Cyber as a business priority (not just IT priority)
In recent years, and much more so since 2020, it is impossible to remain unaware of the cybercrime outbreak, which is growing at an exponential rate and, unlike the COVID-19 pandemic, is here to stay. A new cyber-attack takes place somewhere every few seconds, and the major and “successful” ones are covered daily and at length across all media channels. Companies get caught off-guard: their business grinds to a halt, they bleed cash to recover their systems, pay significant ransoms, face huge fines and penalties, have their most sensitive data published, and often see their reputation tarnished. Ultimately, in many such cases, we note the inevitable stepping down of C-level executives and top leadership from their positions.
Yet despite all that, far too many C-level managers, mostly from less cyber-regulated and less mature sectors such as maritime and logistics, still regard cyber as an “IT issue”, or worse, as a burden (“let’s tick the box and be done with it”).
While most CEOs and business owners that we meet “talk the talk” and acknowledge the importance of cybersecurity, a very typical response when they are approached to discuss their company’s resilience to cyber-attacks is “let me get you in touch with my IT person in charge”.
On the other side of that coin, most organizational IT leaders that we talk to often feel that the entire weight of cybersecurity rests upon their shoulders (some even have it in their personal KPIs…).
But can ownership of cybersecurity by the IT department, as good as that department may be, still be considered a viable business approach in 2021?
Several key trends that are rapidly taking shape clearly demonstrate that clinging to this paradigm is a very risky approach:
Likelihood – Cyber criminals are becoming highly sophisticated. Unfortunately, cybercrime pays well and comes at low risk, and therefore it attracts some of the smartest and most resourceful people on the planet. This means that hiding behind a wall of technology is not going to suffice, certainly not when a sufficiently persistent attacker is after your company. Technology will only take you so far; you WILL get hacked eventually. As the frequently used but true cliché says, it is a matter of when, not if.
When the inevitable happens, IT will be in a state of chaos of its own and focused on addressing the IT aspects of the crisis. What about the business aspects – customer service? Vendors? Production lines? Supply chain? Cashflow? Surely you would agree that none of these issues is part of the IT domain. As all cyber events have demonstrated, every company should be prepared to perform and address critical business processes and communications without functioning IT systems.
Business impact – the outcome of a cyber breach has shifted dramatically, from relatively marginal disruptions such as denial of service and website defacement to major data theft, ransomware, and even attacks carried out purely for destruction. Such attacks can slow or stop business-critical processes for days, even weeks, and sometimes permanently. In other words, cyber has become an existential threat, even more so for SMBs that may lack the deep pockets required to recover.
Regulation – simply put, the regulator’s role is to force companies to take the necessary measures to protect systems and data. Whether international, local, or sectoral, cybersecurity regulation is now evolving faster than ever before, and every organization must be able to comply or risk severe fines and penalties, and possibly also personal liability for its leadership. And while cybersecurity regulation for the maritime and logistics sector is gravely behind that of other sectors, it is beginning to catch up (see recent guidelines from IMO, BIMCO and the US Coast Guard), as are the recent declarations from the US White House on the criticality of maritime cybersecurity, which will surely be translated into stricter and more elaborate regulation in the near future.
Key stakeholders – each company has customers, vendors, partners, investors, employees, debtors. During the course of ongoing daily business, and certainly far more during a cyber incident, these stakeholders are highly impacted and have significant reciprocal impact on the business. Moreover, in recent years such stakeholders are increasingly developing higher cybersecurity demands, requirements and expected standards from all companies.
And companies must adapt or soon face the consequences of being considered too big a risk to do business with. Such strategic considerations and agendas cannot be left to IT; nor is it IT’s professional duty or area of proficiency to address them.
Rush to digitization – many businesses today are undergoing “digital transformation”. Digitization is a very positive trend that can help most businesses achieve efficiencies such as cutting costs, opening new sales channels, and working remotely. It is therefore easy to understand why it has become a top item on the agenda of many CEOs.
However positive, digitization will always come with a higher “price tag” of cyber risk. While IT is naturally the key enabler of digitization, the process and the strategy of digitization are usually led by the business. But when it comes to the cyber risks created by digitization, they are often dismissed by the business, or the entire management of that risk is shifted to IT. Cybersecurity ownership must start at the top and be fully aligned with the business and the digitization strategy.
To conclude, we determine here that cyber is first and foremost a business priority. We reviewed the key trends and drivers behind it: increasing likelihood, severe impact, evolving regulation, key stakeholders’ interests, and the rush to digitization.
The organizational IT unit is a primary component of the cybersecurity program and the cyber resiliency of every company. However, we claim that perceiving IT as its sole owner, and the CIO as the main and only “go to” person in the organization on cyber, is an outdated and risky approach. In fact, truly cyber-mature companies tend to segregate their cybersecurity team from organizational IT altogether and have the CISO report directly to the CEO or to the relevant C-level executive in charge of risk and BCP, so that IT can be observed neutrally by the person in charge of information security.
In our next piece, we will review what steps need to be taken in order to change the “cyber is an IT issue” mindset and how to apply a business-led approach to cyber strategy.