The inconspicuous threat to business strategy
As a board member or C-level executive, routine challenges will include defining and executing business strategy, and presenting the success of these to shareholders or investors. They want to see the bottom line. Business goals are set to stay ahead of competitors, retain good talent, develop, build and market new and exciting products, and keep the company relevant in a sometimes unpredictable market. With all these responsibilities it’s no wonder their thoughts are purely focused on the business outcomes.
As an IT professional, however, and specifically in the cybersecurity space, the challenges are slightly different. The attention needs to be laser-focused, technically driven, and with one specific goal in mind – to protect the company from any potential attacks.
The goals and challenges in these two worlds are equally important, but they often don’t overlap. The failure of the two worlds to communicate could often be the most significant missed danger to a company’s success. This seemingly inconspicuous threat comes from the inability to understand the connections between the technical goals of a company and its strategic aims.
What organisations need to consider is that cybersecurity is not a technical problem, it’s a business problem, a problem that can derail the best strategic plan for success. Being an IT professional and working with IT professionals daily, it is easy to grasp the magnitude of threats out there. The landscape is ever-evolving, and cybercriminals are getting more sophisticated in their threats, but not in the way you would assume. Rudimentary corporate issues don't get addressed, like end-user behaviour, lack of understanding around phishing, or even buying the correct security technology but not having the skills to understand or utilise it correctly.
"If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology."
Bruce Schneier
Over the last few years, I have chatted with my C-level executives who know that security is important but a lot of the time the response is “I’m not technical, that’s what my IT manager is for”, or “I know that it is something we need to address but I don’t think we are a high-risk company”.
There is not an organisation out there that is not vulnerable; in fact, smaller companies are just as much at risk as anyone else. They are easy targets, often don’t have correct security measures in place, and are a great way to reward a novice hacker learning the ropes of hacking. Never underestimate the determination of a kid who is time-rich and cash-poor.
So what then is the solution? Well, it's two-fold.
In order to bridge this chasm, IT professionals need to educate board members on the effects a poor security posture will have on business. To get this right, IT professionals will need to be made aware of how the strategy works and how business goals are set and aligned, and then position cybersecurity as part of a bigger strategy. The communication needs to be open, and the concerns raised by the IT professional should not be overlooked or taken as a grudge purchase, but rather treated as part of the very culture of the business.
Cybersecurity needs to be ingrained in an organisation, and throughout the business. Technology must follow education, and there must be a large focus on awareness. You can’t patch people, but you can do your best to align everyone to believe that cybersecurity is what you do as a business (outside of what you actually do as a business). In strategy, it needs to be a front-runner consideration in setting budgets and end goals.
Founder and CEO at @CyberIntelligent Systems (CIS) | Empowering Africa's Cybersecurity Landscape through 1000 Pentesters for Africa
1 year
I absolutely agree with your sentiments @Tarryn. Well said. A well-formulated security program is aligned and continually fulfils business objectives. A business strategy must consider all the factors mentioned, including the risks to the successful execution of the strategy – otherwise, the strategy is not well formulated. Risk to a strategy is just as important as revenue. Businesses that don’t understand the cyber risk don’t have a cybersecurity problem. They have a business problem. Some organisations still need help to see IT as an enabler and force multiplier that facilitates business processes. With effective IT governance, information security governance will be able to reach its full potential.