by Greg Day*
Planning for months ahead can seem like an eternity in the current climate. But as the world continues to leverage digital innovation ever faster, company boards must ask themselves the tough questions to make the right risk-reward decisions for the future of their businesses.
Asking the right questions shows a grasp of the subject. Yet listening to and comprehending the answers isn’t always so easy. Cyber security is full of acronyms, so it can seem like a foreign language. This makes it tougher to get useful answers. It may explain why so many boards look to their own staff for the appropriate way to manage cyber risks.
Beyond the terminology, there are other factors that shape the way security and business leaders approach cyber security and nuances that affect the quality of security that is eventually provided.
Mismatch of goals
Boards think strategically about how to maximize profit and minimize losses, which typically requires taking calculated risks. Cyber security officers (CSOs), on the other hand, focus on how to maximize risk management and mitigate risk. To put it simply, boards think in dollars, cents, and shades of grey, while CSOs take a binary approach to risk, which leads them to think in absolutes. They focus on questions like how to keep the business safe and how to respond quickly to security incidents. So, while boards are thinking about cost, CSOs are thinking about action. My suggestion is to always challenge your CSO and security team to come back with 2-3 solutions to each security risk, with different costs and criteria of success.
Different timelines
Cyber security management is constantly evolving thanks to changes in technology, changing processes and changing cyber threats and risks. As such, CSOs do not make long-term plans and like to frequently update their boards. By contrast, business leaders tend to plan in much longer cycles. It can be frustrating for board members who want CSOs and their teams to adopt steady and predictable planning cycles. But business leaders must recognize that the cloud and cyber threats are dynamic and that solutions will vary day-to-day and month-on-month.
Defining key terms
Many of the technical terms used by CSOs and their teams are static, and yet what they describe continues to change. One example is ‘ransomware’: a term that many non-specialists have heard of, but the way it functions and the damage it can cause continue to evolve. The ransomware of two years ago is very different from the advanced ransomware we have today, and it will evolve further in the years to come. Both CSOs and business leaders must work towards a shared understanding of key technical terms.
Understanding the risks of the cloud
Many businesses believe that the best way to operate is to make everything digital so that they can ensure both speed and efficiency of business processes. Analysts continue to flag digitization as the door to new markets and cost reductions, which is sweet music to business leaders’ ears. On the other hand, CSOs and their teams approach the cloud from a security perspective. For example, many businesses have shifted customer records to the cloud to reap operational gains and increase profits by leveraging client data in new and innovative ways.
From a security perspective, the focus would be on managing the risks that come with uploading customer data to the cloud. And there would be cost implications around new security controls, processes, and training to protect that data from attack. This protection would extend beyond the company itself to third-party infrastructure, which can be a challenge for in-house CSOs and their teams to roll out.
All things considered, cloud security should be a priority for all concerned. Here are some key areas that CSOs, boards, and third-party providers must consider as they manage the risks that come with the cloud.
- The dynamics of every business process, and how frequently those processes should be reassessed for opportunities and risks
- The third-party dependencies of cloud processes and what they mean to the business from a risk and delivery perspective
- The metrics used to measure the successful delivery of cloud functions and the risks around them. Every team member needs to know what those metrics are and to understand exactly what they mean
- The ‘how’ is as important as the ‘what’. Business leaders must challenge their teams to understand cloud processes and to appreciate the inherent opportunities and risks that could arise at various stages of the chain
Takeaways
Knowing the right questions to ask is key, but only if you can understand the answers. Digital innovation continues to evolve at pace, which can make it hard for business leaders to fully appreciate the risks and opportunities that come with it. Therefore, everyone on the team needs to understand how to measure the efficacy of digitalization against the risks. Every company will have its own metrics, based on its own questions and demands, and on the provision of the right answers and solutions.
*Vice-President and Chief Security Officer, EMEA, Palo Alto Networks
**first published in: www.weforum.org