Increasingly, cybersecurity is not merely an IT priority. It is, inherently, a business issue. In today’s digital world, the need to safeguard intellectual property, financial information, and online presence and reputation makes cybersecurity a crucial part of the overall business strategy. Suffice it to say, at a time when DDoS take-down threats and malware attacks are rife, improving cybersecurity is a formidable challenge.
Cybersecurity is no longer tucked away in the tech pages or its own niche magazine; it makes headline news. Server breaches in which millions of records of personal information were stolen, as in the case of the OPM breach, were among the biggest stories of the past year. An entire power grid in Ukraine was knocked offline by malware, the first known incident of a utility being taken down by malicious hacking.
The sweeping reach of cybersecurity (and of the lack of it) makes it an overwhelming yet entirely critical business concern for companies. A proactive strategy is necessary for implementing good cybersecurity practices.
Cybersecurity – Reality Over Perception
In 2013, the common response from company boards outside the financial, aerospace, and defense industries was that cybersecurity was the domain of the IT guy. The issue was delegated to technical experts. It was not seen as a governance issue.
Times are changing.
These days, cybersecurity is finally getting on the agenda of company boards, which discuss the health and fortitude of their digital infrastructure throughout the corporate year. It is important that board members, including non-executive directors, are fully trained and able to scrutinize the performance of the company in this domain. It isn’t down to the “IT guy” any longer; everybody needs to become the “IT guy”.
Companies are taking up cybersecurity as a boardroom issue. The numbers prove it. A recent survey from the Enterprise Strategy Group (ESG) offers the following tidbits:
- The agenda of “Increasing Cybersecurity” is among the top business initiatives that are driving IT spending, with 43% of respondents pointing to it. The objective even beat “reducing costs” at 38%.
- When asked to identify the most important IT “meta-trend” in their organization, 42% of those polled chose “increasing cybersecurity.” Again, the agenda for cybersecurity came out on top, with “using data analytics for real-time business intelligence” coming in second at 17%.
- Remarkably, 69% of organizations are increasing their cybersecurity spending in 2016. Such spending is being approved directly by business managers as a business priority.
- Cyber-insurance policies even grew by about 35% last year.
In the UK, statistics show that 70% of businesses that do not have an organizational endeavor to embrace cybersecurity or well-ingrained cybersecurity practices suffered a breach in 2015. This compares with just 40% of companies with a respectable level of cybersecurity awareness and preparedness.
Protecting Digital Infrastructure
An investor is arguably among the individuals most concerned with the best interests of a company, besides the management. The following pointers are prescribed directly by a long-term investor who expects the companies in which he has a stake to implement certain measures. A company’s infrastructure can be safeguarded in three ways.
- First, companies ought to identify and then monitor their information assets as a strategic issue. Proper governance and oversight over all asset types, including information, should be a collective responsibility of the board. Quite simply, the responsibility does not end squarely at the IT department. When the entire business is at risk, the board should take ownership.
- Secondly, companies should begin obtaining documented evidence confirming that cybersecurity risks are being managed. While this can be done in several ways, a rigorous, external cyber audit is mandatory. Investors expect scrutinized reports, even before they look at an internal, detailed report of the company. To underline the issue, investors seek hard evidence to show that these risks are taken seriously.
- Lastly, the culture of a company should be ingrained with cyber awareness. Employees need to be aware of the importance of managing cyber risk, thereby strengthening protocols and integrating them into daily business operations. They need to be alert to the dangers of social engineering. This is perhaps the most crucial of all, as companies routinely discover that the business problems or vulnerabilities are those brought on by their employees.
Cybersecurity can no longer be deemed a technical issue in its entirety; it is now what some would call a “people problem.” Ultimately, at the beginning and the end of every security breach, there is a person. The human factor in security cannot be overestimated.
Cybersecurity as a Business Enabler
Organizations that start thinking of security as a business enabler, a means of helping the business achieve its goals in a secure way, could bring about a paradigm shift that turns the tide in favor of recognizing the importance of cybersecurity.
In other words, the leaders who run most businesses will understand terms and numbers that make it evident there are substantial gains to be made simply by not losing.