In cybersecurity, it is common to use the famous saying that “if it doesn't come from love, it comes from pain.” Unfortunately, some companies have suffered from cyber incidents and have had to implement a cybersecurity program immediately. This type of reactive implementation is often done in haste, yet it is essential to go beyond the post-crisis and think about the long-term strategy.
Before implementing a cybersecurity program, it is vital to understand the current risks, trade-offs, and business opportunities that a security strategy can optimize. The program must relate to the short-, medium- and long-term organizational goals.
The Strategic Role of Cybersecurity
A cybersecurity program is nothing more than a journey of definition, education, awareness, and execution of the roles to be played by different organizational actors, including the Board of Directors. They deliberate the topic strategically, giving the tone over the right balance for business, innovation, and risk appetite.
The information security team supports technical and operational plans, which are today, in the new economy, intrinsic to the core business and needs to permeate the entire organization. It requires ensuring compliance, bringing reliability to operations, enabling business, and providing trust and transparency to customers, partners, shareholders, and other stakeholders in the ecosystem.
The Board should ensure that all senior management is diligent with cybersecurity matters, not only the CIO and CISO. While Board members don’t have the cyber competence in the boardroom, they can leverage the cyber ecosystem resources such as consultants, advisors, external auditors, and other CISOs on this journey.
Besides that, Boards must expand their knowledge to have an active voice in the conversation, bringing their drivers and expectations to the table. Cybersecurity is complex and should be divided into different perspectives, such as connecting business drivers to risks and regulatory requirements. These four elements are critical to ensuring an efficient and effective cybersecurity strategy.
- Business Strategy
Evaluate how the cybersecurity matter connects to the business lifecycle, on strategy definitions, operations, products, M&As, JVs, services, and technology, and validate which benefits it generates.
Check how the organization structure responds to the theme and how the culture is reacting by discipline. Understanding whether the value generated aligns with the long-term objectives is essential.
- Risk Management
Comprehend current risks by understanding the main internal and external threats to the business, existing vulnerabilities, the likelihood, and the organization’s business and ecosystem impacts on cyber risks. Then discuss the strategies taken over the risk portfolio, confronting the risk appetite, and whether the decision was to accept, mitigate, transfer, or avoid the risk.
- Evolution and Maturity of the Program
Understand at what stage the organization is facing its program and how it compares with the industry, considering the levels of cyber maturity in its identification, protection, detection, response, and recovery capabilities.
In the face of the current scenario of attack campaigns aimed at organizations and ransomware’s paralyzing operations, look to comprehend the company’s capabilities from a resilience perspective.
Monitor and ensure compliance with laws and regulations, such as data privacy laws, cybersecurity regulations, or standards demanded by the market, such as ISO 27001 or PCI-DSS for the credit card industry. They require structured and focused programs to help implement and sustain conformity.
Going beyond Protecting the Business
Helping to build digital businesses with cybersecurity in the equation requires looking at different perspectives, such as protecting and sustaining operations, complying with laws, mitigating risk, and enabling business prosperity.
Addressing one or more of these perspectives in isolation without connecting to the organization’s strategy can have an interesting short-term effect. But it is better for the organization to think about these elements as interconnected in the overall strategy.