How to make cybersecurity a strategic asset?

REBOOT YOUR STRATEGY: CYBERSEGURITY

The prestigious Sloan School of Business Administration and Management at the Massachusetts Institute of Technology (MIT) publishes a series of studies facing the exceptional situation we are experiencing and analyzes how companies, when faced with unprecedented disruption and uncertainty, must expand the reach of their strategy if they want to survive and prosper.

The study published at MIT emphasizes that by elevating cybersecurity from operational need to source of opportunity, leaders of organizations can drive resilience and competitive advantage.

Make Cybersecurity a Strategic Asset

Despite the fact that we regularly witness numerous examples of devastating cyber attacks against all types of organizations, many of the companies (including some of the largest in the world) remain unprepared

Although executives recognize cybersecurity as an important part of IT planning, they do not understand the strategic nature of cyberattacks, as a serious threat to profits and operations, but also as an opportunity.

The study underscores that what executives need to understand is that organizational resilience to cyberattacks requires a fundamental mindset shift: Executives must view cybersecurity as strategic rather than operational , and as an opportunity rather than a cost. 

A mature cybersecurity strategy provides the basis for securing critical assets and business processes, enhancing learning at all levels of the organization, as well as detecting and capturing new strategic opportunities. It can reveal new fundamental strengths and weaknesses in teams, their leaders and in general discover organizational capabilities.

Reboot Your Strategy MIT

Why are executives treating cybersecurity as operational, not strategic?

It’s easy to understand why executives fail to recognize cybersecurity as a strategic priority, even as many have embarked on digital transformation strategies.

Cybersecurity is delegated to IT. Maintaining secure systems has traditionally been the responsibility of IT, and in many cases IT itself is not seen as a provider of strategic advantages, but rather as an internal service provider primarily responsible for keeping systems running. Despite the fact that the cyber threat to companies has been drastically magnified, and given that technology in many cases has been recognized as highly strategic for the company, cybersecurity has remained delegated to IT operations, where the necessary technical expertise resides to assess and respond to cyber threats. 

The authors of the study launch warn that companies misunderstand the strategic nature of cybersecurity risk . Many executives fail to elevate the risk of a cyber attack to a strategic consideration because they mistakenly characterize the threat as a random and unpredictable event, when, in fact, no organization is immune and cyber attacks are “predictable surprises” that exploit weaknesses in structures. and organizational strategies

Some companies are more attractive targets than others, but in reality, cybercriminals directly attack organizations of all kinds , and many other companies suffer collateral damage in the course of attacks on other companies.

How our psychology and biases are affecting

MIT points out the impact of management biases and department heads, since the vast majority of executives assign strategic priorities based on their own areas of specialization. We also found that executives have not included cybersecurity among their strategic priorities because their strategic plans and major investment decisions have focused on areas in which they had prior experience or technical knowledge, such as engineering, finance and marketing. Cyber ​​attacks are not routine and difficult to plan, and many executives have not experienced a serious cyber attack. The cognitive trendis to continue with the same strategic priorities, interpreting the absence of a cyber attack as evidence that the company is on the right track. After recent cyberattacks, such as NotPetya, executives understood the importance of defining strategic issues according to their potential impacts on company performance.

Changing the narrative on cybersecurity

Senior executives who guided their companies through cyberattacks experienced a fundamental mindset shift, transforming their perceptions of cybersecurity from operational to strategic , from reactive to proactive, and from threat-driven to opportunity-driven . In practice, this means taking cyber threats seriously at the highest levels of decision-making. 

Before being attacked, executives make the mistake of viewing cybersecurity investments as a lose-lose situation. They think that if their company is attacked, they will lose reputation and profits; But if the company is not attacked, investments in cybersecurity are wasted. As a result, companies have invested little in cybersecurity.

After a real cyber attack, executives appreciate the strategic value of investments in cybersecurity, not only to mitigate risk or minimize damage, but also to strengthen the core strategic capabilities of the company . For example, one of the executives who participated in the MIT study indicated that the cyber attack “was an existing threat to our business, and one of the things it shows is where there is strong or weak leadership.” 

Improve organizational learning

Research shows that executives can leverage cybersecurity strategy to enhance organizational learning and create new opportunities. Businesses that experience cyberattacks find that an attack exposes weaknesses not only in cybersecurity but in many other aspects of the business, such as leadership development, external communications and process innovation. Consequently, the process of developing a comprehensive cybersecurity strategy can similarly uncover weaknesses and opportunities.

Gaining a more strategic understanding of cybersecurity creates the opportunity for closer integration and understanding between business and IT teams.

Proactivity

Senior executives who guided their companies through cyberattacks experienced a fundamental change in mindset,  transforming their perceptions of cybersecurity from operational to strategic , from  reactive to proactive,  and from  threat-driven to opportunity-driven . In practice, this means taking cyber threats seriously at the highest levels of decision-making.  The companies that participated in the MIT study that suffered the most long-term damage from a cyberattack – competitive, financial, and reputational damage – were those that neglected one or more elements of the “holistic” model that the researchers propose. By far the most common mistake was to focus solely on protection and neglect the other elements . All companies had made prior investments to protect themselves against cyber attacks and (to a lesser extent) to plan for cyber responses. However, these investments were largely wasted because leaders viewed the threats as having consequences only within their IT departments rather than potentially paralyzing the entire business.  After a cyber attack, all companies expanded their cybersecurity strategies by significantly increasing investments to increase awareness and manage the consequences of a cyber attack. Research shows that companies can exponentially improve resilience to cyber attacksby interrogating  different  elements of organizational resilience as part of the company’s strategic planning process . From Kymatio we provide one of the necessary sources, creating visibility about the cyber risk of  employees. Asking questions now, before a cyber attack, allows companies to work proactively to capture new opportunities provided by the context of the cybersecurity strategy.  By adopting a strategic mindset toward cybersecurity, executives can leverage the cybersecurity strategy to enhance organizational resilience and build new capabilitiesfor strategic advantage . This is where cyber risk metrics should be obtained in various areas, but especially about people.
Based on REBOOT YOUR STRATEGY: CYBERSEGURITY Published open (Register) by the  MITSloan Management Review. Manuel Hepfer. PhD candidate at Saïd Business School of the University of Oxford. Thomas C. Powell. Professor of strategy at Saïd Business School. Comment on this article at https://sloanreview.mit .edu / x / 62120.