Malware. Phishing scams. Encryption. Patches. Firewalls… Over the last few decades, big business has gotten very familiar with the lexicon, and the reality, of cyber security. In most of these organizations, cyber security is thought of as something that lives solely in the IT department. The typical approach to cyber security is very ‘bottom-up’, meaning companies are looking at the specific risks that are posed to devices, networks, apps or data and then trying to plug those holes.
But what if there’s a better, more efficient and cost-effective way to think about cyber security?
I can tell you firsthand, based on our work with leading companies around the world, these organizations are much better served when they approach cyber security as a business issue instead of a technology issue. Allow me to elaborate with an example…
In the consumer electronics business, intellectual property is arguably a company’s most important asset.
If your competitors figure out how to steal the details around your upcoming product, you stand to lose a lot of money and market share. We were asked by the board of a prominent manufacturer to review the security of their operation in the lead-up to a big launch. Instead of starting by looking at how they were using technology, however, we set out to examine how various elements of the business operation could lead to the loss of their IP. It didn’t take us long to find a gaping vulnerability.
Like most companies in this space, this company has a series of global manufacturing partners. We discovered that many of these partners, however, had not been properly reviewed through the lens of cyber security. One of the reasons these partners hadn’t been vetted properly stemmed from a difference of opinion between the head of manufacturing and the CIO. This stalemate meant that these suppliers had never been thoroughly reviewed from a cyber security perspective.
We undertook a review of one of these suppliers. And literally within 30 seconds of being in the facility, we identified a very, very simple vulnerability that gave us full control of every device in their manufacturing facility. The vulnerability we found wasn’t particularly sophisticated. It was a cyber hygiene issue. And any hacker who wanted to do the company harm would have had a field day.
We shared these findings with the COO. But we didn’t present it as a technology vulnerability. Instead, we chose to present it as a business issue.
We told him they had a huge potential risk regarding customer confidence in one of their flagship devices. We talked about the difference of opinion between two leaders that led to a blind spot in their quality control process. And we explained that if that weakness had been exploited, a bad actor could have modified or deleted their IP. They would have had a class action lawsuit (and a sizable reputational crisis) on their hands. In addition, they would have had zero defensibility in court.
We could have talked about the technological vulnerability and how we found it. For the inner geek in all of us, that would have actually been kind of cool. Instead, however, we zeroed in on the business implication of that risk. We made it exceedingly real to the executives in the room. The result of that discussion was a very shocked expression on the COO’s face. The COO stood up and asked the head of manufacturing and the CIO if this was true. They said yes. I can tell you that the vulnerability was resolved very shortly afterward.
Behind all of this is the concept of capital efficiency when it comes to cyber security. Many organizations spend time trying to do the math of how much future ROI they can get by spending $1 on cyber security today.
The problem is that these numbers are guesses. And far too many companies are spending their capital inefficiently, treating cyber security as an IT issue and going around trying to plug holes. Instead, let’s start thinking of cyber security as an element and expense of the larger business. And when we think about the health of cyber programs, let’s think about the entire business and not just technology. In companies where we’ve seen leaders do this, the risks are better articulated and the use of capital is much more efficient.