How a strategic cybersecurity posture can help maximise business performance


The rapid digitisation of organisations across many industries has led to an increase in corporate cyberattacks, which cost Australian businesses over $140 million in 2019 and an estimated $36 million by March this year, according to the Australian Competition and Consumer Commission. The true impact of these attacks on businesses is yet to be seen.

The costs can include employee downtime, direct costs of remediating the breach, and far-reaching reputational impacts that damage customer and investor confidence. CISOs and CSOs must take a strategic approach to cybersecurity to protect the organisation as a whole, and not just individual assets, according to Fortinet.

Corne Mare, director, security solutions, Fortinet, said, “Taking a more strategic approach to cybersecurity means spending more time educating company boards and other executives on the impact that cyber risk has on their companies. Cybersecurity is a business problem, not merely a technology problem. The threat affects the entire business’s ability to operate and mitigating the risk should form part of the company’s overall strategy.”

Cybersecurity needs to work on three different levels to be truly successful in mitigating business risk:

  1. Protecting company assets: cybersecurity on a tactical level protects and defends the network and the company from cyberattacks and threats. Protecting company assets means putting solutions in place to prevent unauthorised access.
  2. Protecting business operations: by protecting the company’s assets and preventing unauthorised access to, or interference with, digital systems, the organisation preserves the value of the work it does. Avoiding costly downtime and the reputational damage that a successful cyberattack can cause should be a key goal for any cybersecurity strategy.
  3. Contributing to wider business objectives: each business function contributes to the organisation’s overall goals. CISOs and CSOs should understand how these functions contribute to business operations so they can determine which assets and processes must be protected at all costs, versus those that present less risk or milder ramifications if compromised. This lets CISOs and CSOs maximise the resources they have available to protect the business.

Corne Mare said, “A good cybersecurity strategy will protect the employees, clients, financial status, reputation, and the future of a business as well as its digital assets. Therefore, CISOs and CSOs must develop a cybersecurity strategy to protect the business as a whole and not only the network itself.

“It’s easy to understand that poor cybersecurity can lead to data breaches and downtime, both of which can be expensive. But it can also have a negative impact on the image and reputation of the company, which can affect customer confidence and even lower the share price. The financial impacts of this can be far more significant than the direct, initial costs of dealing with a cyberattack.”

C-level executives must understand that, by investing in cybersecurity, they’re investing strategically in their business and helping to reduce corporate risk. CISOs and CSOs need to demonstrate to the board, in numbers, how cybersecurity is as important to the organisation as business insurance.

Corne Mare said, “Cybersecurity professionals need to be able to explain the financial cost of not investing in good cybersecurity measures, and executives need to consider if they can afford the potential losses in the event of a cyberattack. To do this, relevant performance metrics and KPIs that evaluate and demonstrate the wider business value of this strategy are essential.”

CISOs and CSOs must work collaboratively to identify how security investments integrate with wider business objectives to demonstrate the business value of a good cybersecurity strategy.

Reframing cybersecurity approaches and looking at strategy through a business lens can let executives see that investing in cybersecurity strengthens their investment in the future of the company.