Cybersecurity has been on board agendas for at least a decade, but the recent coronavirus outbreak puts a spotlight on the disconnect between executive understanding of cybersecurity and their organisation’s actual capabilities.
The stories that we have seen during the Covid-19 outbreak are the latest example highlighting the failed approach to cybersecurity that many organisations take. While executives were focused on ensuring compliance and stopping hackers, simple opportunities like enabling secure remote access technologies, which have a much larger business impact, were ignored. Now, organisations are scrambling to catch up.
These missed opportunities detected during the coronavirus outbreak are just the most recent example of how the disconnect between security and business outcomes is often underestimated. Organisations should focus on the creation of adequate, reasonable, consistent and effective controls in a business context.
The Covid-19 disconnect should create a wakeup call for CIOs, CISOs and IT executives about the critical need to address cybersecurity in a business context and as a business decision. But IT leaders can build an executive narrative to change how cybersecurity is treated in their organisation.
Many organisations take an ineffective approach to cybersecurity. These failed approaches lead to poor decisions and bad investments. Here are the four key challenges that limit cybersecurity’s business impact.
#1 The perception that cybersecurity is a technical problem
This results in a lack of engagement with executives, unproductive exchanges and unrealistic expectations. Ultimately, it leads to poor decisions and bad cybersecurity investments.
#2 Organisations ask the wrong questions about cybersecurity
Questions like "How much should I spend on cybersecurity?" or "How can I comply with regulations?" do not reflect the organisation's level of protection. These misplaced questions drive attention away from better priorities and better investments.
#3 Current investments are not productive
Organisations are focused on new approaches that hold great promise, but through a combination of failed execution and poorly set expectations, these investments only delay the activities that would actually improve cybersecurity.
Many companies use quantification to present risk and security in terms of money (is that a $5 million risk or a $50 million risk?) and likelihood of damage (what is the percentage chance of getting hacked?).
However, these calculations are often based on assumptions and expert opinion that essentially dictate the result, rather than real quantitative business assessment. Using the veneer of quantification to get what you want does not support improved cybersecurity.
#4 Real failures are not getting enough attention
For instance, the manufacturer of a medical monitoring device ignored cybersecurity in the development of its Internet-connected product to cut costs and speed up production time. The foundational software was riddled with vulnerabilities, and once discovered, cybercriminals exploited the devices to deploy ransomware. This rendered the devices unusable to medical professionals and created a critical shortage during a time of peak need.
The disconnect between executive decision making and effective cybersecurity should encourage both business and security leaders to focus their attention on new ways to approach the problem.
To create a business context around cybersecurity, first identify the business context of your organisation. Every organisation has budgets and costs, desired outcomes and supporting business processes, sources of revenue and customers. Each of these components comes with key technology dependencies. Understand the organisation’s most important processes and business outcomes, and identify how technology maps back to them.
Then, using business context as a guide, shift toward an outcome-driven approach to cybersecurity. An outcome-driven approach is a governance process in which priorities and investments are determined by their direct impact on protection levels in a business context. This approach helps the organisation see how well it is protected, rather than just how it is protected.
For example, an organisation can manage ransomware risk by measuring the operational outcomes of the primary controls it uses to address ransomware: backup and restore, business continuity and phishing training.
If these tools are delivering outcomes that meet stakeholder expectations for readiness to address ransomware, it creates a business context for continued investment. Executives can then participate in decisions related to how much ransomware protection the organisation wants and how much it is willing to pay.
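The following script is an added illustration of the outcome-driven measurement described above; it is not code from the original article. It takes constructed sample records for the three primary ransomware controls (restore tests, business continuity exercises and phishing simulations), turns each into an operational outcome, and compares it with an assumed stakeholder target so that the result answers "how well are we protected?" rather than "what tools do we run?". All record values and all targets are made up for the example.

```python
"""Outcome-driven measurement of primary ransomware controls.

Added example, not from the original article. Sample records and target
values are constructed; a real programme would load them from backup
logs, exercise reports and phishing-simulation exports.
"""
from dataclasses import dataclass
from statistics import median


@dataclass
class Outcome:
    control: str           # primary control being measured
    metric: str            # the operational outcome observed
    value: float           # what the control actually delivered
    target: float          # assumed stakeholder expectation of "ready"
    higher_is_better: bool

    def meets_target(self) -> bool:
        if self.higher_is_better:
            return self.value >= self.target
        return self.value <= self.target


# Constructed restore-test records: (backup set, restore succeeded, minutes to restore)
RESTORE_TESTS = [
    ("file-share", True, 90),
    ("erp-db", True, 210),
    ("email", False, 0),
    ("crm", True, 150),
    ("hr-system", True, 60),
]

# Constructed continuity exercises: (exercise, critical process, recovered within RTO)
BC_EXERCISES = [
    ("tabletop-1", "order-processing", True),
    ("failover-1", "order-processing", True),
    ("failover-2", "payments", True),
    ("failover-3", "payroll", True),
]

# Constructed phishing simulations: (campaign, emails sent, clicked, reported)
PHISHING_CAMPAIGNS = [
    ("2020-q1", 400, 16, 180),
    ("2020-q2", 400, 20, 240),
]


def measure_backup_restore(tests):
    """Backup and restore: do restores work, and how quickly?"""
    succeeded = [t for t in tests if t[1]]
    success_rate = len(succeeded) / len(tests)
    # Restore time is only meaningful for restores that completed.
    median_minutes = median(t[2] for t in succeeded) if succeeded else float("inf")
    return [
        Outcome("Backup and restore", "restore success rate", success_rate, 0.95, True),
        Outcome("Backup and restore", "median restore minutes", median_minutes, 240, False),
    ]


def measure_business_continuity(exercises):
    """Business continuity: how often do critical processes recover within RTO?"""
    within_rto = sum(1 for e in exercises if e[2]) / len(exercises)
    return [Outcome("Business continuity", "share of exercises within RTO", within_rto, 0.9, True)]


def measure_phishing_training(campaigns):
    """Phishing training: do staff click less and report more?"""
    sent = sum(c[1] for c in campaigns)
    clicked = sum(c[2] for c in campaigns)
    reported = sum(c[3] for c in campaigns)
    return [
        Outcome("Phishing training", "click rate", clicked / sent, 0.05, False),
        Outcome("Phishing training", "report rate", reported / sent, 0.5, True),
    ]


def protection_level(outcomes):
    """Per control: True only if every measured outcome meets its target."""
    level = {}
    for o in outcomes:
        level[o.control] = level.get(o.control, True) and o.meets_target()
    return level


def report(outcomes):
    """Plain-language lines an executive can read without knowing the tooling."""
    lines = []
    for o in outcomes:
        status = "meets" if o.meets_target() else "BELOW"
        lines.append(f"{o.control}: {o.metric} = {o.value:.3g} ({status} target {o.target})")
    return lines


if __name__ == "__main__":
    all_outcomes = (
        measure_backup_restore(RESTORE_TESTS)
        + measure_business_continuity(BC_EXERCISES)
        + measure_phishing_training(PHISHING_CAMPAIGNS)
    )
    print("\n".join(report(all_outcomes)))
    print(protection_level(all_outcomes))
```

With the constructed data the report shows business continuity and phishing training meeting their targets while backup and restore falls short on success rate, which is the kind of statement (one control is below the agreed readiness level, and by how much) that lets executives decide how much ransomware protection they want and what they are willing to pay for it.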
An outcome-driven approach creates an entirely new lens for non-IT executives and other stakeholders to consume information about cybersecurity issues in a business context. Priorities and investments can be adjusted to balance the needs to protect against the needs to run the business.
CISOs must engage decision makers to change how cybersecurity is treated in the organisation and drive investments that impact business outcomes.