Cybersecurity for Executives

Teri Radichel
Apr 30, 2019 · 8 min read

Why executives need to care more about cybersecurity


I recently taught my to a multi-national organization and was asked how to discuss information security and cybersecurity with executives. I’ve been asked this question before, and it is something that has been on my mind lately so I thought I’d write about it. I’ll explain why executives at the highest level should know more and invest more in cybersecurity. In fact, I’ll be writing a modern book one blog post at a time on the topic of cybersecurity for executives. In the next post, I offer a in ways that provide a positive return on investment instead of just buying a product or service and hoping it works.

Cost-Benefit Analysis

Most executives probably understand that data breaches are costing organizations money in terms of fines, fees, and legal battles, but let’s break this down in a bit more detail. At one point I heard a security professional suggest not to use the cost of a breach as a basis for more investment, because the losses associated with a breach do not offset the upside of skipping security. That cost-benefit analysis is going to be relative to the organization and the size of the security incident, as I will explain.

Get the full book by Teri Radichel in paperback or ebook format on Amazon:

This equation is also changing now that . Many other countries and states are considering or have passed privacy and data breach laws that may incur fines on top of that or even if you don’t serve European customers. More legislation will be coming if companies do not take responsibility for information security in more effective ways — in fact, it may be too late. New privacy legislation is delaying business initiatives and costing companies money as explained by the CISO of Sumo Logic, George Gerchow, in a recent podcast I was on with him.

What is the cost of a data breach?

The average cost of a data breach per the was $3.86 million. For some companies, this may not be a large number. That dollar figure is going to hurt smaller companies more than bigger companies. But remember this is also an average. There are different sizes of data breaches, and a large company with more money or data may be a bigger target. Ponemon estimates the cost of a breach of 1 million or more records at $40 million and the cost of a mega breach at $350 million.


Since the initial writing of this blog post

The harm to the brand of an organization after a data breach may be hard to quantify but consider this. The cost of the breach includes lost revenue if customers choose not to use your product, invest in your company, or buy from your store or web site after a breach. Although some companies bounce back after a breach, who can say that they would not have had even greater success without the breach? How far ahead did their competitors advance while they were dealing with the incident? If organizations lose financial data, the effect on a brand may be more detrimental according to past .

Lost time is also a factor in a data breach. Do you want to be spending your time talking to lawyers and the news media, and having your support staff explain to customers what happened and whether they are affected? I have seen entire support teams tied up with a big issue while other staff members had to get on the phones to cover emergencies the existing support staff could not handle alone. I’ve also seen teams pulled off big projects to triage security issues when sufficient resources were not deployed in advance to understand and prevent the problem. What positive things could your business be doing instead of dealing with a data breach?

Executives may be personally affected by a data breach

Recent large scale data breaches have resulted in CEOs testifying in front of Congress including the and breach. Some executives involved in massive data breaches and privacy scandals have been speaking to governments all over the world. For example, . In some cases, CEOs, CISOs, and others have lost their jobs including the and breaches. Hiding a breach did not go so well for the subsequently fired CISO of . A bill has been proposed in the US that could result in . Australia’s parliament passed a law that includes imprisonment of

Board members may be held liable and face lawsuits

This article from Goodwin Proctor, , sums up a landmark case and provides some recommendations for moving security from the server to the boardroom:

In its 1996 Caremark decision, the Delaware Chancery Court declared that, in such actions, directors can be held personally liable for failing to “appropriately monitor and supervise the enterprise.” The court emphasized that a company’s board of directors must make a good faith effort to implement an adequate corporate information and reporting system. Failing to do so can constitute an “unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.”

We are in a cyberwar

This statement is not political, and it is global — it applies to any organization in any country where people care about the well-being of their families and fellow citizens. It is not an attempt to spread FUD (fear, uncertainty, and doubt). It is just a fact. I have been researching cybersecurity for years — since my first data breach and through my time working on the security research team for a security vendor. I am a member of and other organizations that provide information about cyber attacks and breaches. I spent over five years getting a master’s degree in information security engineering from the top cybersecurity professionals in the country, who have worked for elite security firms and in government organizations. I have also taught classes to government organizations and individuals involved in national security. I hold a SANS certification. I research. A lot.

A cyberwar is going on between organized crime and organizations, and between countries. Reports indicate that countries are working together with those involved in organized crime. Many . Organizations are losing proprietary information in data breaches that cause loss of business and competitive advantage. If you want to read more about it, I could give you a whole list of books and articles, but I’m not going to do that here. Maybe I’ll save that for another blog post. I also talk about how these attacks work in my class.

What you need to know is that your systems are under attack. In some cases, even though the attack on your system may not harm your business or your network, and you may not even notice it, the compromised systems may be used to harm other people and systems. No matter what country you live in, you have a vested interest in protecting systems against cyberattacks that could ultimately harm hospitals, industrial control systems, communications systems, election systems, financial organizations, and more. The ultimate damage could be worse than a data breach of your organization.

These are the things I would tell all executives if I could, and I do when I give or teach organizations about . Hopefully, this will help you when trying to obtain investment for cybersecurity initiatives at your organization. In a subsequent post, I will explain what executives can do to help prevent data breaches and improve return on cybersecurity investments.


© 2020


Seeking Cloud Security Training or Classes?

Join students like those from large multi-national organizations, startups, technology, retail, and financial companies, and government organizations that have attended classes taught by Teri Radichel. 2nd Sight Lab offers on-site cybersecurity and cloud security training. Author Teri Radichel, GSE #240, formerly taught for SANS Institute and helped with the cloud security curriculum and has helped multiple companies move to the cloud.

SANS Institute awarded her the 2017 Difference Makers award for cybersecurity innovation for her work in cloud security. She is an AWS Hero, IANS faculty member, and speaks around the world about cybersecurity and cloud security. She doesn’t just talk about cloud security — she helped two companies move to the cloud as a member of the Capital One cloud team and as a director and cloud architect responsible for moving a security company’s product to AWS. She now researches and implements technology for pentesting and security management that she includes in her 5-day cybersecurity class.

Her 25+ years of experience and master’s degrees in both software and security result in class content that can help teams both learn new material and work together more effectively. All 2nd Sight Lab instructors are certified in cloud and security.




Some of the events where will be or has spoken on cybersecurity and cloud security:

Please visit the 2nd Sight Lab website cloud security training and events:

Past Cloud Security Presentations (Videos and Podcasts)



Other past events:

~ Presented to Seattle ISACA and IIA

— Melbourne, Australia

Keynote — Quebec, Canada (October 7–9)

Cloud Security

Cybersecurity in a Cloudy World
