"CIOs have always been interested in the issues but now you're seeing CEOs, CFOs, CISOs, and [people] at the board level wondering what questions they should be asking and how to protect shareholder value," said digital forensics specialist Erin Nealy Cox, executive managing director of Stroz Friedberg. "They want to tell their boards they're doing everything they can. But they can't make their company invincible. The threat is evolving and you have to be realistic about it."
"The reality is you're not going to protect yourself from a breach, you're going to be breached," said Paul Kleinschnitz, senior vice president and general manager, cyber security solutions, First Data Corp. The goal, say the experts, is to manage the response to a breach, something that still isn't happening as frequently as it should given the number of high-profile data breaches that occurred in 2014 alone.
"There has been a paradigm shift within the security industry. We're incident responders, but we have to stop waiting," said Cox. "Companies are just waiting to be victimized, [roughly] 70 percent of companies are not finding out about their breaches on their own, they're being told."