How cyber is shaping the future.
Much more than simply digitising existing processes, innovative business models are enveloping supply chains and creating novel realms of customer experience. This transformation also exposes enterprises to new forms of cyber risk, requiring new cyber strategies to protect evolving business models. To manage these risks, C-suite and Board members need to embrace the change, create effective governance across lines of business and evolve risk management processes to achieve end-to-end visibility of all newly connected areas of business, including those run by third parties. Success depends upon the commitment of senior management, their ability to understand cyber risk, and the effective investment in security that follows from that understanding.
When asked to rank their digital transformation initiatives for the next 12 months, survey respondents rated data analytics number one (16%), followed by cloud (15%) and new or upgraded ERP programmes (15%) as their top priorities. This year's survey added an OT/ICS response option, and 14% of respondents designated it a top priority, which reflects the efforts we are seeing across industry to digitise and modernise factories and operating technology environments.
The speed and scale of change are truly revolutionary. When the world rushed online at the advent of Covid-19, this became immediately apparent. Entire business sectors were transformed almost instantly as huge sections of the workforce suddenly began operating remotely. Fortunately, much of the required digital ecosystem—from cloud and shadow IT to industrial control systems—was already in place and ready to scale up rapidly. Less obvious are the myriad cyber risks underlying this transformation, and few businesses currently possess the means to understand and mitigate them to an acceptable level.
Because today's cyber threats impact entire businesses, potentially crippling operations and rapidly destroying hard-won reputations, it is vital that boards assess cyber risk in terms they can understand. They need to be able to compare cyber threats to risks they are experienced at handling. Analysing cyber risk profiles should be as familiar as grasping the health of their balance sheet. Once they can comprehend the nature and scale of the cyber risks they are exposed to, they will know where to invest to best mitigate dangers. According to our survey, 41% of respondents indicated cyber maturity assessments are used to guide cyber investment decisions, 35% said they employ risk quantification tools and 23% said they rely on the experience of the company's cyber leadership. When asked how often they conduct risk analyses or threat modelling for new and/or existing applications, 37% of CIOs and CISOs indicated they do so quarterly and 29% do so monthly. While the responsibility for these assessments typically falls to CIOs and CISOs, it is critical that the broader set of stakeholders understand the relevance and importance of such efforts.
The pressure to compete at scale very often means business leaders' digital transformation efforts focus on outcomes without fully contemplating cyber risks. Beating the competition to market creates tunnel vision with significant blind spots. With cyber permeating everywhere from customer touchpoints to intelligent factories and the remote devices of employees, the days of a siloed IT department managing antivirus software and passwords are over. It is no longer enough to just keep the network running; broader and deeper thinking is required. Today's CISO needs the authority to influence all the lines of business, gather information from across the enterprise and communicate directly with the board and senior management. The CISO also needs the investment of resources and talent to adequately safeguard the organisation's most strategic priorities and assets. This is often a hard sell to the CFO, because what you hope to show from a large cyber investment is usually nothing: zero cyber incidents is money well spent. So how are CISOs planning their cyber budgets? In 2019, CISOs and CIOs told us that their cyber budget was evenly spread across various cyber programmes. In 2021, this hasn't changed—CISO and CIO respondents again reported budgets are similarly divided. C-suite leaders should understand that managing cyber risk is not a one-and-done solution. Accordingly, cyber budgets are increasing, with greater attention given to threat intelligence, detection and monitoring, cyber transformation and data security. Across the globe, CISOs and CIOs are consistently investing in scaled cyber solutions in and for the cloud; cyber and technical resilience; and artificial intelligence (AI)-driven threat assessment and identification, to build their organisations' cyber defence.
It’s not realistic to expect board members or the C-suite to become cybersecurity experts. But it’s up to the board to build a cyber team that gives them the visibility they need and to provide pertinent information in terms they can understand. The key hiring decision needs to occur at the board or senior management level.
The main objective for C-suite and Board members must be gaining a full understanding of the actual risk that digital transformation is exposing their companies to, as well as having the levers to manage that risk on a level playing field with all other types of risk.
Matthew Holt, Global Cyber Strategy & Transformation Leader, Deloitte Cyber