Page 108

Risk Management | Cybersecurity

Leveraging data at the board level Cybersecurity professionals increasingly rely on data to make better decisions regarding prioritising risks and threats. In addition, directors have become accustomed to using metrics to evaluate business and unit performance and return on particular investments.

Despite these trends in using more data at the board level, directors could better enable their companies in deciding how to focus their cybersecurity priorities by better valuing corporate data. Th is article will review how companies fi nd value in their own data, how that understanding does not always align with the IT security staff ’s own data valuations and how a cybersecurity programme can be strengthened by better leveraging a sophisticated understanding about where business value lies within corporate data.

Valuing data

Every corporation uses data in myriad ways to enable their current business, assess how it is doing and prosper in the future. Increasingly, businesses are using data not only to improve their customers’ experience, but also share insights of how customers engage with third parties who can glean other information from the same dataset. Managing all of this data is no longer just an information technology or business requirement but a board concern as well. There are two ways data can offer value to a business: through direct monetisation and through better insight on how the business is operating.1 With direct monetisation, companies can sell their data directly to third parties or provide third parties with insights from the data without selling it, for example, through targeted 108 Ethical Boardroom | Spring 2019

Improving cybersecurity outcomes by sharing information across your organisation Evan Sills & Reda Baig

Evan is a Director and Reda, Associate at Good Harbor Security Risk Management

advertising. Data also provides businesses with the information needed to assess their operations and to determine if the policies implemented are bringing value to the company. Assigning exact value to data is challenging. One needs to Managing all determine how much value the data will bring to the company in of this data the short-run and the long-run. is no longer Understanding the value of data within the enterprise is just an recent study conducted critical to deciding how to protect information byAthe Ponemon Institute it. However, assigning value revealed that organisations to particular types of data is a technology are struggling to assign value complex endeavour that changes or business to data and that one business rapidly and its value may depend component is not likely to on the time frame through which it requirement have a good understanding is being viewed. Data classification but a board of the value of other data is its own specialised field and data concern within the business.2 For can be classified according to how instance, IT security rated it is created, what subject matter it as well R&D documents only half as contains and when it was created. valuable as the business unit who owned the Consider these examples. Board minutes, documents. Alternatively, some businesses containing data relating to fi nancial, legal or functions may be highly sensitive to and operational matters, may be highly personally identifiable information (PII) valuable as they are being developed and being breached due to implications for before an earnings call, but the data will be compliance or reputation but may not of much lower value afterwards. Business understand the actual costs of that type of performance data may be highly valuable breach compared to, for example, the loss internally to the company but of little of intellectual property or a ransomware value to outsiders. Research and attack that shuts down operations. development (R&D) data may be of A similar challenge currently exists in relatively low value to the business in society today, as Facebook’s Cambridge 2019 but it could be critical in 2021.

Profile for Ethical Boardroom

Ethical Boardroom Spring 2019