By Cynthia Corzo
As cybercrimes and data breaches continue to impact the global landscape, businesses must look beyond innovation and technological advancements. The escalating situation has redefined the role of cybersecurity and placed it on a steady rise to the C-suite.
Today, the business value of cybersecurity is critical.
The total cost of cybercrime is forecasted to reach $8 trillion in 2023 and $10.5 trillion by 2025, according to data from Cybersecurity Ventures.
“Industries have realized that cybersecurity isn’t an IT problem, now it’s a business problem,” said Yan Chen, Ryder Eminent Scholar Chair in Management Information Systems at FIU Business. “The first step to successful information security management is to get top executive buy-in for cybersecurity investment as it’s not a one-time, but continuous investment on both security technology and people.”
Despite growing attention and budgets for cybersecurity in recent years, attacks have become more common and more severe. IBM’s Cost of a Data Breach Report 2022 noted that the average cost of a breach in the U.S. is $9.44 million.
“The trick is to figure out the appetite for risk so that you’re protected,” said Ronen Lapidot, who sits on the advisory board of the Department of Information System and Business Analytics at FIU Business and is senior vice president of information technology and chief information security officer at Perry Ellis International. “A cyberattack starts in seconds, you need to be ready all the time.”
While the increased digitalization of life and government has brought benefits and value, it has also identified a shortage of cyber skills, explained Sebastian Schuetz, assistant professor of information systems and business analytics at FIU Business.
“People want to be very technical, but it’s also a business problem,” he said. “You need to understand issues including regulatory compliance, privacy and data insurance, products and services. In cybersecurity, business requirements meet technology, so both technical and businesspeople are outside their comfort zone and the mindset hasn’t shifted.”
Schuetz points to a vacuum in the market where business leaders and technology experts – both aware of increasing cybersecurity challenges and the need to learn more about keeping data secure – can’t find resources to focus those efforts where they matter most.
“Areas where cybersecurity needs to be focused are trade secrets and proprietary information,” said Schuetz. “Organizations need to move more to increased cloud security and application security. That changes the game of how data is protected and who is responsible for protecting the data.” Industry insiders point out that, in many cases, hackers are moving faster than the good guys, making it increasingly important for executives to understand how to bridge the gap. Today, it’s possible for anyone on the dark web to acquire either software or hacking skills, just as if they were buying any other software or IT service.
“In the past, attackers needed to be at a master level, but it became such an organized business that you don’t even have to be the smartest in the room,” said Lapidot. “We’re seeing so much malware and ransomware because these things are no longer hard to do.”
Cybersecurity experts who can defend complex attacks, like to the cloud, and work with new technologies are now critical for a broad range of companies of all sizes.
“Though the fast-paced technological advancements and trends enable innovation and competition, sophisticated and emerging threats are prompting companies to reconsider cybersecurity as part of their strategy, reputation and overall success,” said David Tamayo (MSIS ’22), information security supervisor for the City of Miami.
Factors that have enabled malicious actors to gain access to data goldmines include the massive move of many businesses to the cloud and poor security implementations. Other factors include increased use of application programming interfaces, which allow software to share data.
“From the hacker perspective, the popularity of the cloud service model has elevated its visibility as a target,” said Tamayo. “From the business perspective, there has been a trend to embark on zero-trust initiatives, given the benefits in security posture and the recent laws that prohibit the payment of ransom money to attackers.”
Phishing remains one of the top cyber threats for companies. The easiest way to gain access to data is for employees to give out credit information rather than using sophisticated technologies.
Another rising trend is the use of advertising space to either redirect unsuspecting users to malicious sites or perform drive-by download attacks.
Ransomware attacks, which can deliver significant financial losses and reputation damage, reached a high during the COVID-19 pandemic, when companies rushed to implement remote work. Hackers attach sophisticated encryption methods to the organization or individual’s data and demand a ransom for its return.
Lapidot pointed to the need for code developers to build the software and work alongside the company’s security teams to embed the program, make sure the connection is sustainable and identify potential vulnerabilities.
“We had to add behavioral analytics, situational awareness, more focus on ‘they’ll get there soon enough,’” said Lapidot. “It’s a very wide fence to patrol, and we need to look at all the attack vectors.”
The new era of high-profile cyberattacks, in addition to top-level executives’ increased focus on cybersecurity and advances in technology, is redefining where responsibilities lie.
Today, at most companies, it’s in the company’s DNA.
Faiyaz Hack (BBA ’04), senior IT manager at a leading utility company, recalls that when he joined the industry 18 years ago, cybersecurity was not as paramount as it is currently.
Today, all major purchases at the company are required to go through a cybersecurity assessment, and all leadership meetings and town halls wrap up with a message about safety and cyber-awareness. The cybersecurity team has doubled in size over the last 10 years.
“Cybersecurity has to be at the company’s core, part of how the company operates, because cyber adversaries are relentless,” said Hack, who manages a team of IT professionals. “It’s inevitable that you’ll have to deal with a cyberattack. One of the most important aspects is how quickly you can detect, segment and respond to the cyber event.”
The battle of the future: Smart everything will increase the need for cybersecurity dollars.
“Today, we live in a very connected society,” said Hack. “Our homes and automobiles are connected. Technology has evolved and will continue to evolve. The ability to deter, detect and prevent cyber events is going to be critical in the coming years.”
FIU Business will launch an MBA in Cybersecurity Risk Management program in fall 2023. The program is designed for working professionals who have established themselves in the cybersecurity field with more than four years of experience. It aims to develop executive leaders who can look beyond technology alone and consider the business implications of cybersecurity strategies, investments and risk.
Taught fully online, the 20-month program includes two optional on-campus residencies at FIU’s main campus.
The STEM-designated program will prepare students to take cybersecurity leadership positions in the international business C-suite, with the capability to manage the cybersecurity function and engage in cybersecurity strategic planning, risk management and investment portfolio management.
Students in the program will learn cybersecurity analysis, strategy, policy and governance, cybersecurity risk management, business continuity and incident response, and cybersecurity standards and frameworks.