The Need for Business-Driven Security
The Digital Revolution and the Emergence of New Risks
Business processes have been digitalized at an accelerating pace over the past decade. While business executives have leveraged this digitalization to achieve phenomenal efficiencies and growth, it has also brought a new range of technology risks that need to be understood and managed.
- The impact of cyber threats is no longer limited to IT. The potential and actual damage to the business has grown to the point where it affects the bottom line and has become a major concern for most business executives and corporate boards.
- There has been little financial accountability for cybersecurity. Most often, cybersecurity has been treated as a purely technical concern, and simple business questions such as "Are we doing enough?" or "Are we spending too much or too little?" get unsatisfactory answers or none at all.
- There is no such thing as perfect security. The goal is to balance digital opportunities against the associated risk and to achieve a sustainable risk posture.
The Digital Revolution Has Changed How Risk and Security Deliver Value to the Business
The overall governance of cyber risk is undergoing a deep transformation. Boards and executives can no longer delegate risk decisions to IT; they must own cyber risk.
- Cyber risk = business risk: as part of their fiduciary responsibility towards shareholders and customers, boards and business executives are expected to incorporate the management of cyber risk into their business strategy.
- The changing role of the risk profession: risk and security professionals are no longer the defenders of the organization, nor the arbiters of what is good and what is bad. They must become the facilitators of a balance between protecting the organization and running the business.
- Talking the language of business: risk and security professionals must learn about, and communicate, the impact that cyber risk has on business outcomes in a language the business understands, e.g. dollars and cents.
- The organizational impact: interestingly, an increasing number of CIROs and CISOs no longer report within IT and are transitioning to the business risk side of the organization.