Managing Cybersecurity as a Business Strategy

Velvet Johnson, Esq.
4 min read · Nov 28, 2017


Scrolling through the newspaper headlines on any given day will likely yield an article about another company that has fallen victim to a large-scale cyber-attack. And while the intricacies of each attack and its root causes vary, a common thread among many of these incidents is that the affected companies were inadequately prepared to identify and manage cybersecurity risk. Two of the most common challenges visible today in corporate information security risk management are the lack of adequate planning and the absence of a formalized cybersecurity risk management strategy.

Several factors may explain why many companies are struggling to implement information security throughout their organizations. First, information security has historically been viewed as a technical problem under the purview of the CIO. For years, companies operated under the false premise that they were adequately equipped to ward off attacks as long as their information technology systems were properly designed, architected, and supported by routine maintenance and system updates. Recent data breaches, however, have shown that this approach is insufficient on its own: sound architecture and patching are necessary, but attackers constantly evolve their techniques, probe for new vulnerabilities and attack vectors, and increasingly target people and processes (phishing, stolen credentials, misconfigured third-party access) rather than only the systems themselves. A second factor is underinvestment in corporate cybersecurity. Corporate investment in cybersecurity personnel and technologies has not kept pace with the growth in cyber threats, partly due to an overriding emphasis on funding revenue-generating projects in order to enhance profitability.

Although the cybersecurity environment makes it impossible to completely eradicate risk, many organizations are now working to strategically integrate cybersecurity into their corporate strategy and management functions. Here are the four factors that are emerging as critical for successfully managing cybersecurity risk:

1. People: Employees are the first line of defense against malicious attacks, but only when they are properly and adequately trained. Security training should be tailored to the risk level of each role, taking into account the information and systems to which that role has access; a finance clerk who approves wire transfers and a developer with production credentials face different threats and need different guidance. Employees should learn how to recognize potential threats to the organization (suspicious e-mails, unexpected credential prompts, unusual requests for data or payments) and how to report and respond to a suspected cybersecurity incident. Security training programs should also reinforce the firm's information security policies and be delivered continually so that employees remain up to date on security trends and emerging threats.

2. Processes: Firms should establish and implement a cybersecurity governance framework comprising information security processes, policies, guidelines, and standards that can be used to support business decision-making and to minimize exposure to cybersecurity risk. It is imperative that executive management participate in the development of this framework to ensure that it properly aligns with the firm's business strategy and objectives. An effective practice for firms is to incorporate relevant cybersecurity standards and industry best practices, including the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework), NIST Special Publication 800-53, Revision 4 (Security and Privacy Controls for Federal Information Systems and Organizations), and the ISO/IEC 27001 (requirements for an information security management system) and ISO/IEC 27002 (code of practice for information security controls) standards.

3. Technology: Advancements in technology are driving fundamental changes in the way that companies now operate. Over the past two decades, businesses have increasingly integrated information technology into corporate governance and operations, which has resulted in reduced costs, increased efficiency, improvements in product and service quality, and expanded market presence. However, any gains that organizations derive through technology-driven advancements must be balanced against the demand for enhanced security measures: each new system, integration, or vendor connection is also new attack surface. New systems and processes should be designed with security and privacy in mind from the outset, rather than retrofitted, and supported by proper implementation, patching, and continuous monitoring so that security vulnerabilities and intrusions are identified promptly.

4. Culture: The culture of a company plays a critical role in how it manages cybersecurity. An effective cybersecurity strategy requires strong organizational discipline and full support and commitment from top management. Boards need to consider how to make cybersecurity a foundational component of their business strategy, including how cyber risk is reported to them and who is accountable for it. They should also strive to create an environment and a visible culture in which security is viewed as an essential element of business success rather than as an obstacle to it.

Strong cybersecurity is becoming increasingly important in today's corporate environment. Security breaches are on the rise and can have significant reputational, financial, and regulatory impacts on an organization. The increasing sophistication and maliciousness of cybersecurity threats will undoubtedly continue to create unique challenges for companies in the future. No organization can eliminate cyber risk entirely, but with adequate preparation and a proactive cybersecurity risk management strategy it is possible to substantially reduce your organization's exposure and to limit the damage when an incident does occur.

Velvet Johnson is an attorney and risk consultant who specializes in helping clients to develop cutting-edge strategies to manage cybersecurity and data privacy risk. She formerly served as an Obama Administration appointee at the U.S. Department of Defense, where she developed policies, strategies, and plans to guide the Department's information security efforts.
