Cybersecurity is the bedrock of tomorrow’s intelligent business. If companies are to succeed by using digital capabilities to develop superior customer knowledge, unique insights and proprietary intellectual property—the hallmarks of an intelligent business—they will need a robust cybersecurity strategy to underpin it all.
To bring about the cyber-resilient enterprise, we believe changes are necessary in four areas:
- Leadership and governance
- Organizational culture
- Debates about funding
- The way security is measured and monitored
CEOs need to find answers to the following four questions to drive the capabilities that will realize cyber resilience:
Do you understand what is at stake?
CEOs and boards are ramping up their engagement in cybersecurity—to a point where they are assuming accountability for the cyber risks facing the company. But, with security programs only covering 67 percent of the organization on average, most have much more to do—and their relationship with the CISO is a critical component of the right kind of engagement.
Do you put cybersecurity first?
Many companies believe that their cultures already “get it” when it comes to cybersecurity. For example, 83 percent of respondents we surveyed said they have “completely embedded cybersecurity into their cultures.” And yet, 71 percent report that cyberattacks remain “a bit of a black box.” They do not know how or when they will affect the organization. Business leaders need to decide if they are paying lip service to cybersecurity or whether it really is at the front and center of their strategy.
How much is the right amount of funding?
Companies need to be “brilliant at the basics”: investing properly to handle threats of any magnitude, from intruders who want to target a particular customer, abuse the infrastructure, or trumpet a cause, to attackers after the organization’s “crown jewels,” the data most critical to its operations and its differentiation in the market. Funding means not only getting the basics right, but also using innovation to improve cybersecurity and data protection.
Are you measuring your cybersecurity efforts for business resilience?
The metrics used in the past will not help in the future. Being “low, medium, or high” on compliance scores does not say enough about the risk to business resilience. A senior security executive for a bank told us what is needed instead: “We do not present the board project plans on encryption. We present the board with metrics on data protection for our customers. And we don’t have metrics around patching. We have metrics around maintaining the integrity of our production environments.”