“The cyber economy is the economy”
Those words were spoken by the US National Security Advisor way back in 2005, and it is remarkable to see how prescient they were. The economy is not only supported by the cyber world, but that world is entirely data driven. Data has become a primary focus, not just for regulatory fodder, but for business survival.
Rethinking cyber risk for business transformation
Organisations that recognize the value of data also recognize the need to protect it. This is something which is highlighted in the latest IBM research paper, “Prosper in the cyber economy – Rethinking cyber risk for business transformation”.
Typically, IBM has highlighted an issue which we have known for a very long time, namely: we need to think differently about cyber security if we are to change the current risks we face.
Before I explore some of the highlights and insights, I think it’s worth saying that the report shouldn’t be read by Information Security, Cyber security or Data Protection practitioners. It should be mandatory reading for every member of the C-Suite. Remembering that every function within a business creates, uses, shares, and depends on data, the issues this report raises should give everyone in the C-suite cause to pause for thought.
Report Insights, highlights and lowlights
At just 32 pages long, I believe the report provides valuable information and insights on the current state of global cybercrime, but on initial reading I was concerned that we were once again falling into the trap of shouting about the extent of cybercrime and the associated (and expected) costs. The opening paragraph presents grim statistics that over the next four years, the costs associated with cybercrime (currently $10.5 trillion annually) are estimated to exceed worldwide cybersecurity spending (currently $267.3 billion annually) by 40 times!
Now I don’t know about you, but I can’t even begin to imagine what one trillion looks like, but forty trillion?!
The problem with statistics like this is that, firstly, they offer no context or sense of scale, and secondly, they look like numbers that I can’t do anything about. Remember that we are talking about cyber security risk here, and risk is the likelihood or probability of something happening. Yes, we calculate risk in many different ways, but principally we calculate risk every minute, hour and day of our lives.
If the risk is so big that it is a foregone conclusion, then I may as well not take any action to avoid it. Right? This is why security practitioners should stop saying “It’s not a matter of if, but when you’ll suffer a breach”. What you’re telling me is that if I’m going to suffer a breach anyway, then I might as well spend my time and money on other things because it’s a waste of both resources if it’s going to happen anyway(!)
PMA – Positive Mental Attitude
What I appreciate in this report is that IBM quickly moves from the negative to highlighting the positive impact cybersecurity can have on an organisation, and it’s these highlights which I think we should be discussing with the C-Suite. These highlights include:
- 66% of respondents view cybersecurity primarily as a revenue enabler.
- Mature security organizations see a 43% higher revenue growth rate over five years than the least mature organizations.
- 43% of organizations report outsourcing their security program governance and operations to partners.
What we’re seeing from the report is that organizations are moving cyber risk management from a cost centre and budget line item, to a value enabler. This is encouraging and demonstrates that many organisations are now recognising that having good cyber security and information security in place will increase trust in them, their products and their services.
A statement in the report emphasises this perfectly. Speaking of placing security at the core of a digital transformation program for a US airline, the report states, “the airline can move operations to cloud confidently and surpass competitors by enabling more tailored customer experiences and more efficient, cost-effective operations.”
If you were to approach your C-suite and tell them you could achieve all the above, they wouldn’t ask how, they would just tell you to do it!
Change is coming. Change is already happening. The report demonstrates this, and it’s worth remembering that if organisations are changing their way of thinking about cyber security, then sooner or later these organisations will use this to their economic advantage.
It’s also worth noting that these organisations may be your suppliers or customers, and if they are changing their approach, then they will expect you to do so too.
Change is coming but that requires us all to rethink cyber security and cyber risk. Moving from negative to positive change.
About the Author:
Gary Hibberd is ‘The Professor of Communicating Cyber’ at ConsultantsLikeUs and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger, and international speaker on everything from international security standards such as ISO27001 Dark Web to Cybercrime and CyberPsychology. He is passionate about providing pragmatic advice and guidance that helps people and businesses become more secure.
You can follow Gary on Twitter here: @AgenciGary
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.