Every type of organization has to take risk into account: it is part of doing business. Whether launching a new product or entering a new market, every strategic decision will involve risk analysis. Risk is understood, assessed and weighed up against potential outcomes before a business decision is made. Why, then, is cybersecurity’s role in business outcomes still not widely or well understood in boardrooms?
Rich Turner is SVP EMEA at CyberArk.
Every day we hear about cyber-criminals breaching businesses and government agencies, often to a staggering degree. Now, we don’t often know the full story or full extent of the problem until later down the line – sometimes this takes years – but the fact that critical data and assets are constantly compromised tells us that a key aspect of the business has not been properly assessed for risk.
This problem is not unique to the UK; it is prevalent across the world. And, in fairness, there are some attacks that could not have been prevented. What we have learnt from the US Senate's select committee regarding intelligence on last year’s SolarWinds attack is that the degree of resources and hacker innovation can be overwhelming, even for the best-prepared organization. For example, Microsoft President Brad Smith estimated during the hearing that at least 1,000 skilled engineers took part in the attack.
But this is an exception. Most cyber-attacks can be prevented from causing severe damage to an organization, and mitigation relies in part on greater executive-level understanding. The situation would be less concerning if digital was not an essential building block for so many key business initiatives. But, there is huge focus on digital transformation initiatives as businesses become more reliant on digital technologies to accelerate the pace of innovation, gain a leg up on the competition, and improve performance.
As part of this push, businesses are embracing DevOps methodologies, cloud computing services, and on-demand applications to increase business agility and improve efficiencies. Meanwhile, developments in artificial intelligence, the internet of things (IoT), and robotic process automation are helping enterprises transform raw data into meaningful insights, increase productivity, and automate tasks.
All this, of course, increases an organization’s exposure to threat actors and, therefore, the potential risk levels associated with an attack on digital infrastructure. COVID-19 is partly to blame for this. There has been such pressure to digitally transform in months, rather than years, that certain aspects which would normally be risk-assessed have fallen by the wayside. Digital risk is arguably one of them.
What we see at executive level is not an unfamiliarity with digital risk as a concept, but a lack of widespread technical or digital literacy, and therefore not a full picture of how all-encompassing a devastating cyber-attack could be for a business. Knowledge of this and a shared sense of urgency is needed both at executive level and amongst senior leadership just below the board.
Embed digital risk in the decision-making process
Any discussion on digital transformation must include digital risk as a component. Without this, there can be no full understanding of the risk associated with a decision. It's all very well to call upon security experts once you've been breached, but this is not a substitute for a pre-existing strategy that has considered the risks and acted upon them.
What we would like to see from board members in cyber-terms is what we expect in other areas of decision-making. When examining a digital initiative, the first questions any board director should ask include: if we rely more on technology, what could go wrong? And how do we safeguard that investment? Not examining these areas, and therefore not fully understanding them, is to increase risk without quantifying it.
Highlighting digital risk
The reality of the situation is that digital risk is one of many competing business priorities. For CIOs, project leaders or risk managers, it can be an uphill battle when competing with colleagues for mindshare and budget.
In many ways, there is no better time than now to build awareness about cyber-attacks and associated digital risk. Digital is central to so many organizations that the task of increasing understanding about what poses an existential threat is much more achievable. Digital, and the security processes surrounding it, are no longer sideshows or nice-to-haves; they’re fundamental.
When speaking to board members, it is important for CISOs to take messaging and language beyond technical conversations. Real examples help. As mentioned, the SolarWinds attack just five months ago drove cyber to the top of the news agenda. The breach shook businesses across the globe and has since been pinned on the avoidable actions of an intern. When presenting the risks of a project, digital risk can often translate easily to reduced revenue, reputational issues, share price hits, and operational interruptions. Case studies from unfortunate victims are, sadly, very easy to find.
If the board, for example, learns an upcoming investment in automation technologies can potentially be leveraged by malicious actors to ‘automate’ fraudulent business transactions, more questions are likely to be asked. It might be the same if it becomes clear that every IoT device added to a business’s ecosystem could potentially be used as a convenient access point by hackers, allowing them to access and compromise privileged corporate IP.
Security is a digital transformation requirement
It’s no secret businesses must embed cybersecurity into digital transformation projects from the onset to protect data privacy, mitigate threats and manage risk.
By improving board and executive communications, creating a security-first culture, and fusing security into product planning, development and operations practices, CISOs can help their companies unleash the full potential of digital transformation, with digital risk a known and managed component of it.