No one can be an expert on everything, which is why companies aren't run by just one person. But there is one critical area that every organization's leadership needs to be knowledgeable about at all times: risk.
We've seen what happens when an organization isn't properly aware of — or prepared to handle — risk. Most commonly, risk-related incidents take the form of cybersecurity breaches that result in the loss of confidential and customer data, which can ultimately damage a brand's reputation.
Recently, we saw a risk-related scenario play out in finance instead of cybersecurity for a change: the Silicon Valley Bank crisis. While there has been much discussion of what went wrong at Silicon Valley Bank, it's clear that the situation could have been much worse. The banking industry has safeguards designed to mitigate financial risk, which is something the cybersecurity industry can learn from.
Consistent, Transparent Measurement and Reporting
After the Great Recession, new government regulations began requiring banks to measure and prove their financial positions on a daily, weekly, and quarterly basis. This level of visibility is what led the SVB crisis to become public knowledge and addressed quickly. When it comes to the security and privacy risks for a business's software, there are no requirements for real-time visibility into risk. Many companies rely on point-in-time reports, which become out of date as soon as they're published.
What will it take for software companies to continuously measure and share their security and privacy posture? If we want our industry to become more accountable, we need to evolve our expectations about what we should report, and when. By requiring more transparency and tolerating a more honest, if imperfect, view into security posture, we can get a more accurate understanding of how to prevent and address security issues.
Assessing the Business Impact of a Security and Privacy Risk
Banks have a way to measure the financial impact of their investments and balance it against their liquidity requirements. SVB tried to do this and raise the capital it needed, but wasn't able to, leading to the crisis playing out as it did. Software companies, however, have been unable or unwilling to measure and communicate the potential business impact of violating security and privacy commitments. This creates a couple of problems: leaders fail to recognize the important role that governance, risk, and compliance (GRC) teams play in protecting revenue, and it can be hard to prioritize security and privacy projects. Connecting GRC programs to revenue and liabilities is critical to earning the recognition they deserve, as well as to determining how to resource them.
How to Protect and Inform Customers
When SVB shut down, all its customers were at risk of not being able to keep operations flowing as usual because they didn't have access to their monetary assets. Similarly, organizations rely on SaaS solutions as part of critical day-to-day operations. When a breach or cybersecurity incident does happen, there are some best practices to consider to keep it from becoming a national news crisis that shuts down operations.
- Secure your operations, and bring up a second environment: Before you communicate to customers, take steps to secure your operations. In an ideal scenario, you will restore your product from a backup environment. Remember, the one thing that is worse than a single data breach is multiple data breaches. Securing your operations and running off a second environment protects your business quickly.
- Consistent and thorough communication: When a breach occurs, your customers want to know four things: what time the incident happened; whether their data was stolen; what other kinds of risk their data was exposed to; and what obligations or actions they have with regard to regulators, customers, company directors, and others. Your communication strategy with your customers must provide frequent, timely, and comprehensive updates across multiple communication channels to ensure that all affected parties receive updates regularly.
Transparency and Trust
The SVB crisis was unfortunate, but it could've been much worse if not for our financial system's safeguards and reporting requirements. This is something the software industry can learn from when it comes to improving how our own crises (cyberattacks and breaches) are handled. Requiring more consistent and detailed reporting in security and risk creates more accountability and transparency, and in turn builds trust. Honest, clear communication and maintained trust are critical pillars that allow organizations to conduct healthy business without worrying that operations might come to a standstill at a moment's notice.