Wednesday 6 March 2019 11:39 am

Cyber security threats are a business risk, not a dark art

The term “cyber threat” has always carried an illicit ambiguity. It evokes a dark and secretive world populated by precocious teens in hoodies, organised crime gangs, and malevolent nation state actors.

By contrast, “operational risk” brings to mind sensible people wearing dark suits and making the world a little less unpredictable for us all.

To reduce cyber threats to operational risks may feel like pulling back the curtain on real-life science fiction, but it allows us to address a concern that has been growing for business owners and corporate boards.

As security threats have become more sophisticated, cyber defences have adapted to match them. Companies are targeting their investment to counter emerging threats, creating an arms race that has left larger businesses deploying over 80 security tools on average.

Many of these tools operate as black boxes with narrow applications, forcing corporate security teams to switch frequently between products to cobble together a piecemeal view of security.

This arms race towards greater complexity increases risk in the form of blind spots and human error.

Instead, security tools should be flexible to allow for evolving threats, interoperable to remove blind spots, and grounded in a risk-based view to facilitate reporting to the board.

Security as a technical problem is inherently impossible to solve outright, but as a business problem it can be neatly described in the trusted language of risk.

Addressing cyber risks in the language of business rather than that of internet subculture brings them in line with other corporate priorities.

This framing allows for assessment of return on investment and operational progress, while ensuring that the security team is given the recognition they deserve in the context of the company as a whole.

While cyber threats continue to grow and advanced hacking tools are commoditised and made broadly available, changes in the security risk profile should be accounted for and addressed in the context of the business as a whole.

Changing the context of assessment can replace reactive spending with proactive investment; as with investment in financial markets, short-term cyber developments can appear overwhelming, while adopting a long-term outlook encourages sensible, strategic decisions.

Resolving cyber security issues is complex and intellectually challenging, but that does not have to be the case for the people it affects at every level of the business.

When a company’s security posture is presented comprehensively as an operational risk, board members can quantify and assess it, and then add value through decisions grounded in language and processes that are familiar to them and particular to the business.

Simpler is safer when it comes to protecting your business. Simplify strategy by expressing threats as operational risks, simplify tools by ensuring that they are flexible and easy to adapt, and simplify language by ditching cyber and talking about security. Simple might not be the same as easy, but at least it’s somewhere to start.