Cyber security: essential part of modern business
4 ways to engage executives in cyber risk and opportunities
Business executives are beginning to recognize that accountability for cyber risk – and opportunities – cannot rest solely with IT. Cyber security should really be regarded as an essential part of modern business.
Jelle Niemantsverdriet - 3 March 2016
Cyber security: staying ahead of your competitors
A Deloitte survey among CIOs (Chief Information Officers) shows that many American retailers are making progress toward strengthening their cyber risk management programs. However, engagement from business leaders still needs improvement. In the Netherlands, the situation is similar. To fight cyber risks and use the opportunities cyber security offers to stay ahead of your competition, engaging your business leaders is crucial. The survey identifies four ways to do so: heat-mapping sessions, performance indicators, simulating an incident and scrutinizing the security implications of new technologies.
1. Heat-mapping sessions
According to the American survey, 71% of respondents cite a lack of sufficient funding. Dutch CIOs and CISOs (Chief Information Security Officers) do not fully agree, but they do identify another problem: how much funding is actually sufficient? How can you quantify your value at risk? One of the solutions to this problem is a heat-mapping session: bringing senior business leaders together with threat intelligence experts to identify the top areas of cyber risk for your company. What data and systems – your organization’s crown jewels – need extra protection?
Determining your value at risk
Based on the results of this session, your value at risk can be quantified. For instance, our Deloitte teams combine information such as your ‘crown jewels’, your industry and company size to determine the value at risk. We then make a model and change the variables: if your organization spends more on prevention or on monitoring, how does this affect the value at risk? This provides you with valuable information that you can use when discussing funding for cyber security with your business leaders.
2. Key performance indicators
When discussing cyber risks with your business leaders, you should highlight the most serious risks to your business, the risk indicators that signal your company’s level of exposure to them, and the methods you are employing to manage these risks. Performance indicators and metrics provide you with a common language to discuss these matters and help the leadership make decisions about funding and priorities. Since the implementation of the Dutch Data Breach Notification Law, more and more companies will probably provide these performance indicators anyway, raising awareness at the top.
3. Simulating a cyber incident
Incidents will happen. But when they do, you need to be prepared. Simulating a cyber incident helps executives to see the impact of such an incident on your business. Simulations surface your organization’s blind spots and weaknesses in its response capability and make it aware of the many varied challenges it can face. They also highlight the fact that response is not exclusively an IT issue, but one that requires the collective capabilities of at least the CEO, legal counsel, CIO, and Communications department. And they ensure that you have an accurate approach available in case of an actual incident.
4. Scrutinizing the security implications of new technologies
New technologies spell opportunities, but they also present a number of cyber risks that your organization needs to understand and mitigate. Security and innovation are often perceived to be mutually exclusive – but with security done right, they will actually be a joint accelerator. Reducing cyber risks associated with strategic technology innovations should be a fundamental part of both your cyber security and product development programs.
One final piece of advice
These four ways to engage your executives are crucial. I’d like to add one more piece of advice: as a CIO or CISO, you should play a more strategic role. It is vital to your organization that cyber security is part of the strategy. This might require a different approach or different qualities. But if you really want to be in control of cyber security, and use its opportunities to stay ahead of your competitors, it is the next and decisive step to take.