Cybersecurity as a Business Strategy

This article also appears on Corporate Board Member

A smart board of directors understands that cybersecurity is a management issue—not just a technical one.

Today’s business world is becoming ever more interconnected. New threats are emerging every day—not just from bad actors, but from the vulnerabilities created by a widening attack surface as well as from enhanced communications.

Today, employees can be tracked easily from their mobile phones or fitness watches. Their laptops can be hacked, as well as their cars, watches, TVs and even their hearing aids. Greater Internet connectivity is constantly widening the attack surface, including everything from light bulbs in the office, alarm systems at home, appliances, planes and pacemakers, leaving them vulnerable to manipulation.

Most people assume the main function of cybersecurity is to reduce operational risk by eliminating the dangers posed by viruses and hackers. But it’s time to reposition cybersecurity and for management and boards to see it for what it really is: a growth enabler as opposed to a growth inhibitor.

Digital transformation has created an environment of increasingly intense competition. Agile organizations can get the upper hand by using cutting-edge technologies to create new products and services, provide better customer experiences, and much more. The key enablers for digitization involve cloud, big data, mobility, and collaboration. Security needs to be embedded in the entire business ecosystem and it needs to be sufficiently agile to adapt to the speeds and volume of data required by daily transactions, while being able to handle the complexity and multiplicity of threats in a digital world.

Security and governance are more complicated today as more potential attack surfaces increase vulnerability. While developing new products and services, a company needs to strike the right balance between innovation and risk. In most cases, the more that security is increased, the less user-friendly and convenient the product or service becomes. A strong cybersecurity posture is essential to ensure that innovation is not curtailed due to security concerns. A sound cybersecurity strategy must promote innovation as well as customer trust—both essential for continued growth. A well-developed cybersecurity strategy keeps the operational wheels of business rolling.

Effective cybersecurity is needed to enhance product integrity, customer experience, operations, regulatory compliance, brand reputation, and investor confidence.

The business landscape is becoming ever-more interdependent. Business strategies are therefore focused on widening and deepening links to resources outside the firm. Competitive advantage is no longer the sum of all efficiencies, but rather the sum of all connections. Companies need to manage a complex ecosystem of stakeholders: partners, suppliers, investors and customers. Partners for their network must be selected with governance and fiduciary processes that are aligned with their own. If one link is broken anywhere in the ecosystem, the others will weaken too, and business will suffer. It is important to adapt cybersecurity technologies that assess behavior in order to identify potential problems before they can cause harm.

When things go wrong—in a major or minor way—the ability to quickly identify and respond to a problem will determine the company’s ultimate recovery.

It’s no longer a question of whether a company will be attacked but more a question of when it will happen, and how your organization is going to prevent it. Smart network surveillance, early warning indicators, multiple layers of defense, and lessons from past events are all critical components of true cyber resilience.

When it comes to corporate crises, the only thing people remember is the outcome. A good outcome is the result of a well-developed, disciplined process that demonstrates collective wisdom and commitment to corrective results. Cybersecurity cannot be guaranteed, but a timely and appropriate reaction can.

The specific needs of an effective cyber-wellness and security program include: careful planning, smart delegation, and a system for monitoring compliance—all of which the Board of Directors should oversee.

Long term, the Board needs to understand and consider the strategic business implications of cybersecurity, foster the right corporate culture regarding security, and encourage the integration of cyber risk management practices into all governance and approval processes. Bottom line: a smart Board of Directors understands that cybersecurity is a management issue—not just as a technical one.

In the world of the Internet of Things, there are few competitive advantages more critical than trust—and excellence in cybersecurity is a distinguishing factor.

In our fast-paced, anonymous digital world, information on a company’s product is readily available. As one customer service expert puts it, “customers are wired and dangerous.” Bad news travels faster than ever before. Being “different” is less and less of a competitive advantage. Instead, customers’ trust in your company’s credibility is the new coin of the realm – probably the most important competitive advantage you can have.

Prior the digital era, customer trust was engendered by personal relationships, a handshake, or a rock-solid credit rating. Today, trust is earned with a consistent history of receiving the exact product you ordered, delivered at the near exact time it was promised, without any payment issues.

Equally important—perhaps even more so—trust includes safeguarding your personal data. To gain business, every company must win customers’ trust by actually being trustworthy. With the increasing velocity of information-sharing via social media, even a minor cybersecurity incident can go viral, causing rapid, widespread customer defection.

Having an effective business cybersecurity strategy is so important that the SEC will soon mandate it.

Now working its way through the Senate, the Cybersecurity Disclosure Act is a simple bill that will have a far-reaching effect. The intent is to ensure that companies publicly disclose the steps they are taking to protect themselves and their customers from cyber-attacks.

As part of their annual reporting to the Securities and Exchange Commission (SEC), public companies will have to disclose whether a member of the Board “has expertise or experience in cybersecurity.” And, if not, be able to cite “what other cybersecurity steps” were taken by the company. Requiring board expertise in information security would be a novelty in corporate America, other than companies in the information security business.

More significantly, the Disclosure Act will hold Boards of Directors responsible for protecting their companies and their investors from data breaches, hack attacks, and other cyber threats. This legislation will elevate cybersecurity to the list of other risk factors that public companies must disclose – litigation, high debt levels, or labor problems

In short, to compete and win in today’s technology-driven world, companies need to get cybersecurity right. And boards must provide the oversight to ensure that they get there.