Cyber security is not only good ethics, but quite simply good business.
Cyber security has clearly made its way to the frontstage of the global risk landscape in recent years. Cyber-attacks are proving increasingly threatening to both the public sector and to the private sector which finds itself facing an ever-growing risk of data breaches resulting in losses of ever-growing magnitudes, both in financial and reputational terms.
Companies, however, seem to be consistently lagging behind when it comes to protecting themselves against these risks – favouring all-too-often a complacent or reactive approach to cyber security where a proactive, holistic one is badly needed.
For organisations where lip-service and knee-jerk reactions are still prevailing today, the true adoption of cyber security good-practices is not going to happen overnight, and it could take several more years – if not decades – of InfoSec scandals and severe data breaches before this issue finally tops organisations’ agendas in real terms.
In that sense, the parallel with the sustainability movement, and more largely with the growing trend of Corporate Social Responsibility (CSR) over the last two decades is becoming more and more pertinent.
Cyber security has become essential to protect the hyper-connectivity that the digital transformation will require to be successful, and the colossal amounts of data it will generate. Beyond the trillions of dollars of economic value that could be created, it is the transformation of society that is at stake, in a manner that many have been comparing with a 4th Industrial Revolution. Meanwhile, at the junction of the various technology layers involved (IoT, BIgData, Cloud, Artificial Intelligence, Robotics), it is also the personal data and the right to privacy of consumers and citizens that has become vulnerable. And they have started to react to ruthless data monetisation, as the widespread use of ad-blockers is illustrating.
Taking cyber security seriously today and driving adherence to security and privacy good-practices is key to engineering the trust of consumers and citizens, which in turn will be the cornerstone of a truly successful digital transformation that can deliver fundamental economic and social benefits in fields as diverse as healthcare, transportation or public services. Failure to do that would simply prevent progress and kill value.
It is in that sense that cybersecurity has actually become a matter of CSR for most firms— and as such it is presenting them with similar challenges and opportunities.
The challenges are evident: Changing mentalities takes a lot of time and efforts, especially in very large organisations paralyzed by internal politics, poor governance and short-term thinking. The advantages of a proactive and consistent cyber security practice are indeed hard to perceive when only looking at short-term profit maximization, just like funding sustainability programs was once seen as a waste of resources and energy that could instead be dedicated to maximizing the bottom line. This is a deep matter of management culture and corporate ethics that might take a generation to emerge and needs to be embedded today in the way management is taught from business school onwards.
The opportunities and advantages that long-term, sustainable cyber security programs can yield are however tremendous. Companies making the move early on can indeed foster a great competitive advantage by building up and preserving consumers’ trust – increasingly valued by customers and, as such, a highly precious asset for any company wishing to make the most of the digital transformation. Top that with the increasingly high costs of recovering from a cyberattack, and the argument for the long term, viable benefits that sustainable InfoSec programs have the potential to unleash is simply a no-brainer. Just like sustainability and other CSR programs have often helped companies save money, including in the short run, good cyber security is not only good ethics, but quite simply good business.
InfoSec reforms and initiatives can follow the example of how organisation have managed to successfully incorporate other areas of CSR such as sustainability into their business models. Integrated reporting, for example, could include measures of cyber-resilience just like it now includes measures of socio-environmental impact, and as such become an area of focus for companies. The creation of public cybersecurity certification schemes or rankings would also incentivize companies to move InfoSec up their agendas by better signalling firms actively concerned with this issue. To an extent, this is partly what the UK Government initiated with its “Cyber Essentials” scheme, but those initiatives will always remain worthless if they do not go beyond self-certification. In that sense, the role of policymakers both at the national and international levels could be key, as their capacity for shifting and steering market forces remains one of the most potent drivers of change.
Just like for sustainability before it, the incorporation of InfoSec into coherent CSR programs will not happen in one day and may rightfully seem like a daunting task for most organisations whose top executives all-too-often lack even a basic understanding of what cyber security entails. The potential rewards are so huge, however, that those companies who take up that task early on will likely prevail over the mid to long-term, while those who missed the InfoSec train could find themselves struggling.
We should all remember that as we look towards the cybersecurity challenges of the year ahead.
JC Gaillard
Managing Director
Corix Partners
Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.
Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.
This article was written in collaboration with Vincent Viers.