What will it take for business leaders to understand the true value of cybersecurity?
Business decision makers (BDMs) and IT leaders have rarely seen eye to eye. Back in 2020, an analyst report revealed that 69% of execs perceived cybersecurity to be an entirely or mostly technology area. Yet this attitude is increasingly unsustainable in a world where businesses must fight for every last contract and every last staff member.
As new research reveals, security means business today. But even when presented with this reality, many senior BDMs are failing to make the connection. They need to get better at framing cyber in a positive business context, just as IT and security leaders must try harder to articulate risk in business terms. Hopefully, somewhere in the middle, organisations will start to see effective cyber risk management as a differentiator rather than a drag on profits.
Time to rethink
These are difficult times in which to run a business. Having weathered the storm of a pandemic-era global recession, business leaders could have been forgiven for thinking the worst was behind them. They would have been wrong to do so. A pandemic supply chain hangover combined with generous stimulus payments in the US and then the war in Ukraine have put paid to any notions of a post-COVID bounce back.
IMF forecasts are for advanced economies to grow at just 1.2% year-on-year in 2023, with some predicted to dip below 1%, perilously close to full-blown recession. High inflation, rising interest rates and surging energy costs have hit hard across European businesses and consumers. Meanwhile, the jobs market remains extremely tight, with unemployment at near-record lows in many OECD countries.
BDMs must set a course through this economic storm, ensuring they attract the brightest and best without letting any of their talent jump ship. They must keep costs under control while making the right bets in key areas to drive sustainable growth. Yet alarmingly few see a role for cybersecurity in this. Traditional views of cyber as a primarily technology-centric part of the business prevail. Research reveals that around half see it not as a revenue generator, but as an area limited to threat prevention. A sizeable minority (38%) even view security as a barrier rather than a business enabler.
Business leaders are confused
These findings are made more surprising by the fact that the same research reveals global BDMs are already coming face-to-face with the reality of security as a strong business enabler. A fifth say poor security posture has already lost them business, while 71% say the topic is increasingly being raised in negotiations with prospects and suppliers. Yet only 57% of BDMs see a strong connection between cyber and client acquisition/satisfaction.
The same contradiction can be seen in talent acquisition and retention, which only around two-fifths of BDMs believe has a link to cybersecurity. Yet in the same breath, three-quarters claim the ability to work from anywhere has become vital in the battle for talent, and even more (83%) admit that their inadequate security policies have affected remote employees’ ability to do their jobs.
Why security matters
The well-worn analogy of car brakes is instructive here. Without them, we’d all be driving painfully slowly, or else crashing at every turn. In a similar way, cybersecurity is about allowing businesses to move faster, but at the same time to do so safely. Organisations are too often afraid to build security into business processes, for fear that they will slow things down. But when done right, cyber is an essential enabler and driver of business resilience and growth. Unfortunately, many firms are choosing to accelerate digital transformation without putting the requisite safeguards in place – making it more likely they’ll end up “crashing” by suffering a serious compromise.
This is where security by design comes in. It could be something as simple as scanning open-source code for malware and vulnerabilities before it enters production. It could mean continuously assessing cloud environments for compliance with policy, to ensure there are no misconfigured accounts left open. It could also mean micro-segmentation of networks to protect high-value assets and limit the blast radius of attacks. These all speak to the value of effective cybersecurity in reducing business risk.
The good news is that, in spite of their reluctance to join the dots between security and several critical areas of business operations, 64% of BDMs see a strong connection between cybersecurity and business risk. Yet at the same time, only a third say they report cyber as a business risk, while 28% don’t even record cyber risk at all.
While no two organisations are the same, there are some general best practices that would help most to enhance their approach. First, understand those assets that require prioritising from a cybersecurity perspective, by calculating the business risk of compromise, loss or unavailability. Second, continually monitor and mitigate cyber risk across these assets. Third, regularly update the board on these efforts, in business risk language.
Of course, in practice it's not as simple as this. But BDMs shouldn't lose sight of the fact that by managing cyber risk effectively, they are going a long way to managing business risk. It's an increasingly important way to help win new business, acquire and retain talent, and unlock strategic growth.