It shouldn’t come as a surprise that experts predict damages caused by cybercrime could reach $6 trillion globally by 2021. As tech develops so does the ingenuity of those seeking to exploit it, which is why risk management and cybersecurity must be top priorities for any future-thinking company.
A solid security strategy will not only protect your business but enhance your reputation. However, taking a traditional protectionist approach can inhibit innovation. Instead, companies need to change their mindset around risk management, understanding that security can actually enhance value creation, rather than stifle it.
Changing how we think about risk management and cybersecurity
The whole point of a strong risk management strategy is to make your company resilient and trustworthy – and make it appear so to customers and clients – while still creating value.
Traditionally cybersecurity has been inward-facing – only concerned with protecting the company’s infrastructure from threats such as malware, hacking or ransomware. In 2017, a ransomware attack called ‘WannaCry’ targeted computers running Microsoft Windows. Amongst other businesses, it hit a third of hospital trusts in the UK, locking users out and demanding a ransom in Bitcoin. It’s estimated to have caused billions of dollars in financial damages worldwide. Meanwhile, the Cambridge Analytica Facebook data scandal offers us an effective risk-management case study on three fronts: firstly as an example of how catastrophic the repercussions can be of woefully inadequate data protection; secondly, how difficult it can be to police tech; and finally, as a study in the reputational damage that comes from disregarding people’s right to privacy. The fact this was then followed by an entirely separate data leak by Facebook a year later is fairly extraordinary but shows the inherent risks associated with rapid tech development.
As tech develops so do threats and so should risk management and cybersecurity. However, progressive times demand a progressive mindset. Focus can’t only be directed inwards, but outwards too: how does your risk-management system and security tech enable and enhance value? Rather than limiting information, it’s about freeing it up responsibly – and there’s no excuse not to do so with the technology now available. This means check-box compliance is out and risk-based decision-making is in. Security experts must work side-by-side with executives and creatives to decide which measures can facilitate as well as protect.
The drivers behind your new risk management strategy
These are the things you need to address and consider when working out your new strategy – the areas that will drive and influence what security is needed and how it’s implemented.
Technical drivers:
- Adaptive architectures
- Digitalised ecosystems
- Identities and transactions
- Applications and data
- Technological infrastructure
- Business continuity management
Environmental drivers:
- Local and international governance
- Internal governance
- Policy and processes
- Integrated risk management
- Structural ecosystems
- External disruptions (i.e. data breaches, Brexit or Coronavirus)
- Staffing (i.e. having the appropriate number of skilled staff in the right positions)
Your new value-driven risk-management strategy
Your strategy should prioritise adaptability, confidentiality, integrity, privacy, safety, reliability and accessibility. It must combine protecting against attack with protecting access and productivity. To do this effectively, the current threats your company faces must be continuously monitored and analysed – are they mutating as your tech evolves, and is what you’re currently using the best option available? You also need to be vigilant against potential future threats and risks. As your business becomes more sophisticated, so will the tech you use… and so will the criminals you’re up against. Appointing someone whose role it is to oversee these prediction processes, making sure they’re up-to-scratch and constantly adapted according to changing demands, is a smart move.
Behavioural analysis comes to the fore when changing up your strategy. Knowing how both staff and clients use your tech, and how that behaviour changes over time, is an integral part of any risk-based decision-making process. Value creation is dependent on the analysis of authentic case studies – on how people actually behave online, not how you think they behave – and these case studies should be constantly updated.
Research security options available to you that will free up data responsibly. Executives, creatives, developers, and analysts, should work together to establish where value is gained and lost and at what cost. Do the rewards outweigh the risks? Also, make cybersecurity a focus of any internal tech-development strategy. Any API portfolio should include security-focused products that will not only add value internally through your own use, but externally, with developers and clients.
Once you have all of this information, follow the below guidelines to create a risk-management strategy that enables value creation.
Three steps to successfully balance protection with productivity
1. Create an ‘information security charter’
This charter will set out your security objectives clearly. Almost like a vision statement, it must be the result of collaboration between all areas of management, and include the results of your value-driven risk-management strategy. This charter must be accepted by everyone in the company to avoid any conflict or mixed-messaging.
It will include a detailed description of your current information security management system – its features, components and capabilities – as well as your future plans. It will also clearly define the hierarchy of risk-management responsibility within your company.
2. Be on top of governance and compliance
You need to be constantly on top of governance and compliance – internal, local and international. Cybersecurity is one of the biggest concerns for law enforcement, yet rapid tech growth means governments are constantly playing catch-up. They are also often led by societal and environmental disruptions and public movements.
3. Educate and upskill your staff (and hire new people if necessary)
Upskill current leaders in new security approaches and compliance. You’re negotiating uncharted territory when it comes to the rate of tech development and the implementation of new security measures on outdated platforms. Staff need to be constantly upskilled, not necessarily replaced, as their knowledge and business acumen will be essential to successfully integrate both new tech and new workers.
Securing and protecting digital innovation
Continuing to take a traditional defensive and protectionist approach to risk management and cybersecurity will limit creativity, innovation and possibly create conflict between security teams, developers and clients. Instead, adopting an attitude that recognises how security can work alongside value creation will not only future-proof your business, but keep you well ahead of the competition. Your security programme needs to be adaptable, with a view that it will constantly evolve as the tech evolves. But your company’s mindset also needs to be adaptable, acknowledging how digital is changing how we work and how we protect that work. We need to respect how risk management doesn’t mean today what it did even just a year ago. Rather than an impediment to be overcome, security can and should be viewed as an essential part of enhancing digital value creation.
More Insights?
View all Insights
Questions?
Director of Cloud EMEA