Building a Cyber-Resilient Business
September 4, 2024
Cyber-attacks, and the wide-ranging impact they have on businesses, are now common enough that they should be considered predictable rather than unexpected events. No significant business operates without some dependence on IT systems and the internet, and these attacks exploit weaknesses in digital business strategies and in the transformed processes that underpin those strategies.
You may be directly attacked, caught in the broadside of an attack that is fired simply to see who it hits, or be caught up as collateral damage of an attack against someone else. But in all cases, you will feel the impact, because it spirals out across the spider’s web of digital interaction that is today’s business economy.
Cyber is now a constantly evolving arms race between attackers, who target organisations directly or target individuals as a route into those organisations, and defenders looking for the next control that will mitigate new forms of attack. Attacks across the internet are conducted continuously and with increasing sophistication, and AI is only going to increase the speed and scale of those attacks, which will in turn require defences to evolve.
Cybersecurity as a Strategic Business Objective
Cyber is still seen as an IT operational issue, because in many companies that is where the expertise in assessing and responding to attacks resides. That premise is wrong. Cyber-attacks are not an ‘IT issue’ to be owned and managed solely by IT and Security teams. The changes in our economy, locally, regionally and globally, mean the business is reliant on IT, on its online presence and on the vast connectivity the internet provides for all manner of connected services. Any successful attack will mean impact to operations, revenue and reputation. Partners, suppliers and customers will move on and may never be regained. How long can any business survive without an inflow of revenue, or with its brand and reputation severely tarnished?
The shift in business operations, to the point where there is now wholesale reliance on digital infrastructure and processes, means business leaders need to engage with and manage the threat of cyber-attacks as a strategic business risk, one that could see a business go under virtually overnight.
Cyber should no longer be seen as a simple sunk cost to satisfy regulators or third-party contract requirements. It is a direct investment in preventing the potential loss of the business altogether.
CISOs and security teams have long argued for and implemented defence in depth: the practice of layering defences so that if an attacker bypasses one control, they will likely meet another. This remains good practice, but in isolation, conducted only within and by IT and security teams, it is no longer enough. The first step in assessing the security of any company is to identify its critical processes: the core processes that deliver the business offering and underpin its reputation. From that business perspective, cyber can then be treated like any other threat to a business’s operations, translating the usually incomprehensible language of cyber security into the language of strategic business risk and its associated remediations.
An approach in which business management is fully engaged and invested in identifying cyber threats to business operations firstly broadens insight and understanding of the challenges faced, and secondly uncovers weaknesses in business structures and processes, providing the foundation for adopting the concept of cyber and organisational resilience.
It initiates and facilitates the required shift away from simply securing IT assets towards identifying the critical processes the business relies upon, and building the capabilities that will allow the business to anticipate threats, and to respond to, withstand and adapt to them when they occur.
To Summarise
The nature of today’s interconnected and interdependent digital economy means the consequences of cyber-attacks, direct or indirect, are a strategic business risk requiring senior management governance and direction. Cyber security should now be seen as an extended business activity, requiring broad partnerships and cohesion, not something isolated as an IT responsibility.
The fact that digital infrastructure and processes now underpin the vast majority of business operations means cyber-attacks, and their potential impact on revenue, reputation and stakeholders, need to be prepared for in a cohesive partnership that encompasses internal business, IT and Security functions, partner organisations, suppliers, vendors, auditors and insurers.
Creating an inclusive cycle of risk management, in which every part of the extended business is engaged on cyber threats and each function contributes its expertise while being made aware of the wider challenges, treats cyber as a direct challenge to business operations and elicits adequate and appropriate responses to a threat that could see the business go under. This approach also uncovers general weaknesses in structure and processes, and fixing them delivers improvements in both cyber and organisational resilience.
Senior management oversight, governance and direction are required to bring together these disparate roles, responsibilities and accountabilities, and to deliver consistent insight into the changing nature of the business and the threats to which those changes expose it.