When the Unthinkable Happens

As chief information officer of FireEye, an industry leader within the cybersecurity world, I deal with risk every day. It’s part of why I jumped at the chance to be the guest editor for this issue of Profile, which is focused on reconciling IT and cybersecurity issues while meeting the bottom line. I live this balancing act every day.

The sad truth is cyberbreaches are inevitable—even with the very best technology. The most effective thing we can do is prepare for the worst and lessen our exposure to risk. For me, this includes working with the executive team to measure the company’s level of vulnerability, getting buy-in from across the organization on how much risk is acceptable, and negotiating which security concerns need to be addressed at the executive level. Armed with these steps, we’re in a better position to strategize about balancing IT and security concerns.

The average cyberattacker spends 146 days inside a network before being detected, which is ample time to steal data, and damage your company’s bottom line and reputation beyond repair. It’s why I take this issue so seriously and why I think you should too.

Business needs change over time, as do security risks, and unfortunately, most of us don’t have unlimited IT budgets to address them all. When you’re considering whether new technology is worth the investment, ask yourself: how important is this change to the company? Is it impeding business operations to keep the status quo? Will this change create potential data leakage or privacy concerns? The challenge is balancing productivity and security, and the answer varies depending on your enterprise and your needs.

The newest technologies provide more information than ever. More data means more chances to find and stop an attack; it can also mean more noise that requires extraordinary amounts of manpower and expertise to address. Context is crucial—correctly identifying attackers, their motives, and their methods can save valuable time and money. It’s part of why FireEye provides as much context as possible, so efforts aren’t wasted chasing false positives instead of stopping attacks.

Ultimately, you and your executive team need to determine what level of risk is comfortable and take precautions to protect yourself. A robust security program requires a budget to support it, which means the executive team needs to work together on determining liabilities, measuring and rating risk, and what it will take to protect the enterprise. Together, they need to answer the challenging questions about security posture and risk tolerance, and to agree on a worst-case plan for when the unthinkable happens.

Cybersecurity is an executive-level issue and if the executive team doesn’t care about it now, you can bet they will care deeply when attackers have found their way into your network. Cyber risk can’t rest on the shoulders of the CIO, just as it cannot be managed by the IT department. It’s an enterprise-wide issue with enterprise-wide implications. The executive team needs to be involved in decision making, and they have to understand enough about their organization’s security to get the board’s buy in. It’s a balancing act that protects everyone: the enterprise, the employees, the shareholders, and the company’s future.

Read Cullivan’s Q&A with Profile here