The prestigious Sloan School of Business Administration and Management at the Massachusetts Institute of Technology (MIT) publishes a series of studies addressing the exceptional situation we are experiencing and analyzing how companies, when faced with unprecedented disruption and uncertainty, must expand the reach of their strategy if they want to survive and prosper.
The study published at MIT emphasizes that by elevating cybersecurity from an operational need to a source of opportunity, leaders of organizations can drive resilience and competitive advantage.
Despite the fact that we regularly witness numerous examples of devastating cyber attacks against all types of organizations, many companies (including some of the largest in the world) remain unprepared.
Although executives recognize cybersecurity as an important part of IT planning, they do not understand the strategic nature of cyberattacks: a serious threat to profits and operations, but also an opportunity.
The study underscores that what executives need to understand is that organizational resilience to cyberattacks requires a fundamental mindset shift: executives must view cybersecurity as strategic rather than operational, and as an opportunity rather than a cost.
A mature cybersecurity strategy provides the basis for securing critical assets and business processes, enhancing learning at all levels of the organization, and detecting and capturing new strategic opportunities. It can reveal fundamental strengths and weaknesses in teams and their leaders and, more generally, uncover organizational capabilities.
Why are executives treating cybersecurity as operational, not strategic?
It’s easy to understand why executives fail to recognize cybersecurity as a strategic priority, even as many have embarked on digital transformation strategies.
Cybersecurity is delegated to IT. Maintaining secure systems has traditionally been the responsibility of IT, and in many cases IT itself is not seen as a provider of strategic advantages, but rather as an internal service provider primarily responsible for keeping systems running. Despite the fact that the cyber threat to companies has been drastically magnified, and given that technology in many cases has been recognized as highly strategic for the company, cybersecurity has remained delegated to IT operations, where the necessary technical expertise resides to assess and respond to cyber threats.
The authors of the study warn that companies misunderstand the strategic nature of cybersecurity risk. Many executives fail to elevate the risk of a cyber attack to a strategic consideration because they mistakenly characterize the threat as a random and unpredictable event, when, in fact, no organization is immune and cyber attacks are “predictable surprises” that exploit weaknesses in structures and organizational strategies.
Some companies are more attractive targets than others, but in reality, cybercriminals directly attack organizations of all kinds, and many other companies suffer collateral damage in the course of attacks on other companies.
How our psychology and biases are affecting
MIT points out the impact of the biases of management and department heads, since the vast majority of executives assign strategic priorities based on their own areas of specialization. We also found that executives have not included cybersecurity among their strategic priorities because their strategic plans and major investment decisions have focused on areas in which they had prior experience or technical knowledge, such as engineering, finance and marketing. Cyber attacks are not routine and are difficult to plan for, and many executives have not experienced a serious cyber attack. The cognitive tendency is to continue with the same strategic priorities, interpreting the absence of a cyber attack as evidence that the company is on the right track. After recent cyberattacks, such as NotPetya, executives understood the importance of defining strategic issues according to their potential impacts on company performance.
Changing the narrative on cybersecurity
Senior executives who guided their companies through cyberattacks experienced a fundamental mindset shift, transforming their perceptions of cybersecurity from operational to strategic, from reactive to proactive, and from threat-driven to opportunity-driven. In practice, this means taking cyber threats seriously at the highest levels of decision-making.
Before being attacked, executives make the mistake of viewing cybersecurity investments as a lose-lose situation. They think that if their company is attacked, they will lose reputation and profits; but if the company is not attacked, investments in cybersecurity are wasted. As a result, companies have invested little in cybersecurity.
After a real cyber attack, executives appreciate the strategic value of investments in cybersecurity, not only to mitigate risk or minimize damage, but also to strengthen the core strategic capabilities of the company. For example, one of the executives who participated in the MIT study indicated that the cyber attack “was an existing threat to our business, and one of the things it shows is where there is strong or weak leadership.”
Improve organizational learning
Research shows that executives can leverage cybersecurity strategy to enhance organizational learning and create new opportunities. Businesses that experience cyberattacks find that an attack exposes weaknesses not only in cybersecurity but in many other aspects of the business, such as leadership development, external communications and process innovation. Consequently, the process of developing a comprehensive cybersecurity strategy can similarly uncover weaknesses and opportunities.
Gaining a more strategic understanding of cybersecurity creates the opportunity for closer integration and understanding between business and IT teams.