Cybersecurity, Board of Directors and What This All Means for IT Consulting

Over the past couple of years, boards of directors have become highly aware of the risk of a cyber-attack and more involved in a company’s measures to prevent breaches. Historically, there was less at stake with cybercrime—attacks were less sophisticated, less frequent and less of an organization’s business was online. This, as we know, has changed drastically, as made painfully clear by massive customer data breaches such as the Anthem and Target breaches. Through boards’ informal social and business networks, which often cross industry lines, awareness of new breaches and of the cybersecurity measures organizations are putting in place travels quickly. This is leading to cross-pollination of concerns, cyber risks and cybersecurity investments and, in turn, is accelerating the rate at which boards are becoming aware of cybersecurity vulnerabilities and is driving direct involvement in bringing professionals on board for cybersecurity assessments and

The growing involvement of the board, and also non-IT/security executives (e.g. CEO, CFO, CRO), in cybersecurity matters is changing the skillset required to be a successful cybersecurity consultant. When the primary buyer was the CIO or CISO, cybersecurity consultants focused on advising clients on IT products to protect IT assets (e.g. networks, applications, databases).

Now, in addition to being knowledgeable on tools and products available and IT requirements, cybersecurity consultants must also have strong and established board- and executive-level relationships and be able to identify, measure and convey cybersecurity risks to the business as a whole, rather than only within the IT network.

Additionally, the new cybersecurity consultant needs to possess the ability to assess risks to enterprise customers and business partners, such as discussing a cybersecurity-modified ROI that weighs the value of cyber investments.

This expansion of the cybersecurity buyer is playing out favorably for those consulting providers that have established relationships and credibility with boards and executives at Global 2000

However, a relationship and business-side expertise are not enough—there is still a need for access to leading-edge technologies and expertise in order to deliver a holistic cybersecurity solution. This need is leading to fast-paced investment (e.g. acquisition, partnerships, hiring) by consulting firms to build a cybersecurity practice that can address each angle of a client’s needs from a clearly defined business case down to the technical requirements of a comprehensive

BY ERIN HICHMAN

For additional information on KCRA, please visit

Erin Hichman is Senior Analyst and Lead for IT