Think of Cyber Assurance and Risk Management as Fundamental Enablers to Your Business
You need to put things into a context where their potential impacts to revenue stand out sharply, and their correlation to other aspects of the business is clear.
By Francis Cianfrocca
My friends have gotten used to hearing me rant about how the practice of cybersecurity is undergoing rapid change. We need to arrive soon at active cyber defense and spherical awareness, with costs and management loads that are far lower than today's.
But today I was thinking about a different kind of change: how cybersecurity is perceived and justified by business leaders and boards.
Everyone who is engaged in selling cybersecurity technology or services knows how difficult it is to get the attention of senior business leaders. That goes double for the CISOs who see the needs and the potential business impacts and have to get the resources to do something about them.
Focus on Risk Management
My friends and I talk a lot about risk management. This is a better framing than "cybersecurity," which is geeky and very disconnected from actual business needs. With risk management, there is a recognition that cyber incidents produce reputational damage and slow down business processes.
But when you expand into the cyber-physical realm, with converged IoT, digital transformation and even industrial control systems, you move up to a much more immediate range of impacts. Most notably, managing cyber risk means protecting revenue and, to a lesser extent (depending on the company), safety and compliance.
This is getting more interesting. But there’s yet another step to take, which is to think of cyber assurance and risk management as fundamental enablers to business. Cybersecurity falls into a similar category as finance: it’s a horizontal business function that impacts all phases of operations, supply chains, and customer engagement.
If you have really good cyber risk management, all of your other market initiatives and capital projects can move faster and more efficiently, because you've taken a major risk category off the table.
Quantify the Risk
The first step in this is to quantify the risk. You can't manage what you can't measure. And to do this, new tools are needed. We believe the focus of cybersecurity technology evolution is not just to keep bad things from happening. It's to put bad (or even just suspicious) things into a context where their potential impacts to revenue stand out sharply, and their correlation to other aspects of the business is clear.
Here is an example I often reach for: suppose your automated security systems detect and block network reconnaissance at several manufacturing plants, or at managed smart buildings in more than one city. That's fine and dandy, but no one needs to see a report on that. What they do need is a deeper level of understanding about why those events were linked.
Wouldn’t it be great to trace them back to that new vendor or supply chain partner you just picked up in one of your geographies? That kind of spherical awareness leads to actions that have highly leveraged effects. And the accumulation of these behaviors leads to extremely useful trend analysis that can drive strategic decisions.
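To make the "trace it back to the new vendor" step concrete, here is a small Python correlation routine added to this article as an illustration. It is not code from the article or from InsightCyber. It takes a batch of blocked-recon alerts from several sites, attributes each one to the third party whose recently granted remote access explains it (matching site, source address range, and onboarding date), and then sizes the revenue exposure of the affected sites so the result reads as business impact rather than as a scan count. Every alert, vendor record, address range, site name and revenue figure below is constructed for the example.

```python
"""Correlate blocked-recon alerts across sites with supply-chain context.

Added example, not part of the original article. All records below are
constructed sample data; the vendor and site names are hypothetical.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed alerts from site-level security systems:
# (site, UTC timestamp, source IP, what happened)
ALERTS = [
    ("plant-ohio",   "2024-03-04T02:11:00", "203.0.113.17",  "recon blocked"),
    ("plant-texas",  "2024-03-04T02:14:30", "203.0.113.21",  "recon blocked"),
    ("bldg-chicago", "2024-03-04T02:20:05", "203.0.113.9",   "recon blocked"),
    ("bldg-denver",  "2024-03-04T03:02:44", "198.51.100.77", "recon blocked"),
    ("plant-ohio",   "2024-03-05T10:40:00", "203.0.113.30",  "recon blocked"),
]

# Hypothetical vendor-onboarding records: which third parties were granted
# remote access to which sites, from which address space, and since when.
VENDORS = [
    {"name": "NewHVAC Co", "since": "2024-02-28", "cidr": "203.0.113.0/24",
     "sites": {"plant-ohio", "plant-texas", "bldg-chicago"}},
    {"name": "LegacyIntegrator", "since": "2019-06-01", "cidr": "192.0.2.0/24",
     "sites": {"bldg-denver"}},
]

# Hypothetical business context: revenue each site generates per hour of uptime.
REVENUE_PER_HOUR = {
    "plant-ohio": 40_000,
    "plant-texas": 55_000,
    "bldg-chicago": 8_000,
    "bldg-denver": 6_000,
}


def attribute(alert, vendors):
    """Return the name of the vendor whose access grant explains this alert.

    A vendor matches when it was granted access to the alert's site, the alert's
    source address falls inside the vendor's address range, and the grant
    predates the alert. Returns None when no vendor explains the event.
    """
    site, ts, src, _event = alert
    when = datetime.fromisoformat(ts)
    src_ip = ip_address(src)
    for v in vendors:
        granted = datetime.fromisoformat(v["since"])
        if site in v["sites"] and src_ip in ip_network(v["cidr"]) and granted <= when:
            return v["name"]
    return None


def correlate(alerts, vendors, revenue):
    """Group alerts by the vendor they trace to and size the revenue exposure.

    Alerts that no vendor explains are grouped under "unattributed" so they are
    not silently dropped from the report.
    """
    groups = defaultdict(lambda: {"alerts": 0, "sites": set()})
    for alert in alerts:
        key = attribute(alert, vendors) or "unattributed"
        groups[key]["alerts"] += 1
        groups[key]["sites"].add(alert[0])

    report = {}
    for key, agg in groups.items():
        report[key] = {
            "alerts": agg["alerts"],
            "sites": sorted(agg["sites"]),
            # Revenue that would stop for each hour these sites were offline.
            "revenue_at_risk_per_hour": sum(revenue[s] for s in agg["sites"]),
        }
    return report


if __name__ == "__main__":
    for vendor, summary in correlate(ALERTS, VENDORS, REVENUE_PER_HOUR).items():
        print(f"{vendor}: {summary['alerts']} alerts across {summary['sites']}, "
              f"${summary['revenue_at_risk_per_hour']:,}/hour at risk")
```

With the constructed data, four of the five alerts trace to the vendor onboarded a week earlier, across three sites worth $103,000 per hour; the fifth stays unattributed and is reported as such. The matching logic is deliberately simple (site, address range, and date), which is enough to show why the events are linked; a real deployment would pull the vendor and revenue records from an asset or ERP system rather than embed them.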
Don't call it "cybersecurity"; that's two or three levels down the stack. Call it active risk management. And when you have that, you can be a lot more confident that new capital projects, market initiatives, and partnerships will succeed more quickly and cost-effectively.
And that’s something a CISO can talk about in her next board meeting.
Francis Cianfrocca is CEO of InsightCyber.