
8 Reasons Why Cybersecurity Strategy and Business Operations are Inseparable

Niel Harper

In modern society, there is one fact that is unquestionable: The hyper-connectivity of the digital economy is inescapable. A financial institution without an online presence or omni-channel strategy will cease to be competitive. Universities (for-profit or non-profit) must develop and continuously evolve their online learning capabilities if they are to stay relevant. Online retailers are quickly outpacing and rendering their 'brick-and-mortar' counterparts irrelevant. Travel agents have been largely relegated to dinosaur status in this era of online travel search aggregators and booking portals. A payments ecosystem mostly dominated by major card networks and processors now includes closed loop systems such as Apple Pay, Google Wallet and others. When we add the Internet of Things (IoT), robotics and artificial intelligence (AI) to the mix, the networked society has become a monolith that we simply cannot ignore.

What is most concerning about the ubiquity of technology is the multitude of cyber threats which organizations and individuals have to contend with. While the risks to individuals are relatively high as it relates to invasion of privacy, identity theft and financial loss, cyber-attacks can have a particularly critical impact on businesses. Depending on market and jurisdictional realities, the consequences can include heavy regulatory penalties, plummeting stock prices, lawsuits or mass layoffs — The effect on a company's bottom line can be catastrophic.

But how are corporations responding to this ever-evolving threat landscape? The resulting strategies fall mostly into the following categories. There are the large organizations which employ the '3 lines of defense' approach, where an IT department owns and manages cyber risks, the operational risk and/or compliance departments specialize in risk management (including cyber), and the internal audit function provides independent assurance that cyber risks are being effectively managed. This approach is resource intensive and demands highly specialized (and costly) personnel. There are the generally under-staffed companies that limp along from day to day, reacting to cyber-attack after cyber-attack, many of them not even aware that their systems and networks have been compromised. And finally, there are the SMEs that basically stick their heads in the sand and pretend that their operation is too small or insignificant to be the target of cyber criminals.

More often than not, business leaders across the board fail to recognize that cybersecurity is no longer the domain of the IT organization. Cybersecurity strategy is now business strategy, and the response to cyber threats is the responsibility of every individual that works for or runs a company. And here are 8 key reasons why this is undeniably the case:

1) Corporate governance – A 2016 survey by Goldsmiths that included responses from 1,530 non-executive directors and C-level executives in the United States, United Kingdom, Germany, Japan and Nordic countries showed that 90% of respondents admitted to not being able to read a cybersecurity report and were not prepared to respond to a major attack. Even more worrisome was the fact that over 40% of executives did not feel that cybersecurity or protection of customer data was their responsibility. Let that sink in for a moment. This is why ensuring that cybersecurity is a running topic at executive and board level meetings is imperative for organizations. Moreover, greater ownership of cyber risks should be ascribed to personnel at all levels. Cybersecurity culture is a collective effort that starts at the top and works its way down through the organization.

2) Regulatory and legal compliance – Certain industries like banking, healthcare and energy are subjected to heavy regulatory burdens. And many of these regulations include requirements pertaining to privacy, data protection, and network security. In the US there are HIPAA, Gramm-Leach-Bliley, and FISMA. The EU has the NIS Directive and the GDPR. To address cross-border data flows between the EU and the US, there is Privacy Shield. To comply with this multitude of regulations, deep cyber and risk management capabilities must be embedded across organizations. Failure to do so can affect a company's ability to stay in business. Period.

3) Competitive advantage – Developing robust and effective internal controls to safeguard against cyber-attacks can equate to market leadership, brand strengthening, and product / service differentiation. For example, as more businesses look to AI, IoT and robotics to streamline processes and improve business performance, ensuring that these technologies are secure can increase revenues and drive bottom-line performance. In this respect, shareholders must not only expect cyber excellence, they should demand it.

4) Financial management – There is clearly a direct correlation between cyber-related risk events (e.g. reputation damage, business disruption, fines, etc.) and financial loss. The severity and impact of such risks can be mitigated by integrating business strategy with cybersecurity strategy. The importance here is even more pronounced given the global economic downturn and depressed profits being experienced by several businesses.

5) Public safety – An increasing number of companies are delivering products/services in the areas of smart grids, smart cities, automated public transit, power installations, autonomous vehicles, etc. Possessing core expertise in the alignment of cybersecurity and business operations will set these organizations apart in their respective market environments in terms of public safety. There are also distinct national security implications when we think of these technologies in the context of potential threats to human life.

6) Business development – In 2004, the global cybersecurity market was valued at $3.5 billion. In 2017, it is now estimated to be worth $120 billion. But this value is primarily based on the number of products and services delivered. And while there is huge growth potential within the existing paradigm, there is a massive economic opportunity in fostering a commercial ecosystem built on online trust. Take for example the growing popularity of global trust audit and scoring offerings. More and more organizations are developing solutions to combat the proliferation of fake news. As it relates to IoT, consortiums are being formed to fill the security gaps in product design (i.e. existing markets can be strengthened through collaboration and coordination). And these are just a few examples of the emergent market for Trust-as-a-Service (TaaS).

7) Corporate social responsibility – There are numerous benefits to CSR programs, ranging from enhancing brand loyalty to securing and retaining investors to attracting and retaining engaged and productive employees. So in that vein, social responsibility investment in cyber-related areas such as child online protection, secure coding for women, hackathons and cybersecurity research is a savvy approach to cementing market position. As a result, companies can promote good security as a selling point for their products and services, create a pipeline for the best cybersecurity talent, and leverage their cyber-specific supply chains to build consumer trust.

8) Mergers & acquisitions – Businesses must recognize the importance of cybersecurity due diligence in the M&A process. Due to a low standard for due diligence, several corporations find out about major cyber incidents only after an acquisition deal has gone through. In actuality, serious cybersecurity issues around compliance, data breaches, poor security architecture or the absence of incident response processes should be uncovered before finalizing a transaction. In the case of Verizon's acquisition of Yahoo!, the final offer was cut by almost $400 million due to revelations about cybersecurity incidents. A 2016 survey by the NYSE indicated that over 50% of respondents regarded major security vulnerabilities as a 'show stopper' for a merger or acquisition.

Considering that end users are generally regarded as the weakest points in cyber defenses, logic dictates that cybersecurity should begin with the individual. Every single employee must be engaged and involved in defending the organization from online threats. It is they who most often access enterprise applications, networks and devices, and will undoubtedly serve as the first line of protection against hackers. Executives and board members are targeted due to their access to key digital assets; and because of the traditional fortification of the network perimeter, line workers are the focus of threat agents seeking to gain entry into the network or escalate their privileges to access sensitive information. Indeed, both executives and employees represent vectors to the same ultimate objective — the compromise of internal systems and access to critical data. Hence, development of an effective cybersecurity strategy must involve tight coupling of security practices with business operations to bolster an organization's overall security posture. The most damaging misstep organizations can make — and often do — is relegating this function to an understaffed and underfunded IT department.

By Niel Harper, Managing Director. More blog posts from Niel Harper can also be read here.
