Instances of cybercrime have risen in recent years, such that cybersecurity is ever so gradually becoming a more pressing concern for executives around the world. That said, there is still a strong sense that it hasn’t yet reached a level of maturity that ensures cybersecurity is a consideration in all business decisions our organizations make.
Instead, it’s far more common for executives to view cybersecurity as something the CIO can deal with and they don’t need to worry about. It’s a technical thing, not a business thing.
Of course, that’s not really how the world works, and especially not the increasingly complex world that most businesses operate in today.
So, if cybersecurity is to be truly effective it needs to become a sufficient business priority that it’s a full part of strategic discussions at the board level.
The business world has already been getting more and more complex as a result of the Internet, mobile, cloud computing, the Internet of Things, and artificial intelligence. This complexity has accelerated as digitization has occurred at often breakneck speed. The typical medium to large organization today has a complicated web of ecosystem partners to help them achieve their commercial ambitions, ranging from supply chain partners to those supporting data and marketing.
Covid-19 has spurred a huge uptick in the adoption of various digital solutions.
Much of this adoption has centred on solutions that involve data and networks, many of which are operated by external partners who sit outside the official locus of control of the organization. This is often compounded by a technology stack within many organizations that consists of a complex web of legacy systems, many of which lack the flexibility required by the rapidly changing business landscape of today.
These legacy systems often have a Swiss cheese of holes and exploits that cyber-criminals can look to target, especially as the criminals are often far more adaptable than the lumbering organizations they target. The challenge for larger organizations has become compounded by the strategic desire for them to keep pace with digital native firms who have built more adaptive IT systems from the very start and so don’t have legacy millstones around their necks.
Cyber risk rises as complexity increases
As a result, the cyber risk posed to companies has risen to perilous new heights in recent years, with both the number and severity of attacks growing globally. Indeed, the complexity of IT systems can often result in attacks going undetected for months.
As an exit from the pandemic begins to present itself, it’s understandable that senior leaders will be thinking afresh about the cyber-risks they face and the costs associated with the huge complexity of their digital infrastructure.
One commonly used approach to managing this risk is the Coase Theorem.
It posits that companies should always use external suppliers until the transaction costs exceed the coordination costs of doing the same work in-house.
When this is applied to cyber-risk assessment, we can regard any cyber-risk that is generated via a partnership with an external supplier as an “external” cost, while “transaction” costs revolve around the establishment of different nodes of partnership. The result is a situation in which the cost of failure has gone up, whereas the cost of adding further complexity has fallen.
As leaders attempt to grapple with this complexity, it can be helpful to focus efforts around some core principles. The first of these is to ensure that any strategic initiatives don’t increase the complexity risk faced by the organization. You shouldn’t be making the situation worse. The second principle is that any simplification of the IT infrastructure within the company may require fundamental modifications to the systems so that they’re fit for the future. These challenges can often coalesce around three key areas:
- External partners. Challenges involving external partners are increasing in prevalence as our ecosystems become larger and more complex. The issue is often compounded by the fact that few organizations have staff whose role is to oversee the wider ecosystem, so it's easy for things to grow in an ad-hoc manner and for security considerations to fall by the wayside.
- Business models. It’s common for organizations to respond with shock and gravity to the latest cyberattack, before returning to business as usual shortly afterward without making any substantial changes. Given the severity of the threat posed by cybercrime today, however, what is really needed is a root-and-branch review of the organization’s business models that places security at the core.
- Internal systems. As mentioned earlier, the in-house systems used by organizations are inevitably going to present both complexity and risk, as they will have accumulated over many years with various legacy systems and applications in place. It might not always be the legacy technology itself that poses the risk but the processes that surround it. Suffice it to say, replacing such systems is a significant undertaking, so it’s common for organizations to struggle on in the belief that if things aren’t broken then they don’t need fixing.
Reducing complexity can seem like a Sisyphean task in a world in which complexity is growing on a daily basis, but if cybersecurity is a key concern for organizations, then it’s something that warrants serious consideration.