In short, it's time to provide financial benchmarks to cybersecurity. Securing corporate America is not a technology problem. Shareholders need to value cybersecurity and begin to punish poor performance in this area.
Until the economic incentives driving behavior related to cybersecurity change, very little else will. Take, for example, the truism that stock prices get hammered and CEOs get fired when they consistently miss their revenue or profitability targets. Why do they then get a pass when it comes to losing millions of dollars as a result of negligence in addressing cybersecurity concerns?
Unfortunately, there’s little market incentive for executives to take their focus off of growth and profits to worry about breaches. That’s true because, even though hundreds of millions or billions of customers may be affected, their companies’ stock prices during and after the disclosure of high profile-data breaches may decrease only slightly and often a quickly recover.
Indeed, a company’s data assets may be hard for investors to find. Today, it’s likely that some of a company’s most valuable and vulnerable assets don’t even appear on the balance sheet. How much is your email database really worth? Probably not much in conventional accounting terms. But consider what its value might represent if it were completely locked down and made inaccessible by ransomware or hacked and placed on Pastebin for anyone in the world to download and peruse?
