In the past, an enterprise’s cyber security team focused on IT security risks and threats, with little reference to business risks, objectives and strategy. The team would deploy controls within a defined corporate network boundary, driving a very technology-focused approach to cyber security. The team generally spoke its own language of cyber security terms and acronyms, little understood by the business.
Digital transformation, however, means that cybersecurity can no longer be handled as an after-the-fact bolt-on, separate from the rest of the business. Organizations must consider security as part of their strategic approach, viewing cybersecurity and resilience as business enablers that help enterprises safely embrace the benefits of digital transformation.
Even the World Economic Forum recognizes the importance of high-level responsibility for the strategic governance of cyber risk and cyber resilience. In a report for boards of directors, “Advancing Cyber Resilience: Principles and Tools for Boards,”[i] the forum concluded that “cyber strategy must be determined at the oversight board level.”
Aligning cyber security strategy with business objectives — and obtaining board-level sponsorship — is key to attaining and maintaining a strong security posture.
Most organizations are struggling to reduce the growing gap between their security posture and a threat landscape of ever-increasing cyber attack sophistication — and at the same time, they are trying to stay on top of changing security-related regulatory and legislative obligations that differ across geographies.
Spending more money isn’t necessarily the answer. Security budgets are increasing, but the security posture gap is getting wider.
Here are some reasons why:
- Lack of integration, with little or no understanding of the cyber security risk posture throughout the business, makes it difficult to reduce business risk.
- Lack of prioritization means security investments are often allocated to implement the latest security trend or technology, without first addressing security foundations.
- Bottom-up technical silos cause a lack of alignment between the security solutions deployed and business objectives.
- Lack of optimization results in overlap of security controls and failure to take advantage of virtualization or new functionality in existing security tools.
- Reinventing the wheel increases time, cost, and risk.
Closing the gap requires upper management to set a clear cybersecurity strategy and requires the cybersecurity team to focus on managing cyber risk appropriately and proportionately to the business’s goals and risk appetite.
If they want to be truly cyber resilient, enterprises must also be prepared for the worst to happen. It’s no longer a question of whether they may be breached, but when, and what the likely consequences are. The legislative and regulatory implications of data breaches continue to increase, and the reputational harm a breach can cause to a business can be severe. A Juniper Research report estimates the cost of cybercrime to businesses will total $8 trillion by 2022.
A key strategy for addressing these challenges is the adoption of a cyber reference architecture (CRA), which is a framework of strategies, tactics, and capabilities that provides a common language, a consistent approach, and a long-term vision to help organizations align security strategies with the business and accelerate their digital transformation.
The CRA helps organizations to develop business-aligned security strategies and accelerate their digital transformation, including:
- Understanding which objectives matter most to the business
- Defining security requirements to achieve those objectives
- Mapping out the best approach for deploying targeted security capabilities to support the plan
This approach helps organizations in all industries move from a reactive mode to higher levels of cyber maturity. Organizations become better equipped to visualize their future state and develop a roadmap with short- and long-term timelines for getting there.
As a result, organizations can develop a resilient and agile security architecture that supports a risk-based approach to business strategy. This crucial planning helps organizations:
- Define how to protect what matters and enable digital business initiatives
- Optimize security budget and operational cost
- Avoid financial loss by managing existing and emerging risks
- Ensure compliance with laws and regulations
Security organizations are constantly faced with decisions about upgrading tools and adding services to improve processes. Before the work begins, it’s imperative to understand all risks and the state of the organization’s security posture with a strong cyber reference architecture.