Exclusive: Risk by Risk, Business to Business – Part 1
James Thorpe
Share this content
In the first instalment of this International Security Journal series, Mo Ahddoud, CEO, Chameleon Cyber Consultants, explains why good cybersecurity starts with the business strategy.
Good cybersecurity is a fundamental part of being a responsible business – but what is good cybersecurity? The answer to that depends on what a business wants to achieve and those decisions start with the business strategy.
Once the business strategy has been crafted with defined business goals it then needs to be implemented. For this to be successful it requires three things – people, process and technology, all of which bring a level of risk.
Unfortunately, many business leaders are not informed or even have visibility on what these risks are or how they might impact the business as, although important, cybersecurity is not seen as something that should be included at the strategic planning stage.
In many cases, it is seen as an issue that sits with IT, an anti-virus product or it is not relevant to a business as its not deemed to be a target for cyber criminals.
But, by including cybersecurity in strategic planning, business leaders can gain knowledge on these risks and how they might affect their business enabling them to make informed decisions on how to manage them.
This approach also enables security budgets and resources to be focused in the right areas, ensuring businesses remain compliant and protected without effecting the strategic objectives of the business.
What does strategic planning look like for cybersecurity?
We recommend the cybersecurity team or provider not only understands the goals of the business but also how the business wants to achieve them; this enables them to identify stakeholders, dependencies on technology systems and areas that may involve data privacy.
Next, they need to work with stakeholders and business units to understand the current state of cybersecurity across the business. This enables them to identify any gaps that might impact the overall business objectives.
Using this information, they can provide visibility to the leadership team on what the risks to the business are. This allows the leadership team to make informed decisions on the desired target state, so the business is compliant but still able to achieve its goals.
Once these decisions have been made, a prioritised roadmap of how to achieve the desired target state can be crafted. This should include owners, costs, headcount, external resources and technology. Without this, implementing the plan will be difficult.
Once the business strategy has been crafted with defined business goals it then needs to be implemented. For this to be successful it requires three things – people, process and technology, all of which bring a level of risk.
The benefits of a cybersecurity strategy
A cybersecurity strategy that is clearly aligned to a business not only helps protect against threats but is also paramount to a business being prepared should such an attack take place.
This preparedness alone can significantly reduce the cost implications and reputational damage a business might incur. Research has shown that a business that understands their risks and is well prepared not only respond quicker and more effectively to a breach, but it can also reduce the costs of a breach by 34%.
And with the cost of a data breach alone rising by nearly 10% in the past year, the highest rate in over seven years, it is more important than ever for businesses to not only understand risks, but also be prepared for the worst.
This starts with each business unit knowing how to play their part – but to do this they need instruction and guidance and this is where the cybersecurity strategy comes in. Without it, a department’s interpretation of what is expected of them could be different to that of the business.
Think about baking a cake without a recipe. You have all the ingredients but, without the recipe to follow, the end result will inevitably turn out different to the intended one. So, the cybersecurity strategy is the recipe, the plan that all business units can follow to ensure that the business is as secure and compliant as it can be.
What does a cyber strategy look like in practice?
Take a marketing department as an example. This is a department that you may not traditionally associate with cybersecurity or risk. However, most marketing departments do collect data and it is how this data is collected, stored, protected and used that is important.
The cybersecurity strategy will inform the Marketing Director of the expectation on their department when handling this data and it is therefore his or her responsibility to ensure this is enforced. This ensures their department is playing their part to keep the business secure and compliant whilst following business expectations.
In short, a cybersecurity strategy can reduce risks, costs and educate business leaders and their teams on their operational responsibilities when it comes to the security of the business. It is the plan that guides the business to be compliant, secure and ready for the worst.
Compliance management
But, this is not the end of the story. Building a security compliance program into your cybersecurity strategy is critical. It provides senior management with a structured framework for making business decisions on allocating costs and efforts related to cybersecurity and data protection compliance obligations.
And, with the cost of compliance rising and businesses spending at least 25% of their budget on compliance obligations, having this knowledge is key. Without it, the costs could be such that it could act as a barrier for some businesses to enter new markets or, worse, be non-compliant where the costs are almost three times greater.
Having a cost-effective approach to security compliance is not only essential, it can provide businesses with a clear strategic advantage.
Cybersecurity is a key asset
The cybersecurity strategy should not sit in isolation from the business strategy. It should be a key part of supporting business success and should constantly evolve as the business does.
Business leaders who take responsibility for ensuring the cybersecurity strategy is appropriate and aligned to the business objectives will not only be assured that the business is compliant and protected, but also set up for success.
By Mo Ahddoud, CEO, Chameleon Cyber Consultants
At Chameleon Cyber Consultants our mission is to use the very latest security thinking, practices and technology tailored to your specific business needs and objectives. So, if you need help facilitating business success through secure environments please visit: www.chameleoncyberconsultants.com
