Is your organization’s cybersecurity posture tightly aligned with the overall strategic objectives of the business? How long would it take for the cybersecurity team to know if the organization has been compromised by an attack? Does the organization have cybersecurity insurance and, if so, does it truly transfer risk and provide adequate protection?
You may think these questions are the domain of the cybersecurity professionals in your organization. Today’s reality, however, is that business leaders in the boardroom and executive suite must not only be asking these questions; they must also make sure their cybersecurity teams can stand by their answers and provide proof that they have their fingers on the cybersecurity pulse.
Earlier, I wrote an article for SecurityRoundtable.org focused on Cyber Risk: What Questions to Ask—and How to Ask Them. That article provides a basic framework for what board members and executives should ask to determine whether their organizations are following cybersecurity best practices and adapting regularly to a changing threat landscape.
I believe it is now necessary for business leaders to probe deeper. Just about every organization is fully embracing digital transformation. The research firm IDC predicts a “digitized economy” by 2022, whereby more than 60% of global GDP will be digitized and “growth in every industry will be driven by digitally enhanced offerings.”
In order to operate successfully, business leaders are under pressure to explain what the future digitized state of their organizations will look like and how their business models will evolve over the next few years.
It is important to do this type of strategic digital planning now so the organization can begin putting the right pieces in place. This planning typically involves decisions such as building and moving certain applications to the cloud; modernizing on-premises IT so it is more cloud-like; upgrading supply chains to be more automated and autonomous; and adapting the corporate culture to be more digitally native and responsive.
Digital transformation initiatives must also focus on cybersecurity—immediately and strategically.
If the foundation of the business is built on digital technologies; if the customer experience is shaped by digital interaction; if employee productivity is a result of ubiquitous access to applications and data; then cybersecurity must be built into every aspect of the business.
It starts in the boardroom and executive suite. Business leaders should be striving to articulate the future state of the business so they can understand what the organization is actually trying to achieve. In other words: What is the measure of business success? How are business models changing? What is unique about the business that will set it apart from the competition?
Only when you look at digital transformation from that perspective—and communicate your strategic goals to your cybersecurity leaders—can you determine how much cybersecurity risk the organization is willing to take.
And how do you ensure that you are aligning cybersecurity with your digital transformation business goals?
Every company is becoming a data company. Because your data is no longer in one central location, you need security everywhere, automatically, to ensure there is visibility into the data and no third party is causing harm to the organization.
Here are some of the key questions you need to ask:
- How is the organization managing data, protecting it, controlling it, utilizing it for strategic advantage?
- Where is the data, where are the data islands, where are the different clouds?
- Can the organization gain visibility to the data wherever it is located to ensure governance, confidentiality, privacy and protection?
Another important consideration in mitigating risk is cybersecurity insurance. With digital transformation, more companies are investing in cyber insurance. But just having insurance is no guarantee that the organization is adequately transferring risk.
For example, there are reports that some companies impacted by the NotPetya ransomware attack of 2017 have been unable to collect their claims because the insurance carriers are saying that the attack was an act of war and thus excluded from their policies.
So it is necessary for business leaders to probe more deeply into cybersecurity insurance. For example:
- Do we have insurance?
- How are we transferring risk?
- Have we read the fine print?
- Do we have an act of war exclusion, i.e., can that happen to us?
It’s important for business leaders to understand the fundamentals of cybersecurity. But you also need to probe deeper and ensure that cybersecurity is tightly aligned with the overall strategy of the business.
How is your organization going to compete, evolve and innovate in a digitized economy? In making those judgments and assessments, cybersecurity leaders must be part of the planning and strategizing.
Sean Duca is Vice President, Regional Chief Security Officer, Asia Pacific and Japan, for Palo Alto Networks.