For most organisations, addressing the challenge of cyber breaches – real and potential – is a technology issue. And, for this reason, responsibility for cybersecurity is largely left to CISOs and CSOs, with other members of the C-suite having little, if any, involvement. A recent article in the Harvard Business Review (HBR) suggests that business leaders need to take a different approach and re-think the issue of cybersecurity entirely.
Titled “Why Security Isn’t Only a Tech Problem”, the article takes the form of a Q&A with Thomas Parenty and Jack Domet, cofounders of cybersecurity company Archefact Group. They have also written for the HBR. They were interviewed by Alison Beard.
Parenty begins by comparing the current situation with trench warfare in World War One, saying “the progress is negligible, and the casualties are high.” To address this, he suggests that companies should first consider their most critical business activities and how cyber attacks could disrupt them. Once this is done, they can begin prioritising the whole process of risk mitigation. He adds that, too often, the focus is on fixing computer vulnerabilities without ever addressing the fundamental issue, “which is protecting the business activities for which the computers were procured.”
Domet suggests that the origins of this approach may lie in an “attack and defence” approach to cybersecurity – which may have originated with technology departments and may not be precisely aligned with other, complex business risks. In addition to a lack of protection, many companies of his acquaintance are failing to obtain value for money from their cybersecurity spending.
The key to changing this may be to revise the nature of conversations about cybersecurity – something that Parenty and Domet are doing. They outline their approach, which makes use of a “cyberthreat narrative”.
They are also working to change the perception of cybersecurity as complex and even impenetrable to anyone but subject matter experts – CISOs and CSOs in particular.
The human factor
Employee behaviour is an area that remains both vulnerable and hard to change. Parenty and Domet recommend raising employee awareness of the implications and relevance of cybersecurity to their own work, but going beyond familiar “best practice” training. As Parenty says: “… this requires actually going beyond a list of generic good things to do, to actually looking at how an employee functions in their day-to-day work life, and how the actions they perform either discourage a cyber attack from being successful or lay the groundwork for a cyber attack on the critical business activity that they are involved in from being effective.”
The interview also considers the many variables that might attract threat actors. Several of these might be less than obvious, such as location, the wider nature of the company’s activities and the wider business sector in which the company operates. It’s clear that there are far more variables and factors that need to be considered – and addressed – to achieve good cyber health.
Although a consultancy approach is one way of doing this, Domet recommends building an “internal capability to recognise what really, truly drives your cyberrisk going forward”.
While much of the article considers how large companies – with typically large cybersecurity budgets – can improve things, it also considers how smaller organisations, with proportionally smaller budgets, can better protect themselves. Parenty’s advice for companies of any size is the same: “Focus on your company’s most significant activities and the business risks they face. And then you can think about how a cyber attack could cause these risks to materialise.”
The full article is now available via the link.