A PwC study last year revealed that about 62% of global CEOs worry cyber threats will affect their company’s growth prospects. As a result, it is not surprising that potential cybersecurity risks “will pressure CIOs at [Forbes Global 2000] companies to increase IoT security spending by up to 25%, temporarily neutralizing business productivity gains.”
For industrial organizations undergoing digital transformation, security risk goes well beyond a sole connected object or database. The whole extended digital enterprise becomes implicated, including the supply chain and partner ecosystem. Indeed, cybersecurity is a critical business issue now, but many CIOs are still not treating it as such. According to Gartner, as few as 30% of organizations take cross-organization steps to drive a business-led approach to digital risk. It’s time to rethink cybersecurity as a strategic business priority and not just an IT decision.
Cybersecurity is a continuous, always-on, proactive activity—not a task or a single point in a process. As such, it calls for a holistic strategy including people, processes, and technologies that integrate security at every level, instead of downstream, which is often too late. The NIST framework is an incredibly useful reference for building an end-to-end digital risk strategy, as it defines multiple layers of defense, from the identification of risks to ecosystem-wide, fast recovery from incidents. Regarding security solely as a matter of building a defense only creates barriers and slows progress. But if you think of cybersecurity as spanning all facets of your organization, you can take a proactive approach and drive digital innovation as an intrinsic part of your security framework.
Let’s take a closer look at the three main factors influencing a holistic digital risk strategy and how they impact the identification and mitigation of risks:
People – All employees, from new recruits to the C-suite, need to realize how a cyberattack can erode trust in the organization, and just how damaging and far-reaching the consequences may be. Intertwining security practices with business operations and ongoing training to improve an organization’s security posture is not a function relegated to the IT department. Instead, companies must cultivate a cyber-resilient culture company-wide. In addition, more attention needs to be paid to the identification of potential insider threats.
Process – What happens when a security breach or attack does occur? While occasional incidents are bound to happen in digital environments, sticking to a thorough procedure for recovery is critical. Learn as much as possible about the incident and share debriefing information across your extended enterprise and digital ecosystem, including partners, customers, and authorities. Doing so allows you to correct processes, plans, and risk scenario modeling. It is during the recovery phase of the NIST framework that your security posture improves, making you faster at beating the next event while engendering stakeholder trust.
Don’t forget about your organization’s partners, either; they can be your first line of defense. Require them to pass certifications while supporting a secure product development lifecycle approach – from product design, to integration of customer systems, and through to value-added services that monitor potential threats and neutralize incidents if they occur.
Technology – R&D ecosystems, global supply chain, and solution deployment channels all play an important role in bolstering the overall cybersecurity posture. Solutions must be based on secure designs, and they must adjust quickly to correct identified vulnerabilities. This requires attention both at a product level and at a system level, as a perfectly secure product can become a threat if exposed through a flawed system design. Think of it this way: If you find a crack in a building, you would have to go back to the foundation, and perhaps the design, to fix it. Likewise, if you don’t consider product security in the beginning, you’d have to go back to the architecture itself — to the R&D white board and supply chain — to address the issue and course-correct. Imagine the challenges – and the cost.
Prioritizing high-value asset protection is key. At Schneider Electric, we conduct ongoing reality checks against metrics and targets and evolve them against the threat landscape to fortify our ongoing cyber posture. McKinsey notes that companies can realize 20% cybersecurity ROI savings by prioritizing crucial assets alone.
In a digital world, no company can become a castle. Every organization is exposed to the threat of cyberattacks in the age of the rapid convergence of IT/OT. And at this convergence, the technology aspect of cybersecurity only partially addresses the issue of ongoing cyber threats. Organization-wide changes, processes, and employee training must inform and bolster any company’s cybersecurity stance. Cybersecurity strategy must be an ongoing business conversation for every company engaged in digital transformation, and the chief security officer must have a regular seat at the table. Digital innovation depends on it.
Cyril Perducat is executive vice president, IOT and Digital Offers, at Schneider Electric.