Cyber risk represents not just a threat, but an opportunity. The upside will materialize in two ways: competitive advantage and operational efficiency.
The rapid ascent of cyber threats and risks to the pantheon of topics considered “board-level issues” has created a massive market for solutions and services. Thousands of contenders in a crowded market have generally defaulted to an age-old tactic for grabbing attention: fear. Early in our life as a young company, we were guilty of this as well. Fear of cyber breach is a natural response to what is quite clearly a big, scary problem – why not place a solution in that pathway of that response?
But the seller must ask himself – fear of what? Malicious hacker syndicates? Nefarious foreign governments? Well-meaning but hapless employees? The truth is, potential threats are everywhere. This is not a secret or a revelation. Despite our collective efforts in cybersecurity, the problem is increasing. The number of bad actors and their potential to do bad things continues to grow. When you consider that all of the cybersecurity solutions combined have failed to reduce the volume of threats, a selling proposition that promises a reduction in scary things isn’t exactly an honest position.
We have evolved to hold a contrary view: cyber risk offers an opportunity not just to solve the problem, but to turn the marketplace energy around cyber risk into an advantage for every organization. Effective cyber risk governance (cybergovernance) creates two predominant advantages:
- it gives the organization in a competitive advantage with customers who tend to care about security, and
- it leads to broad, synergistic improvements in operational excellence.
Competitive Advantage from Effective Cybergovernance
It isn’t difficult to imagine a world where brands attract customers based on their leadership in security. Just look at Apple’s highly publicized legal battle with the FBI over encryption controls on the iPhone. Apple appears to have decided that the opportunity to win with consumers is greater than the threat of federal intervention. Their bold move is changing the way people think about privacy and security.
Selling to consumers is far different that selling to businesses. While Apple’s case plays out in a consumer market, businesses tend to care far more than consumers about security. This is highlighted by business concerns around cyber supply chain risk management. How can an organization’s leaders know whether their vendors and suppliers are capable of managing cyber risks? Is cyber supply chain risk something that corporate managers should be concerned about? How can they know more?
Imagine turning that risk scenario, i.e. uncertainty, completely around. Imagine operating in an environment where supply chain partners compete not on price alone but also on the basis of demonstrated competence in cyber risk management. An organization would be capable of preferentially selecting vendors using those vendors’ own demonstrated leadership in cybergoverance.
This same opportunity exists in every company – think of your own business. No matter what industry you operate in or what type of value you deliver, you are an important part of your customers’ supplier network. Imagine how powerful a position you might hold with those customers as a demonstrated leader in cyber risk management.
Operational Excellence from Effective Cybergovernance
The second opportunity, making broad operational improvements, is a consequence of pursuing the first. Firms who improve cyber risk management necessarily improve overall operations at the same time. Effective cyber risk management, by definition, prioritizes cross-functional collaboration, situational awareness, response and continuity planning, and continuous improvement.
Organizations can proactively craft policies and command-control structures that create a “human firewall”. In addition to improving resilience in the face of a cyber incident, these efforts cultivate a workforce that is awake, alert, and aware of the role they play in the larger operation. A leader would be challenged to ask for a better outcome of workforce development than that.