How do you and your IT teams view cybersecurity? If your organization views cybersecurity as a “necessary evil” to mitigate risk and meet compliance obligations, you are in good company. That is the approach that many business executives have adopted. But is it the right approach?
Not anymore, says Mark Rasch, a leading cybersecurity and privacy attorney who, earlier in his career, started the computer crime unit within the U.S. Department of Justice. Rasch says it’s time to think about cybersecurity as an asset that can empower and differentiate the business.
“When you look at the concept of cybersecurity strictly through the lens of preventing harm, it will only get you so far,” says Rasch. Instead, business leaders should talk about cybersecurity “in a language that ties into the goals of the business—profitability, customer retention, corporate culture, brand reputation and product innovation.”
Cybersecurity as a Business Enabler
Changing the language—and the thinking behind the language—is probably easier than you think. You wouldn’t consider making most decisions without thinking about business enablement. So why not take the same approach to cybersecurity?
“Say the company is considering opening a plant in a country where it has never before done business,” Rasch says. “Management will address a series of questions: What are the risks? Is the government stable? Is there sufficient electricity and transportation? Is there a large enough pool of workers? How will this decision affect our profitability, revenue growth, customer relationships and partner relationships?”
Cybersecurity must be included in those discussions.
“Does the country have cybersecurity laws? What are the data retention requirements? Can we safely do business on the internet? Can we hire cybersecurity professionals in the region? Is there a legal structure that will protect the confidentiality of our data? Will law enforcement work with us if we are attacked?”
Building a Culture of Cybersecurity
That’s just one example. Rasch urges business leaders to go a step further and attach a cybersecurity component to everything that gives the company value. Writing in the upcoming book, Navigating the Digital Age, Second Edition, Rasch argues that cybersecurity touches every aspect of the business and therefore must be a vital part of the corporate culture.
“It means looking at products, services, solutions, and new technologies and asking what data is being collected? How is it being collected? What is the impact of collecting, storing, and processing this data? How is the data to be used? How long will this data live? From a security standpoint, it means asking who has access to the data. How do I audit access to the data? Is the data encrypted or secured, either in whole or in part? How do I protect data confidentiality, integrity, and availability?”
The Language of Business Enablement
Most of these questions will be posed by your cybersecurity teams. But can they talk the talk of business enablement? What does the language even sound like? Rasch offers some examples to get your IT people on the right path:
- Security reduces costs because it increases the efficiency of moving data and enabling collaboration.
- Security accelerates speed to market, which means we can make more profit.
- Security empowers us to do things routinely today that we couldn’t have done a few years ago.
- Security enables us to hire the best people because we are not limited by geographic constraints.
- Security allows sales and marketing to leverage analytics and be more responsive to customer needs.
Talking the Talk
Rasch also provides advice you can offer to your security professionals to help them get focused on the bottom line:
- Closely examine the overall goals of the business and develop a framework for articulating the role of cybersecurity in key business functions—hiring, operations, sales, marketing, distribution, etc.
- Focus on where the company is going and how cybersecurity can be a business enabler. Let security drive the conversation.
- Take an expansive view of the regulatory environment. Don’t view privacy as a separate discussion; embed it in your security posture.
- When seeking investment, the selling point shouldn’t be that nothing happened; it should be that security enabled and empowered the business to achieve specific quantifiable and measurable results.
- Quantify the value of risk reduction. You change the culture when you attach real numbers to risk mitigation and combine that with values associated with profits, sales, speed to market, hiring, product development and improved operational efficiencies.
Rasch stresses that business enablement through cybersecurity is no longer an option; it is a fact of life of doing business.
“If you are involved with other companies, they will demand that you have a comprehensive cybersecurity program,” he says. “Failure to have one means you won’t be able to do business, period. However, if you merely place cybersecurity in the bucket of either ‘cost of doing business’ or ‘risk mitigation,’ you may be missing the real opportunity at hand.
“Cybersecurity can and should be about driving revenue, achieving greater profitability, attracting and retaining new customers, operating more efficiently, empowering innovation, hiring the best people, transforming the workplace,” Rasch concludes. “Only when we think of cybersecurity in those terms, can we truly leverage the power of the Digital Age.”