We can see cybersecurity as a business enabler rather than just a cost, says Manny Rivelo, CEO of cyber firm Forcepoint.
Every week it seems like there is another high-profile cyber attack, data breach or incident that shows just how aggressive and disruptive cybercriminals have become. One in five UK businesses have experienced a negative outcome as a direct consequence of a cyberattack, according to the UK’s Department of Culture, Media and Sport (DCMS) Cyber Breaches Survey.
As businesses move more of their data and operations to cloud-based environments, there has been an accompanying increase in the threat of sophisticated ransomware, software supply chain attacks, and exploitation of unpatched vulnerabilities of all kinds. And that’s before you even consider the potential spill-over into the digital world from real-world conflicts.
The upshot of all this is that a paradigm shift is happening in organisations across the world, and adapting to cyber risk is both the cost and driver of doing business today. Perhaps the best way to visualise this is to think about it in terms of the balance sheet. Seven out of every 10 breaches are motivated by money. We’re seeing ransomware attacks every 11 seconds, and more than 80 per cent of organisations that pay ransoms are attacked a second time.
Alongside profiting from ransom payments, cybercriminals and nation-states alike are also stealing intellectual property. The private sector and the vast troves of proprietary information that it stores digitally are their number one target here, but we can also expect operating technology to end up under more frequent attack. The Colonial Pipeline attack was just one example.
On the other hand, cybersecurity is also a business enabler. Forcepoint recently surveyed more than 500 CEOs and CISOs and found 41 per cent agree that cybersecurity delivers a competitive edge, with 48 per cent believing it also has a bigger role in facilitating innovation.
While planning for and managing risk may appear purely a reactive and defensive strategy, the reality is that it also provides an outlet for innovation – and the C-suite are increasingly aware of this. But how can leaders better understand what risks they’re facing, and find those opportunities? It begins with aligning the cyber risk management that’s taking place with the strategic needs and outcomes of the business:
- Weigh up the economics of cyber risk. Entering a new market or product category, for example, may carry substantial business opportunities and advantages. But there may be accompanying cyber risks, like intellectual property theft or increased network exposure, that could be just as, or even more, substantial. Assess whether the trade-off between digital transformation and cyber risk will be worthwhile before moving ahead.
- Carry out scenario planning. Many organisations already do some form of this when it comes to disaster preparedness, but it’s also worth considering this in terms of the gains and losses relative to the business’ other priorities and obligations. What are the possible contingencies and their accompanying costs?
- Measure cyber risk empirically against strategic objectives where possible. For example, what are the regulatory and statutory requirements for your business units? What are the potential business outcomes and costs of accepting, avoiding, mitigating, or transferring the risk? Should your board and leadership wait until a scenario plays out further before taking action, or proactively invest resources in mitigation?
- Simplify your security architecture. For today’s environment, where people are working from anywhere, simplicity is critical. In order to allow secure access and use of business information, you need to start by putting data security at the centre. Cybersecurity needs to become part of your IT network’s wider fabric, and be as non-intrusive as possible. If there are barriers, users will seek insecure workarounds. Security and connectivity must become one.
Those boards and enterprises that are able to structure their organisations to support cybersecurity can see it becoming a competitive differentiator. The success of cybersecurity drives the success of the business, because the two are inherently intertwined. Not only does it preserve business value, but cybersecurity helps generate new opportunities to do so. No modern business can be transformed without effective cyber risk management.