE’s Mike Fitzgerald champions a “security-first” mentality and discusses the implications of failing to meet industry standards and regulations.
Instances of lost intellectual property (IP) due to data breaches are gaining attention in the mainstream press and in board rooms across the globe. C-suite executives are taking note of these events; security and compliance are no longer just IT issues. They are very real and very urgent business issues. Breaches and noncompliance have a major impact on business. After all, in the U.S. alone, the average data breach could cost a company upward of $7.9 million[1] .
Compliance concerns are receiving attention from existing c-suite executives and have caused enough of a stir to lead to the creation of new roles, such as the Chief Compliance Officer (CCO), who is tasked with understanding and managing the plethora of compliance requirements that organizations must address. The CCO and the Chief Information Security Officer (CISO) need to be aware of compliance requirements on the global level (think General Data Protection Regulation (GDPR)) and on the local level (Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX)), since most organizations store at least some of their data in the cloud. The fine for a breach or lapse in compliance with an industry standard or regulation like GDPR can equal as much as 4 percent of a company’s revenue; that is potentially enough to put a company out of business. This new compliance-driven market makes it imperative to have a security-first mentality when it comes to IT decisions and a thorough understanding of the greater business implications resulting from a lack of proper security practices.
Below are the top three reasons why a security-first mentality is crucial to the success of your business:
1. Security and Compliance Requirements are Constantly Evolving
In many organizations, IT decisions are driven by the need to meet or conform to industry regulations and customer expectations. Once met, it is essentially business as usual. If not properly met, this need can hinder a company’s bottom line. A recent CISCO survey[2] on data privacy benchmarks revealed:
- 59 percent of companies reported that they met all or most of GDPR’s requirements today.
- 29 percent of respondents expect to be GDPR compliant within a year.
While everyone aims for compliance, not all succeed. Organizations face a number of challenges, including the ability to establish data security parameters, provide adequate employee training and stay current with evolving regulations. Only 3 percent of the respondents in the CISCO global survey indicated that they did not believe GDPR applied to their organization, which highlights the fact that the need to conform is not only beneficial, but quickly becoming the industry norm. However, preparedness, or lack thereof, holds global relevance. For example, there was a gap in GDPR “readiness” between U.S. and U.K. companies, with only 57 percent of U.S. companies citing they were ready for to comply with the regulation compared to 69 percent of U.K companies[3]. This further supports the necessity of conforming and the difficulty organizations face in trying to prepare for any regulation properly on a global level.
Despite the recent focus on GDPR, it is not the only regulation forcing organizations to step up on the security and compliance fronts. In the U.S., HIPAA was launched in 2006 to secure electronic health records and ensure the confidentiality of patients’ health records. From a patient privacy perspective, HIPAA is one of the most significant standards in the health care industry, as records are often sensitive. More than 10 years since HIPAA launched, exposed patient health care records are reported on a daily basis. In 2016, new HIPAA guidelines involving cloud computing were issued for how Business Associates (BAs) and Cloud Service Providers (CSPs) should behave to be compliant with cybersecurity regulations. This included significant fines for data breaches, data loss and data theft. According to a recent survey[4], the percentage of organizations that report they are required to issue a cybersecurity disclosure continues to increase, rising by 13 percent for the second year in a row.
2. Customer Security Concerns Directly Impact Sales
Gaining – and keeping – customer trust is essential for all companies, as security-related concerns can be a deal breaker for most customers. When a customer lacks faith in the security of a relationship, the impact is significant. In fact, 87 percent of respondents[5] said sales cycles can become stalled, which ultimately impacts revenue targets due to existing customer or prospect privacy concerns. This concern seems to continue to carry more weight as this percentage is increasing on an annual basis.
A stall in a sales cycle due to customers’ data privacy concerns can have a companywide impact.
- The average sales delay[6] is 3.9 weeks, but more than 94 percent of organizations reported delays between zero and 10 weeks. Some organizations reported delays of 25 to 50 weeks or more.
- In the U.S., the average sales delay was 3.7 weeks, while in the U.K. this delay grew to 4.9 weeks[6a].
A lack of trust can have a long-lasting impact on a company’s sales, which is clearly more widespread and tangible than just a feeling of a customer’s hesitation. A loss of sales opportunity goes beyond the sales department and can ultimately hinder a company’s reputation and employee trust if not addressed properly.
3. Being Up-to-Date on Privacy Standards is an Investment in the Future
Being up-to-date on evolving security requirements is an investment in both present-day and future business concerns and can set a business on the path to success.
The least prepared organizations have average sales delays that are nearly 60 percent[7], longer than those who fall into the most prepared group. While a majority of companies surveyed reported having a data breach in the last year, a lower percentage (74 percent)[8] of the GDPR-ready companies were impacted, compared to 80 percent of the organizations less than a year from GDPR readiness and 89 percent of those that are farthest from being GDPR ready. HIPAA’s Cybersecurity Framework[9], created in 2014, provides organizations with the necessary outline for their cybersecurity practices to best prepare for the future. Implementing this framework would provide organizations with a voluntary, risk-based approach to security to help manage, understand and communicate cybersecurity risks. This encourages organizations to take a preventative approach to cybersecurity rather than relying on reactive measures alone.
Security is a top priority for businesses today. Having an up-to-date, comprehensive cybersecurity strategy that is ready for any new regulations or standards can put your organization one step ahead, eliminate any concern that could directly impact sales and invest in the future of the business. A recent survey reported that 56 percent of C-level executives believe their organizations have migrated security workloads to the cloud, giving security a prominent seat at the boardroom table and making it a topic that can no longer be ignored.
[1] IBM, 2018 Cost of a Data Breach Study: Benchmark research sponsored by IBM Security Independently conducted by Ponemon Institute, July 11, 2018 [2] CISCO, Maximizing the value of your data privacy investments: Data Privacy Benchmark Study, January 24, 2019 [3] Ibid. [4] Protiviti, Benchmarking SOX Costs, Hours and Controls, August 9, 2019 [5] Ibid. [6] and [6a] Ibid. [7] Ibid. [8] Ibid. [9] U.S. Department of Health & Human Services, HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework, February 22, 2016