Growth series: IT, cybersecurity have key roles

Mid-market companies may be vulnerable

For some companies, the motivation to improve cybersecurity is increased when a cyber insurance provider raises rates or threatens to deny coverage because controls aren’t strong enough.

“You can spend less on cybersecurity, but your insurance premium would go up and then if you experience a breach, you’d have to pay for that as well,” Han said. “There’s no free lunch in my opinion. You have to spend money. But also, I believe as the industry adopts more standard controls, the cost will go down. You look at Microsoft, and they’re building a lot of their cybersecurity solutions into their Microsoft 365 subscriptions. More and more, cybersecurity will become a feature of your computing devices. I think the cost will come down.”

Cybersecurity risks may be particularly challenging for mid-market companies with less than $500 million in annual revenue. They often have a director or vice president of IT, but not a dedicated chief information security officer. If the IT leader is not a cybersecurity expert, the company might be lacking in controls and cyber resilience.

Origitano said mid-market companies may be especially vulnerable when they are in the news because of an acquisition. He said the impetus for cybersecurity improvement at these companies may come when a strategic buyer wants to improve their controls.

It should be no surprise, then, that IT maturity and cybersecurity have become core elements of due diligence activities related to transactions. They’re also considered when companies are choosing suppliers.

“If your business model is one where you’re holding data or anything else belonging to a client, you had better have these controls in place,” Origitano said. “Nowadays companies are getting more sophisticated when they do their own diligence on a provider or supplier. If you don’t have the right controls in place, a potential client may pass you up and find a different provider.”

2:48 | Transcript

Plan for every scenario

In addition to improving IT assets and augmenting cybersecurity controls, companies can drive growth by building cyber resilience into their organizations. This is built by creating a team composed of key people throughout the organization who would be crisis-mode responders in the event of a cyber incident. This team should meet regularly and practice cyber incident scenarios.

One of the issues this team would discuss is disclosures, as new regulatory requirements are emerging that may compel reporting of a cyber incident within just a few days. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. Additionally, proposed amendments to the New York State Department of Financial Services Part 500 Cybersecurity Regulation (23 NYCRR Part 500) would require such timely reporting for covered entities.

Meanwhile, Han predicts that automation will emerge as a key element in cybersecurity in the coming years.

“We don’t have enough humans and talent for all the cybersecurity jobs,” Han said. “Globally, we’re 2.7 million jobs short from a cybersecurity perspective. We don’t have enough humans to do it. Automation is definitely a key focus for gaining more visibility, quicker response time, quicker remediation and quicker detection.”

This will be yet another technological opportunity that companies can take advantage of in their continuing quest for growth.

Contacts: