Keeping Business and Cybersecurity objectives aligned
The Challenge
An increasing threat faced by many businesses is that of a cybersecurity breach. Many organisations combat this by ensuring they have cybersecurity-skilled IT staff or, even better, dedicated cybersecurity teams along with an allocated budget to manage cybersecurity threats. Whilst this is unquestionably a very positive thing, it confronts companies with a different challenge: separate and often inconsistent approaches to risk management. On the one hand, cybersecurity professionals are very focused on cybersecurity risk, ensuring compliance requirements are met to the letter and applying adequate governance to maintain the requisite posture. On the other hand, corporations are focused on implementing strategy, achieving business goals and managing the risks around successful implementation. All too often these risk objectives clash, frequently at the operational team level, leading to frustration, inefficiencies and potentially poor risk or investment decisions.
Example of a Clash
An example can be as simple as the treatment of USB devices on organisational laptops and PCs. Consider the two requirements below:
- Compliance Requirement (internal or external): USB ports must be locked down (data loss prevention (DLP) and removal of a malware infection vector).
- Business Requirement: a legacy application relies on information read from a USB device (for example an authentication token or an encryption key).
Clash: the cost of replacing or re-engineering the legacy application versus the cost of non-compliance, or of the compensating controls (such as an allow-list for that specific device plus monitoring of the exception) needed to justify an exception.
The Solution
In an ideal world, the clash is avoided by integrating cybersecurity considerations into business strategy planning, so that they flow down to all levels of the organisation and into enterprise risk management. For the many organisations not already doing this, an alternative is to integrate business and cybersecurity risk management. The best way to do this is to translate cybersecurity risks into business-focused risks so they can be compared, on the same terms, against other business risks.
Taking this approach ensures cybersecurity risk impacts are described in business terms rather than in security or technical terms, or merely as compliance failures. For example, a compromise of credit card data could result in monetary fines, increased merchant fees (and in extreme cases loss of the ability to take credit card payments at all), not to mention reputational damage (loss of consumer confidence, loss of existing and future business). Expressed that way, the expected loss can be weighed directly against the cost of the control that would prevent it.
This may mean a little more work upfront and a broader set of risk skills within the cybersecurity team, but the benefits are improved business outcomes and far fewer clashes between business-focused teams and their cybersecurity colleagues.
Please reach out to see how Osmodal can help you address cybersecurity and risk management in your organisation. Osmodal is a professional services organisation with specialist experience in transportation, automated fare collection and contactless payments system implementation.