The word “cyber” has always carried an illicit ambiguity. It evokes a dark and secretive world populated by precocious teens in hoodies, organised crime gangs and malevolent nation state actors. By contrast, business or “operational” risk brings to mind sensible people wearing dark suits and making the world a little less unpredictable and exciting for us all. To reduce cyber threats to operational risks may feel like pulling back the curtain on real life science fiction, but it allows us to address a concern that has been growing for business owners and corporate boards.
Security threats have become more sophisticated and cyber defences have adapted to match this. Companies are targeting their investment to counter emerging threats, creating an arms race that has left some larger businesses deploying over 80 security tools on average. Many of these tools operate as black boxes with narrow applications, forcing corporate security teams to switch frequently between products to cobble together a piecemeal view of security.
Move from fear to clarity
This arms race towards greater complexity increases risk in the form of blind spots and human error, leading some companies to push back on the industry norm. Instead security tools should be flexible to allow for evolving threats, interoperable to remove blind spots, and grounded in a risk-based view to facilitate reporting to the board. Security as a technical problem is inherently impossible to solve outright, but as a business problem it can be neatly described in the trusted language of risk.
Addressing cyber risks in the language of business rather than that of internet subculture brings it in line with other business priorities. This framing allows for assessment of return on investment and operational progress, while ensuring that the security team are given the recognition they deserve in the context of the company as a whole. It is a more nuanced and evolving risk than others, but a risk none the less.
The value of a new perspective
While cyber threats continue to grow and advanced hacking tools are commoditised and made broadly available, changes in the security risk profile should be accounted for and addressed in the context of the business as a whole. Changing the context of assessment can replace reactive spending with proactive investment; as with investment in financial markets, short-term cyber developments can appear overwhelming, while adopting a long-term outlook encourages sensible, strategic decisions.
Resolving cyber security issues is complex and intellectually challenging; but that does not have to be the case for the people it affects at every level of the business. The recent surge of interest in cybersecurity at board level represents welcome progress. To make the most of this companies should provide a comprehensive view of their security posture as an operational risk. This allows board members to quantify and assess it, before adding value through their decisions based on language and processes that are familiar to them and more particular to the business.
Simpler is safer when it comes to protecting your business. Simplify strategy by expressing threats as operational risks, simplify tools by ensuring they are flexible and easy to adapt, and simplify language by ditching cyber and talking about security. Just remember that simple is very different to easy.