The triple threat that should be at the top of every corporate agenda

April 29, 2024
For information security professionals, the intersection of these three topics is particularly noteworthy.

Security, sustainability, and automation and user experience have dominated conversations at user conferences, analyst events, and other IT industry events for much of 2023. Those conversations promise to continue into 2024, giving IT leaders a glimpse of the year ahead. And for information security professionals, the intersection of these three topics is particularly noteworthy.

Below, we’ll look at the risks that cybersecurity threats pose to individual and collective sustainability efforts. We’ll also look at automation and user experience and at corporate governance as ways to mitigate those risks and possibly eliminate some of them altogether.

Formidable cyberthreats to sustainability

Sustainability refers to the judicious use of natural resources to ensure their long-term viability and availability. The three foundational elements of sustainability are its social, environmental, and economic aspects, each of which is uniquely impacted by cyberattacks and their repercussions.

Social. Companies are under constant cyberattack. The constant barrage takes a toll on info security and IT professionals, business users, and the general public. As the number of cyberattacks increases year on year, the pressure on people inside and outside the organization increases with it. People living under constant stress risk physical and mental health problems including heart attack, stroke, anxiety, and depression.

The social threat posed by cyberattacks may be most extreme in the healthcare sector, where lives are literally at stake. In 2020, a ransomware attack on a German hospital led to the death of a patient suffering from heart disease. The New York Times reported it as the first known death from a cyberattack. In its 2023 Data Breach Investigation Report, Verizon refers to healthcare as “a sector under siege.” Cyberattacks kill when they prevent or delay life-saving care because health care providers can’t access patient information, diagnostic equipment, and other digital resources.

Environmental. Critical infrastructure sectors—chemical, energy, food and agriculture, transportation systems, water and wastewater, etc.—rely heavily on digital systems that are at risk of cyberattacks. An attack at a nuclear power plant might ultimately result in deadly levels of radiation and radioactive contaminants being unintentionally released into the surrounding environment. 

Likewise, an attack on a chemical plant might lead to the unintentional release of toxic gases. The environmental damage can be catastrophic—think Chernobyl, Fujiyama, or Bhopal—and can be felt for decades.

Similar risks face smart cities, which use digital technologies to improve municipal operations and services. Developing countries, in particular, are investing heavily in smart cities and green buildings. If a cyberattack targets the public utilities infrastructure of a smart city and incapacitates its waste management systems or electric grid, the environmental consequences can be dire.

When it comes to renewable energy, cyberattacks pose a different kind of threat. Cyberattacks on the renewable sector threaten environmental degradation directly. Instead, they threaten the success of environmental improvement, either by stalling renewable energy research, development, and adoption or by preventing it altogether. Proven renewable sources may be deemed unreliable while research into promising but nascent alternatives is abandoned. 

Economic. The economic impact of cyberattacks is likely the most well-documented aspect of the sustainability triad. Calculating the costs associated with a data breach, IBM reported that “the global average cost of a data breach in 2023 was USD 4.45 million.” The company found that the healthcare sector paid the highest average cost, USD 10.93 million. Those figures cover costs associated with detection and escalation, notification, post-breach response and lost business. 

Regulatory fines, which IBM factors into post-breach response costs, merit special attention.  Failure to comply with industry regulations such as breach reporting timelines or implementing appropriate security controls can have an outsized impact on the cost of breach. Equifax was fined USD 575 million for its 2017 data breach, and T-Mobile was fined USD 350 million for a 2022 breach. While extreme, such fines reinforce the gravity of proper security.

Not surprisingly, the costs of a breach have driven countless companies out of business.  “According to the National Cyber Security Alliance, 60 percent of small and midsized businesses that are hacked go out of business within six months,” Inc. reported in a 2018 article. And constant advances in cyberattack methods ensures that a significant percent of hacked companies will continue to go out of business for the foreseeable future.

Promising responses for cybersecurity

The cyberthreats to sustainability are being countered by progress in the field of automation and user experience and the field of corporate governance.  Taken as a whole, the progress reflects the promising evolution of cybersecurity as a technical challenge and a board-level concern.

Automation and user experience. The advantages of automating security-related tasks are hard to overstate. If you can automate some or all your threat detection or incident response processes, everyone benefits—security analysts, business users, and the company at large—especially when there is a shortage of skilled, IT security professionals.

For example, an automated SIEM or security analytics solution that relies on AI and ML has adaptive thresholds that adjust dynamically and automatically, without human intervention. The automated solution learns on its own by analyzing the behavior of every user and entity in the network. It then sets a unique threshold for each user and entity, based on the behavior of each user and entity. As the baseline behavior of the user or entity changes, the solution automatically adjusts the threshold to accommodate the new baseline.  

For security solutions, there’s a difference between user experience and analyst experience. The user experience is all about the look and feel of the UI, and the user’s ability to navigate the product, moving from one tab or function to another, and ultimately get the job done with ease. The analyst experience is a subset of user experience that focuses specifically on the security analyst’s workflow itself from threat detection to investigation and response.

Corporate governance. While CISOs typically report to CIOs who in turn report to boards of directors, that’s beginning to change as security becomes a higher priority. Now, CISOs are starting to report to the CEO and update the board of directors directly on risk levels and security posture so that the board can best govern and oversee their company’s cybersecurity efforts.

In addition to a better-informed board, the move prevents conflicts of interest that could arise when the CISO reported to the CIO. After all, the CIO is responsible for implementing technologies that work for the company. The CISO is responsible for probing the CIO’s proposals, looking for weak spots and anticipating what might go wrong if a particular security strategy is pursued or technology is implemented.

Conclusion

Today’s IT security professionals find themselves at the nexus of their companies’ activities, thanks to the relentless expansion of digital technologies into corporate life. As a result, the security pros are in a unique position to advise and act on opportunities presented by sustainability, security, automation and user experience. Company directors and senior leaders should take advantage of that experience and insight.

 

Ram Vaidyanathan is a cybersecurity & SIEM evangelist, product marketing manager, and industry expert in IT security and cyberrisk at ManageEngine, the enterprise IT management division of Zoho Corporation. He keeps himself updated about the latest techniques attackers use to compromise organizations and how we can defend ourselves. His responsibility includes informing product roadmap decisions and helping customers deploy and get the most value from ManageEngine Log360, a comprehensive SIEM solution.

Brent Dorshkind is an enterprise analyst and content manager at ManageEngine. He covers leadership, management, and culture and favors big picture, Infinite Game-style strategies and their application in the IT department and the organization at large. Brent believes today’s IT leaders are among the best qualified candidates for the CEO seat, thanks in part to the acceleration of digital transformation in the workplace. His goal is to expose leaders at every level to ideas that inspire beneficial action for themselves, their companies, and their communities.

About the Author

Brent Dorshkind

Brent Dorshkind is an enterprise analyst and content manager at ManageEngine. He covers leadership, management, and culture and favors big picture, Infinite Game-style strategies and their application in the IT department and the organization at large.

Brent believes today’s IT leaders are among the best qualified candidates for the CEO seat, thanks in part to the acceleration of digital transformation in the workplace. His goal is to expose leaders at every level to ideas that inspire beneficial action for themselves, their companies, and their communities.

For more than 30 years, Brent has advocated information technology as a writer, editor, messaging strategist, PR consultant, and content advisor. Before joining ManageEngine, he spent his early years at then-popular trade publications including LAN Technology, LAN Times, and STACKS: The Network Journal.

Later, he worked with more than 50 established and emerging IT companies including Adaptec, Bluestone Software, Cadence Design Systems, Citrix Systems, Hewlett-Packard, Informix, Nokia, Oracle, and Sun Microsystems.

Brent holds a B.A. in Philosophy from the University of California, Santa Barbara.