Embed cyber security into digitisation projects from the outset
With digital transformation in full swing, it is imperative that board members truly understand digital risk, so that they can mitigate the threat of an attack on their organisation’s digital infrastructure.
Risk is part of doing business and is thus something every organisation needs to take into account. Whatever the strategic business decision is – whether a simple product launch or a complex entry into an entirely new market – it will require some level of risk analysis. Given that boards already have a clear understanding of risk in this sense, it is strange that cyber security’s role in business outcomes remains so misunderstood.
New stories of cyber breaches and malware attacks appear regularly in the press, along with news of critical data and assets being compromised. Each such story tells us that a key aspect of the affected business was never properly assessed for risk. Mitigating such risks and preventing the damage they can cause an organisation relies, at least in part, on far greater executive-level understanding.
According to David Higgins, Technical Director for EMEA at CyberArk, the situation is made even more dire by the fact that digital is considered to be an essential building block for so many key business initiatives. As part of their digitisation drives, businesses are thus embracing DevOps methodologies, cloud-based services, and on-demand applications to increase business agility and improve efficiencies.
“Add to this the developments in artificial intelligence (AI), the Internet of Things (IoT) and robotic process automation, designed to help businesses transform raw data into meaningful insights, increase productivity and automate tasks, and you have a clear risk problem. All of these areas help to increase both an organisation’s exposure to threats and the potential risk levels associated with an attack on digital infrastructure,” he says.
“Remember too that another major challenge is the fact that at board level – although the executives understand digital risk as a concept – they nonetheless lack the widespread technical or digital literacy required to understand the big picture of how all-encompassing a devastating cyber attack could be for a business.”
To this end, says Higgins, any discussion of digital transformation must include digital risk as a component. Without this, he adds, you cannot have a complete understanding of the risk associated with a decision. It is far better, after all, to have a pre-existing strategy that has considered the risks and acted on them than to call in the experts only after a breach has occurred, he points out.
When examining a digital initiative, he continues, among the first questions any board director should ask are ‘what might go wrong if we rely more heavily on technology?’ and ‘how do we safeguard such an investment?’
“It is the failure to interrogate questions of this nature, and thus the inability to fully understand them, that leads to an increase in the risk, because it is not properly quantified. The reality, of course, is simply that digital risk is one of many competing business priorities.”
“The nature of the digital revolution is such that there is no better time than now to build awareness about cyber attacks and associated digital risk. Digital is central to so many organisations at present that the task of increasing the understanding of the concept, one that is often viewed only as an existential threat, is much more achievable.”
Of course, indicates Higgins, when explaining such risks to board members, the CISO needs to move beyond the typical technical conversation. Real-world examples help a lot – so explaining it in terms of a cyber attack that was recently in the headlines is often a good option.
“It can also be explained by presenting the digital risks as issues that translate to reduced revenue, reputational issues, share price hits and operational interruptions. In such instances, case studies demonstrating these impacts are, sadly, very easy to find.
“Ultimately, in order to protect data privacy, mitigate threats and manage risk, businesses need to embed cyber security into digital transformation projects from the outset. This can be achieved by improving board and executive communications, creating a security-first culture, and fusing security into product planning, development and operations practices. In this way, the CISO can help the business unleash the full potential of digital transformation, because the digital risk is a known and managed component of it,” concludes Higgins.