Thinkstock
cybersecurity

Rethinking Cybersecurity as a Business Priority

Feb. 2, 2019
Few companies take steps toward a business-led approach to digital risk.

A PwC study last year revealed that about 62% of global CEOs worry cyber threats will affect their company’s growth prospects. As a result, it is not surprising that potential cybersecurity risks “will pressure CIOs at [Forbes Global 2000] companies to increase IoT security spending by up to 25%, temporarily neutralizing business productivity gains.”

For industrial organizations undergoing digital transformation, security risk goes well beyond a sole connected object or database. The whole extended digital enterprise becomes implicated, including the supply chain and partner ecosystem. Indeed, cybersecurity is a critical business issue now, but many CIOs are still not treating it as such. According to Gartner, as few as 30% of organizations take cross-organization steps to drive a business-led approach to digital risk. It’s time to rethink cybersecurity as a strategic business priority and not just an IT decision.

Cybersecurity is a continuous, always-on, proactive activity—not a task or a single point in a process. As such, it calls for a holistic strategy including people, processes, and technologies that integrate security at every level, instead of downstream, which is often too late. The NIST framework is an incredibly useful reference for building an end-to-end digital risk strategy, as it defines multiple layers of defense, from the identification of risks to ecosystem-wide, fast recovery from incidents. Regarding security only as a matter of building a defense only creates barriers and slows progress. But if you think of cybersecurity as spanning all facets of your organization, you can take a proactive approach and drive digital innovation as an intrinsic part of your security framework.

Let’s take a closer look at the three main factors influencing a holistic digital risk strategy and how they impact the identification and mitigation of risks:

People – All employees, from new recruits to the C-suite, need to realize how a cyberattack can erode trust in the organization, and just how damaging and far-reaching the consequences may be. Intertwining security practices with business operations and ongoing training to improve an organization’s security posture is not a function relegated to the IT department. Instead, companies must cultivate a cyber-resilient culture company-wide. In addition, more attention needs to be paid to the identification of potential insider threats. 

Process – What happens when a security breach or attack does occur? While occasional incidents are bound to happen in digital environments, sticking to a thorough procedure for recovery is critical. Learn as much as possible about the incident and share debriefing information across your extended enterprise and digital ecosystem, including partners, customers, and authorities. Doing so allows you to correct processes, plans and risk scenario modeling. It is during the recovery phase of the NIST framework that your security posture improves, making you faster to beat the next event while engendering stakeholder trust.

Don’t forget about your organization’s partners, either; they can be your first line of defense. Require them to pass certifications while supporting a secure product development lifecycle approach – from product design, to integration of customer systems, and through to value-added services that monitor potential threats and neutralize incidents if they occur. 

Technology – R&D ecosystems, global supply chain, and solution deployment channels all play an important role in bolstering the overall cybersecurity posture. Solutions must be based on secure designs, and they must adjust quickly to correct identified vulnerabilities. This requires attention both at a product level and at a system level, as a perfectly secure product can become a threat if exposed through a flawed system design. Think of it this way: If you find a crack in a building, you would have to go back to the foundation, and perhaps the design, to fix it. Likewise, if you don’t consider product security in the beginning, you’d have to go back to the architecture itself — to the R&D white board and supply chain — to address the issue and course-correct. Imagine the challenges – and the cost.

Prioritizing high-value asset protection is key. At Schneider Electric, we conduct ongoing reality checks against metrics and targets and evolve them against the threat landscape to fortify our ongoing cyber posture. McKinsey notes that companies can realize 20% cybersecurity ROI savings by prioritizing crucial assets alone.

In a digital world, no company can become a castle. Every organization is exposed to the threat of cyberattacks in the age of the rapid convergence of IT/OT. And at this convergence, the technology aspect of cybersecurity only partially addresses the issue of ongoing cyber threats. Organization-wide changes, processes, and employee training must inform and bolster any company’s cybersecurity stance. Cybersecurity strategy must be an ongoing business conversation for every company engaged in digital transformation, and the chief security officer must have a regular seat the table. Digital innovation depends on it.

Cyril Perducat is executive vice president, IOT and Digital Offers, at Schneider Electric.

About the Author

Cyril Perducat | Executive Vice President, IoT and Digital Transformation

Cyril is a native of France with a background in engineering and international project management. Cyril joined Schneider Electric in 1994. Since then, he has held a number of roles – both in France and in China – across a broad area of the business, including marketing, manufacturing, supply chain, business development and acquisitions and alliances. Cyril is also the current president of ODVA Inc., the international organization that supports the development of open network technologies based on the Common Industrial Protocol.

Sponsored Recommendations

Voice your opinion!

To join the conversation, and become an exclusive member of IndustryWeek, create an account today!