Balancing risk and innovation
There’s no question that digital is the way forward. It offers tremendous benefits to your business: faster speed to market, more business intelligence, improved customer relationships, productivity and efficiency – the list goes on. But as the pace of digital transformation quickens, it’s forcing a shift in how we think of and practice cybersecurity. It raises the question: how can cybersecurity enable innovation and move at the speed the business requires, while managing risk?
The fact of the matter is, it’s not if but when a cybersecurity attack will happen. We all know what a successful cyberattack can do to your business: the damage to brand reputation, trust and profitability can take years to recover from. So, how do you lower the risk of a successful attack on your business, while supporting the business to innovate through the use and adoption of technology?
Your digital footprint is growing, whether you know about it or not
It’s not easy to be innovative when you’re already dealing with so much risk. Your digital footprint is already growing, whether you know about it or not. With a global security skills shortage and limited budget on top of that, cybersecurity resources are being stretched and asked to compete against an increasingly sophisticated and stealthy cyber-adversary.
Moreover, a digital footprint is more than the infrastructure you sanction for deployment (e.g. network, data centre). It’s the data that is shared between customers, suppliers and partners; it’s the BYOD policy implemented; it’s the official and fake social media accounts, websites and applications that represent your employees and your business; and, key to this discussion, it’s the decentralised technologies that business units deploy without checking with IT or security teams first.
Part of the challenge of being a security team that supports innovation is being involved in the first place. Security professionals find themselves in this predicament for a number of reasons but, fortunately, there are ways to fix this.
The changing role of cybersecurity
1. Building cybersecurity into your corporate and digital transformation strategies
The Digital Means Business Benchmarking Report showed that business leaders agree digital transformation is a key criterion for future business success. It’s surprising, then, knowing all that we know about the potential damage of a successful attack, that cybersecurity does not have a bigger presence in strategy. After all, it underpins one’s ability to realise the benefits and capitalise on the opportunities that transformation can bring.
In this regard, cybersecurity needs to be repositioned as the enabler of secure digital transformation and innovation, and an integral part of where your business is headed. This is more than simply stating ‘we’ll do A, B or C securely’. It sets the expectation for the rest of the business that you aim to be secure by design at the strategic level, as the benefits of doing so are tangible and integral to your success. Moreover, it sends a message to the market that you’re investing in building a relationship based on trust with them.
2. Building a comprehensive risk-profile for the business
At a high-level, this requires your team to consider:
- What are our direction, goals and objectives as a business? Are we steady-state, in which case fewer innovations are perhaps needed, or are we truly trying to transform the way we do things, in which case there will be many changes across the business?
- What are our legal obligations? In other words, where can we make no exceptions and take zero cybersecurity risks – i.e. data and privacy regulations, ensuring we meet our compliance requirements.
- Where are we not willing to take risks? i.e. protecting our intellectual property.
- What types of risks are we willing to accept? i.e. bring-your-own-device or application, because the productivity and usability outweigh the potential known risks to our business.
Another area where you can lead change is in the development of a clear risk profile, which will help you to better understand which types of innovative activities you will prioritise and execute as a business. It will also serve to set the expectations on how to balance innovation and risk across the business.
Being willing to take risks does not mean you don’t provide a level of security. In fact, it often informs a nuanced requirement for security. Where traditionally security might have said no to a BYOA strategy on the basis of security risks, there’s now room for further conversation: to what degree do we secure this? Or, how do we protect ourselves from the risk that it introduces? This provides a starting point for additional cybersecurity investments for the business, where risk is being introduced.
Changing perceptions about security at a programme and business unit level
The next area has to do with how IT and security teams are perceived by those who deliver or implement the transformation initiatives.
Often, IT and security teams are viewed as the “no” people, and are seen to operate in a silo and not execute at the pace a business requires. This can result in them being excluded from the business’s initial decision-making about which technology to use, as well as from the innovation ideation process.
For example, a manufacturing team might have had a great idea for an application that will improve operational efficiency by 15%. But they need to move quickly to launch this service to maximise their window of competitive advantage and, as a result, take the approach of building the application first and securing it later. Not only does this approach add cybersecurity risk to the business, it is also likely to be costlier in terms of redevelopment, or of repairing the damage of a successful attack on, or exploitation of, the app’s vulnerabilities. It’s hard to protect the business from vulnerabilities you didn’t know you had.
However, a new field is emerging: SecDevOps (also known as DevSecOps and DevOpsSec), the process of building cybersecurity into new tools, processes and applications. It represents the benefits of being secure by design at the operational level of innovation.
Innovating within cybersecurity itself
Fortunately, there are also innovations happening within the cybersecurity industry that make a dynamic cybersecurity posture possible.
Cloud-based security, for instance, holds much the same benefits and appeal as other cloud-based services: flexibility, scalability, agility and cost, to name a few. As your footprint grows and shrinks, cloud-based security technologies can respond accordingly.
Additionally, there’s an increasing need for predictive threat intelligence. You can get cybersecurity right 99% of the time, but cybercriminals only need to exploit the 1% to do damage. Predictive threat intelligence offers you visibility into what cyberadversaries are planning to do next, in the context of your country, industry and unique digital footprint. With this layer of intelligence, you can take proactive measures to keep your business secure. Investing in predictive intelligence is one way to consolidate your cybersecurity investments and demonstrate a clear ROI.
We know securing a digital business isn’t easy. It doesn’t pause for you to get up to speed, and it takes time to address the culture changes within the organisation. But it’s clear that innovation, risk and cybersecurity are not opposing concepts – they need to work together, and as your footprint expands and adversaries continue to plan attacks, you really can’t afford not to.