Cybersecurity isn’t just a technology problem it has become a business problem.
The rapid digitisation of organisations across many industries has led to an increase in corporate cyberattacks. This costs organisations in terms of money, employee downtime, direct costs of remediating the breach, and far-reaching reputation impacts that damage customer and investor confidence.
CISOs and CSOs must take a strategic approach to cybersecurity to protect the organisation, and not just individual assets, said Corne Mare director, security solutions at Fortinet.
“Taking a more strategic approach to cybersecurity means spending more time educating company boards and other executives on the impact that cyber risk has on their companies,” he said. “Cybersecurity is a business problem, not merely a technology problem. The threat affects the entire business’s ability to operate and mitigating the risk should form part of the company’s overall strategy.”
Cybersecurity needs to work on three different levels to be truly successful in mitigating business risk:
- Protecting company assets: cybersecurity on a tactical level protects and defends the network and the company from cyberattacks and threats. Protecting company assets means putting solutions in place to prevent unauthorised access.
- Protecting business operations: by protecting the company’s assets and preventing unauthorised access to, or interference with, digital systems the organisation preserves the value of the work it does. Avoiding costly downtime and the reputational damage that a successful cyberattack can cause should be a key goal for any cybersecurity strategy.
- Contribute to wider business objectives: each business function contributes to the organisation’s overall goals. CISOs and CSOs should understand how these functions contribute to business operations so they can determine which assets and processes must be protected at all costs, versus those that present less risk or milder ramifications if compromised. This lets CISOs and CSOs maximise the resources they have available to protect the business.
Mare told CIO Tech Asia a good cybersecurity strategy will protect the employees, clients, financial status, reputation, and the future of a business as well as its digital assets.
“It’s easy to understand that poor cybersecurity can lead to data breaches and downtime, both of which can be expensive. But it can also have a negative impact on the image and reputation of the company, which can affect customer confidence and even lower the share price. The financial impacts of this can be far more significant than the direct, initial costs of dealing with a cyberattack.”
C-level executives must understand that, by investing in cybersecurity, they’re investing strategically in their business and helping to reduce corporate risk, said Mare.
“Cybersecurity professionals need to be able explain the financial cost of not investing in good cybersecurity measures, and executives need to consider if they can afford the potential losses in the event of a cyberattack. To do this, relevant performance metrics and KPIs that evaluate and demonstrate the wider business value of this strategy are essential.”
Mare recommends CISOs and CSOs work collaboratively to identify how security investments integrate with wider business objectives to demonstrate the business value of a good cybersecurity strategy.
“Reframing cybersecurity approaches and looking at strategy through a business lens can let executives see that investing in cybersecurity strengthens their investment in the future of the company,” he said. “Recent cyberattacks have seen large organisations targeted through third parties.
The threat factors for businesses are evolving as they innovate, making it critical for CIOs and CISOs to strategically manage new elements,” he said.