Boards can help tech firms build cyberagility

Executive summary

Cyberattacks are targeting tech firms with growing frequency and complexity. At the same time, evolving regulations are affecting the use of AI and the data stores on which it depends. That’s part of why the industry’s board members and investors need to adopt a proactive perspective about cybersecurity and data protection. These issues are no longer just technical concerns — they tie to business risks that require ongoing education and awareness, as tech firms work to achieve cybersecurity maturity and move toward cyberagility.

As technology becomes increasingly connected and AI-driven, new vulnerabilities emerge. A growing number of cyberattacks are targeting midmarket tech firms, where defenses might not be as robust as at large firms and attackers can find valuable data — or points of entry into larger software supply chains.

With attacks increasing in frequency and complexity, board members and investors at tech firms need to adopt a proactive perspective about cybersecurity and data protection.

“I would encourage all members to continue getting educated. Cybersecurity is such a fast-paced field that, without that education, it could be hard to provide effective oversight.”

Derek Han
Partner, Cybersecurity and Privacy Leader, Risk Advisory Services
Grant Thornton Advisors LLC

“Boards are actually forming subcommittees to deal with cybersecurity,” said Grant Thornton Technology Industry Head Andrea Schulz. “They want to increase their level of attention on it.” Grant Thornton Cybersecurity and Privacy Leader Derek Han said that board members should consider sharpening their knowledge about cybersecurity issues. “Some boards already have individuals with knowledge in cybersecurity. I would encourage all members to continue getting educated. Cybersecurity is such a fast-paced field that, without that education, it could be hard to provide effective oversight.”

Cybersecurity and data privacy can have multiple layers at technology companies — for the organization, products and services — and a failure in any of these layers can affect the enterprise. “Cybersecurity is a strategic investment to protect the company’s brand,” Han said. So, what do board members and investors need to understand about the cybersecurity and data privacy risks facing tech firms today?

Establish points of reference

Board members and investors need points of reference to evaluate or provide oversight of a company’s cybersecurity and data privacy. Frameworks can help establish maturity, metrics can track risk management, and spending can provide context within the industry sector.

Frameworks

Frameworks can give board members and investors a starting point and a foundation. The National Institute of Standards and Technology (NIST) offers several important risk management frameworks, including the NIST Cybersecurity Framework. “Everyone can look at the framework, measuring your overall security posture and maturity compared to your peers and the industry,” Han said. “The maturity score from this framework is a common foundation.”

Metrics

Beyond frameworks, tech firms can provide metrics that help leaders see how management is handling risks over time. “Larger tech companies have consistent reporting that they provide to the board — year-over-year performance against the same criteria, how they’re measuring it and how that aligns to strategic planning,” said Grant Thornton Privacy and Data Protection Principal Ariana Davis. “It’s important to avoid overwhelming the board with a lot of metrics and details, but to be able to benchmark where you are.”

Smaller or newer tech firms might not have a history of metrics to evaluate — so, what should reviewers ask to see? “Look for risk-reduction metrics, whether they are internally identified or externally identified — from the certification program, internal audit or external audit,” Han said. “These risks got identified, so how many were there? How many are being remediated?” These metrics can help translate security risks into business impact, connecting cybersecurity to a broader risk management perspective. 

Spending

Beyond the metrics for performance and risk management, the amount of money spent on cybersecurity and data privacy can be an important reference point.

Spending can be especially relevant for companies that want to move beyond baseline compliance. “You can invest in cybersecurity as a competitive advantage, so you might actually want to invest more than industry peers,” Han said. Look at spending over time, as compared with other firms, to trace the impact of new technologies, changing customer needs and evolving risks.

Monitor evolving risks

Cybersecurity and data privacy risks evolve quickly. Board members and investors cannot maintain a constant awareness of these complex changes, but an overall awareness can help them evaluate management’s readiness for evolving risks.

Data transfers

Recent U.S. governmental actions have restricted the transfer of sensitive personal data to certain countries, and have specified security requirements or prohibited certain bulk data transactions. As the rules and regulations governing data management change, companies must be ready to ensure their compliance for business continuity. “We’re starting to see that you need to make sure the foundations are in place to respond quickly for these types of asks,” Davis said. “A lot of tech companies are dealing with large volumes of information that might now be considered sensitive but aren’t otherwise regulated. They need to make sure that they have adequate controls for how it’s being transferred globally.”

“A lot of tech companies are dealing with large volumes of information that might now be considered sensitive but aren’t otherwise regulated.”

Ariana Davis
Principal, Privacy and Data Protection
Grant Thornton Advisors LLC

Han noted, “A lot of European countries have data residency rules that encourage you to store data locally or regionally versus transferring it outside Europe. Generally speaking, cross-border data transfers will continue to be an issue for a lot of technology companies because companies tend to want to centralize data for improved efficiency.” Data centralization often facilitates AI solutions that involve data analysis, machine learning and predictive intelligence.


Artificial intelligence

“AI wants all of the data, and so the potential risks around how you’re collecting data, using it or combining it become especially important for tech companies,” Davis said.

As tech firms adopt, implement and develop data-driven AI capabilities, they must maintain an awareness of the risks and regulations across the countries, regions and states where their operations and customers reside. “We’re probably going to see more enforcement action take place in the next two or three years,” Han said. To help ensure readiness for evolving technologies, regulations and risks, board members can look for ways to help companies build agility.

Build agility

Board members and investors can look for ways that companies are — or aren’t — prepared to respond to evolving risks and regulations.

Certifications

Like frameworks, certifications can provide a foundation for assessing a company’s cybersecurity and data privacy readiness. ISO/IEC 27001 certification, Payment Card Industry Data Security Standard (PCI DSS) compliance, Federal Risk and Authorization Management Program (FedRAMP) authorization and other external attestations can demonstrate a company’s readiness for evolving risks.

These certifications can be important for customers as well. “When a product is certified, that can really improve the confidence of clients and customers,” Han said. “That’s one part of it. The second aspect is building security into features by design as AI becomes mainstream. Push to get a sturdy build into the product features, versus just another layer of physical control.” As companies build security into development processes, they can also streamline those processes.

Automation

Tech firms can improve and streamline security on the development side by using automation to help identify, address and test vulnerabilities before release.

“Automation will take a major role in cybersecurity programs for technology companies in the next two or three years,” Han said. “You’re probably going to see more efficient investment and more productivity, accuracy and protection for technology companies, from not only the infrastructure standpoint but for their product and services.”

To further streamline risk reduction during development, tech firms can also consider the data they use.

Synthetic data

Companies can artificially generate “synthetic data” that has similar characteristics to real-world data but doesn’t connect to real people.

Synthetic data helps tech firms train AI models without the risk of exposing real and protected information, especially in heavily regulated tech sectors like healthcare, finance and insurance. Synthetic data can also help tech companies that don't have access to enough real-world data for AI model training or testing. “Some tech companies are investing in synthetic data to stay at the cutting edge,” Davis said, “but that field has required heavy investment.”

Whatever method companies choose, it’s important for them to build agility that will help them adapt to regulations and requirements in the future. “The whole idea of AI versus data issues, from a regulatory standpoint, will continue to be a very hot topic for debate and discussion,” Han said.

Get ready for what’s next

“Beyond seeking maturity, it’s a question of continuous improvement and continuous agility.”

Andrea Schulz
Head of Technology Industry
Grant Thornton Advisors LLC
Partner, Audit Services, Grant Thornton LLP

With preparation and agility, tech companies can keep ahead of the next evolving risks and regulations — even if that preparation goes uncelebrated. “When it comes to a company’s cybersecurity policy, the point is to stay out of the headlines,” Schulz said. She added that boards and their cybersecurity subcommittees are helping companies stay that way. “On these committees, processes are being put in place to prevent cybersecurity incidents from happening. What subcommittees are looking for is the management response to proactive preventative measures.”

This proactive view can push tech firms to achieve cybersecurity and data privacy maturity, then move beyond that to agility.

“Cybersecurity is constantly changing at this point,” Schulz said. “It's really about having that continuous learning at the board level. Beyond seeking maturity, it’s a question of continuous improvement and continuous cyberagility.”
