Cybersecurity and risk management as an inherent part of business

Cybersecurity has been defined as the strategy and practice of protecting computer systems, networks, applications, and data from digital attacks.

Cybersecurity was – and often still is – primarily considered a technological matter, as this definition seems to indicate. But those who know the role of systems, networks, applications, and data/information in today’s digital economy immediately see the importance of protecting these enablers and assets from a business perspective.

Shared responsibility for cybersecurity and its impacts will come about when CIOs and CISOs equip the business to actively participate in decision-making

Cybersecurity has grown into a condition sine qua non for business in an increasingly connected and data-driven digital business landscape.

The ubiquitous connectivity we see in business is present in just about all areas. However, its importance often becomes apparent when this interconnectedness disappears or, conversely, when it becomes even more crucial due to unexpected events.

Just think, for example, of the consequences of an impactful cyber attack or the temporary unavailability of an essential service that renders frequently used services inaccessible. The corona crisis, which forced us to work more remotely, use digital services more intensively, and speed up digital transformation, is another example of a situation in which the importance of ‘cyberspace’ became obvious.

88% of Boards of Directors now report that cybersecurity is viewed as a business risk (Paul Proctor at the Gartner Security & Risk Management Summit 2021 Americas)

Cybersecurity and the connectedness of digital business

In the technological sense, connectivity is only one of the ‘enablers’ of the true interconnectedness that makes cybersecurity a business matter: the connectedness of business at various levels in our world of ecosystems and the extended enterprise.

Of course, not all business is digital. Yet, even without taking the speed at which digital adoption and transformation have evolved in recent years into account, it’s clear that, at the very least, virtually all business is digitally enabled business.

It’s equally evident that securing the critical digital assets, connections, and systems enabling digital business in this data age is a matter of protecting the business, and thus so is cybersecurity.

The acceleration of digital adoption – crises and their impact on cybersecurity

Organizations let more and more of their business go digital, for various reasons, not least because people, i.e., customers, themselves want and adopt more digital services.

Here too, the corona crisis has played an accelerating role. The ITU (International Telecommunication Union) even speaks of a “COVID connectivity boost” with an estimated 782 million additional people going online since 2019, a 17 percent increase due to COVID measures and increased adoption of digital platforms and tools, among other factors.

As mentioned earlier in an article about digital transformation in a so-called new normal, the number of people who used digital tools for the first time for tasks such as banking or online shopping (e-commerce) has risen sharply.

Then there is the shift, temporary or otherwise, to remote working and hybrid working models, which added yet another layer of technology and decentralization.

These are not new evolutions, but they have all grown faster in recent years, along with the importance of all these digital services – and their security and availability. If business is digital and (digital) data is indeed a business asset as we have long known, everything associated with it, including those systems and networks, is ultimately a matter of business and business risk.

The purpose of a security program is not to ensure we don’t get hacked; that’s an impossible goal. The purpose of a security program is to balance the needs to protect with the needs to run the business. (Paul Proctor at the Gartner Security & Risk Management Summit 2021 Americas)

The shadow side of digitization and transformation – risk extension

A further factor lies in the characteristics and consequences of increasing automation, digitalization, and digital transformation. The stated goals concern the customer experience, evolving stakeholder expectations, and relatively advanced innovation ambitions, enabled by myriad technologies. In practice, more immediate purposes such as cost reduction and the desire to focus on activities that create more value remain the most important drivers.

The efforts to reach these goals and transform bring their own set of practices, typically with far more decentralization and reliance on ecosystems, which extends risk in every sense. The technological evolutions themselves, the decentralization that digital transformation brings, and the fact that just about every department takes digital initiatives without involving IT all increase the pressure on security and risk management. They also make it hard to keep a central, ideally holistic, overview of everything in the business that needs protecting.

It’s no wonder, then, that there is an increasing focus on components of cybersecurity that help businesses gain better insight into what they actually have, and therefore need to protect. The growing emphasis on external attack surface management (EASM) is an excellent example.

Digital business is also highly interconnected at the business level: as said, we increasingly work through ecosystems and partnerships, and that creates risk because each partner brings an environment of its own. Hence the growing attention for third-party risk management (TPRM) and vendor risk management, at a time when supply chain cyber attacks are on the rise, as cybersecurity reports consistently indicate.

Business and cybersecurity: an inseparable whole

We could go on and on, but the essence is clear. The risks increase in today’s more connected world with its platforms, ecosystems, API economy, and focus on data sharing. Cybersecurity and risk management are therefore becoming increasingly important for the business.

We are doing more business in digital ways, have employees work remotely, migrate workloads and assets to the cloud, decentralize and thus increase our digital footprint; the list is endless.

We often no longer know which digital assets we expose on the Internet, while attackers are constantly looking for exactly such loopholes.
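The EASM point made earlier and the "we don't know what we have on the Internet" point made here come down to the same exercise: reconcile the asset register against what is externally observable. The following is an added example, not code from the article or from any vendor, that does such a reconciliation offline. It takes a constructed inventory, a handful of constructed certificate-transparency records in the field shape crt.sh returns (name_value with newline-separated SANs, not_after), and constructed DNS CNAME data, and reports hosts that are visible but unregistered, names whose last public certificate has expired, wildcard scopes, and CNAMEs pointing at targets that no longer resolve (a takeover risk). The domain names, dates and the assumption that everything under example.com is in scope are all invented for the illustration.

```python
"""Reconcile an internal asset inventory against externally observable signals.

Added example for illustration; not code from the original article. All data
below is constructed. In practice CT_ENTRIES would come from a CT aggregator
(e.g. crt.sh JSON output) and DNS_CNAMES / RESOLVABLE_TARGETS from a resolver.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# --- constructed inputs -----------------------------------------------------
INVENTORY = {"www.example.com", "api.example.com", "vpn.example.com"}  # what the CMDB claims we own

CT_ENTRIES = [  # subset of crt.sh fields; name_value may carry several SANs
    {"name_value": "www.example.com\nexample.com", "not_after": "2027-01-01T00:00:00"},
    {"name_value": "api.example.com", "not_after": "2027-06-01T00:00:00"},
    {"name_value": "*.dev.example.com", "not_after": "2026-03-01T00:00:00"},
    {"name_value": "legacy-portal.example.com", "not_after": "2023-05-01T00:00:00"},
    {"name_value": "vpn.example.com", "not_after": "2027-06-01T00:00:00"},
]

DNS_CNAMES = {  # public CNAME records observed for our zone
    "marketing.example.com": "old-campaign.azurewebsites.net",
    "api.example.com": "api-prod.cloud-provider.example",
}
RESOLVABLE_TARGETS = {"api-prod.cloud-provider.example"}  # CNAME targets that still resolve

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible


@dataclass
class Findings:
    unknown_hosts: set[str] = field(default_factory=set)        # observed, not in inventory
    expired_certs: set[str] = field(default_factory=set)        # newest public cert already expired
    wildcards: set[str] = field(default_factory=set)            # wildcard scopes seen in CT
    dangling_cnames: dict[str, str] = field(default_factory=dict)  # host -> unresolvable target


def in_scope(name: str, apex: str) -> bool:
    """True for the apex itself and anything below it."""
    return name == apex or name.endswith("." + apex)


def names_from_ct(entries: list[dict]) -> dict[str, datetime]:
    """Map each certificate name to the latest not_after seen for it."""
    latest: dict[str, datetime] = {}
    for entry in entries:
        expiry = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name and (name not in latest or expiry > latest[name]):
                latest[name] = expiry
    return latest


def reconcile(inventory: set[str], ct_entries: list[dict], dns_cnames: dict[str, str],
              resolvable: set[str], now: datetime, apex: str = "example.com") -> Findings:
    f = Findings()
    for name, expiry in names_from_ct(ct_entries).items():
        if not in_scope(name, apex):
            continue  # someone else's zone; out of scope for this register
        if name.startswith("*."):
            f.wildcards.add(name)  # a wildcard is a scope, not a host: review separately
            continue
        if expiry < now:
            f.expired_certs.add(name)  # possibly decommissioned, possibly forgotten
        if name not in inventory:
            f.unknown_hosts.add(name)
    for host, target in dns_cnames.items():
        if not in_scope(host, apex):
            continue
        if host not in inventory:
            f.unknown_hosts.add(host)
        if target not in resolvable:
            f.dangling_cnames[host] = target  # classic subdomain-takeover precondition
    return f


if __name__ == "__main__":
    result = reconcile(INVENTORY, CT_ENTRIES, DNS_CNAMES, RESOLVABLE_TARGETS, NOW)
    for label, items in (("unknown hosts", result.unknown_hosts),
                         ("expired certs", result.expired_certs),
                         ("wildcard scopes", result.wildcards)):
        print(f"{label}: {sorted(items)}")
    print(f"dangling CNAMEs: {result.dangling_cnames}")
```

On this constructed input the script surfaces three hosts the register never mentioned (the apex, a legacy portal whose certificate lapsed in 2023, and a marketing site), one wildcard scope to review, and a marketing CNAME still pointing at a cloud hostname that no longer resolves. Each of those is a finding a business owner, not just IT, has to decide on: keep and register, or decommission.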

Treat Cybersecurity as a Business Decision – from the presentation of Paul Proctor Gartner at the Gartner Security & Risk Management Summit 2021 Americas – source, courtesy and more information

In such circumstances and knowing the importance of trust – and the pernicious influence of cyber attacks or even poor security scores – cybersecurity must be at the heart of the business. Digital business is secure business, while cybersecurity becomes increasingly complex.

In summary, while the evolutions mentioned here are certainly not the only ones affecting cybersecurity and the way we see it as a business and even board priority (a development that has itself been going on for a long time), they gained further momentum in 2021 and in the years immediately before it.

Successful digital business transformation is impossible if cybersecurity is not put at the center of the business part of “digital business transformation.” The same goes for your digital transformation strategy: all too often, security is still overlooked, with the consequences we know.

Thinking back to those accelerations we saw through the corona crisis, by the way, a new challenge is already presenting itself.

The speed with which organizations made several digital business changes during the pandemic, hastened by the devastating effects of the crisis, will prove to be a challenge for years to come. Unfortunately, the pressure to digitize and digitalize quickly is rarely conducive to cybersecurity. We are already seeing this happen in several areas. Just think of the impact of more remote work and shadow IT.

Without trust, the digital economy and our digitally equipped world cannot flourish. And with the continued expansion of the attack surface in an economy of ecosystems and connections, cybersecurity comes into play in ever more business areas.

Cybersecurity in a cyber-physical industrial reality

Another essential element is the increasing blurring of boundaries between the cyber world – or cyberspace – and the physical world.

The term cybersecurity has its roots in the traditional concept of cyberspace, by which we traditionally meant a “separate” world: a highly connected digital network reality. That concept, too, has since become obsolete. The lines between what we call the cyber world and “physical reality” have blurred, and the cyber-physical systems (the name says it all) of Industry 4.0 and IoT are yet another step in that evolution.

Cyber and physical (two artificial distinctions in the end) have been ‘converging and integrating’ since we started building bridges in various domains, with the retail sector being one of the first areas. Remember the rise of all kinds of in-store technologies and evolution to omnichannel and multichannel approaches.

Today this goes much further. We don’t even need to talk about hip concepts like the metaverse or the rapidly increasing applications of augmented reality in various sectors. After all, the areas where IT and OT converge, with cyber-physical systems and IoT as enablers, are de facto countless.

It goes without saying that IT security and OT security increasingly require a holistic approach, as noted in previous articles (IT stands for information technology, OT for operational technology).

The existential question for many companies will be whether they can manage the security challenges in the digital economy (TÜV Rheinland)

The role of cybersecurity in business and the board explored

As mentioned, the call to view cybersecurity as a business and board issue is anything but new. Cybersecurity experts have known this for a long time.

Just one example: in an interview conducted many years ago, Ben Azvine, Global Head of Security Research at BT, pointed out that security is also a business and board-level issue. In fact, back then, cybersecurity was a top-three priority for companies.

In a previous article on cybersecurity evolutions, we mentioned ample other research and surveys confirming the increasing attention of the board for cybersecurity and the view of security as an enterprise risk.

In 2016, for instance, ISACA found that 82 percent of respondents “report that their enterprise board of directors is concerned or very concerned about cybersecurity.” Yet, this didn’t translate into actions.

We reported on similar findings from PwC, IDC, Cisco, Dimensional Research, and far more, in the same article.

Security is not just a technology issue; it is also a business and board-level issue (Ben Azvine, Global Head of Security Research at BT)

Cyber risks and the corporate agenda

The realization that digital evolutions also come with increased risks is certainly not new either. Those who follow risk barometers have long seen cybersecurity rise to the top of priorities.

For example, in the Allianz Risk Barometer 2016, cyber incidents appeared in the top 3 business risks for the first time.

It should come as no surprise, then, that analysts have been asking for years that cybersecurity be viewed as a business issue. Ultimately, they base their views and recommendations on what professionals, be they CISOs or risk managers, see, say, and expect.

In OT security, too, people have long realized that cybersecurity is becoming a top priority for industrial companies. In 2019, for example, Kaspersky found that this was the case for 87 percent of surveyed decision-makers. Also in 2019, TÜV Rheinland stated unequivocally that the existential question for many companies would be whether they can meet the security challenges in the digital economy. And all that was before the corona crisis.

Gartner on cybersecurity and the board

As mentioned, there is a difference between the realization that cybersecurity is a board-level matter and what happens in practice.

Gartner, one of the analysts who has long advocated a business approach and board involvement in cybersecurity, summarized some findings and recommendations in late 2021, when it published the results of its 2022 Board of Directors Survey. So let’s take a look.

According to Gartner, eighty-eight percent of Boards of Directors view cybersecurity as a business risk instead of a technology risk.

Yet, as said, a view doesn’t necessarily translate into actions or organizational measures. While 88 percent of the respondents surveyed for The 2022 Gartner Board of Directors Survey stated they see cybersecurity as a business risk, there is little dedicated board-level attention for that business risk.

Gartner found that only twelve percent of Boards of Directors have a dedicated board-level cybersecurity committee.

Moreover, if cybersecurity were in fact treated as a business risk, one would expect organizations to hold a non-IT senior manager accountable for it. Yet this is the case in only ten percent of organizations. In eighty-five percent of organizations, the highest-level person accountable for cybersecurity is the CIO (or equivalent), followed by the CISO (or equivalent), despite the awareness that cybersecurity is a business and board issue and that the organization needs to be protected against threats.

Highest-Level Person in the Organization Accountable for Cybersecurity – Gartner November 2021

The role of the CIO and CISO: rebalancing accountability for cybersecurity

That, of course, brings us to the position of CIOs and CISOs. The emphasis on the business role of the CIO isn’t new at all, and we know it has evolved over the years.

However, as Paul Proctor, distinguished research vice president at Gartner, comments: “IT and security leaders are often considered the ultimate authorities for protecting the enterprise from threats. Yet, business leaders make decisions every day, without consulting the CIO or CISO, that impact the organization’s security.”

What would be a better way? First, Gartner recommends CIOs and CISOs rebalance accountability for cybersecurity so that it is shared with business and enterprise leaders.

IT and security leaders are recommended to work with executives and boards of directors to establish governance that shares responsibility for business decisions that affect enterprise security.

For Proctor, the influx of ransomware and supply chain attacks seen throughout 2021, many of which targeted operation- and mission-critical environments, should be a wake-up call that security is a business issue and not just another problem for IT to solve.

Second, CIOs and CISOs are advised to work closely with executives to ‘reframe cybersecurity investment in a business context.’

This matters all the more because boards want to see what security investments have actually achieved, and because growth in security budgets is expected to slow through 2023, per Gartner (even though 66% of CIOs intended to increase cybersecurity investment in 2022).

At the Gartner Security & Risk Management Summit 2021 Americas, held in November 2021, Paul Proctor took a deeper dive into how to treat cybersecurity as a business risk and especially a business decision.

“The purpose of a security program is not to ensure we don’t get hacked,” Proctor said. Instead, “the purpose of a security program is to balance the needs to protect with the needs to run the business.”

Purpose is essential here. All too often, the focus is not enough on the result – the actual protection offered – but “on the existence of a tool or a capability.”

It is recommended for CIOs and CISOs to present different solutions to the business to protect the enterprise, with the costs and risks per option.

Emerging laws aim to hold Board members personally accountable for cybersecurity failures, and the effect is that it’s become unacceptable to point out risks in a Board presentation. This lack of transparency is the antithesis of treating cybersecurity as a business decision (Paul Proctor at the Gartner Security & Risk Management Summit 2021 Americas)

More on Proctor’s presentation at the Gartner Security & Risk Management Summit 2021 Americas here.

Gartner clients can learn more in “CIOs Need to Rebalance Accountability for Cybersecurity With Business Leaders.”

Also read “Whose Job Is It to Manage Cybersecurity? Hint: Stop Pointing at the CIO” (Kasey Panetta)

Top image purchased under license Shutterstock (by jijomathaidesigners). All other illustrations by their respective mentioned owners, serving illustration purposes only.