In the “EY Board Agenda 2021” publication, 81% of respondents identified cybersecurity as “highly relevant” and a further 19% as “relevant”. While its inclusion in and impact on board-level discussion is increasing, organizational cybersecurity practices and strategic thinking remain technical and operational.
Board-level publications and think-tank topics still focus on the best practices that underpin operational resilience, such as patching on time, controls frameworks and recovery from incidents. These fundamentals remain relevant, but closing the gap between the decisions that set organizational direction and cybersecurity's inclusion in them, and its ability to enable them, requires a more strategic approach.
A lack of emphasis on cybersecurity in strategic planning, and a lack of strategic planning of cybersecurity itself, can have impacts in several directions, for example:
- Increased total cost of security due to a reactive approach and a lack of premeditated planning
- Decreased fit between cybersecurity and the organization's direction and the new risk/threat landscape
- Lower ability to adapt and develop practices to support new objectives
There is also another side of the coin: the role of security experts. As the EY board-level study shows, the lack of cybersecurity emphasis is not due to a lack of interest or concern. The challenge lies more in how cybersecurity is viewed and presented by experts and professionals: as technical and complex, with messaging to match.
This difference in thinking is also seen in transactions: cybersecurity is viewed, if at all, as a subset of IT, even though its practices and reach extend throughout business processes and supporting functions.
As with the board-level research, interest among M&A leaders is growing. However, the way cybersecurity is embedded through traditional methodologies and models in due diligence and, for example, in integration planning often remains technical and covers only the surface of cybersecurity measures and practices.
To approach cybersecurity in transactions with insights that support better decision making, methodologies should change. Regardless of organization type, size or sector, the cybersecurity activities embedded in a transaction should cover the entire enterprise. Traditional audit-like controls reviews, a focus on core capabilities only or, for example, support for meeting compliance requirements no longer answer the growing questions, nor do they address the threat landscape of the digital era. The key word is resilience, now and in the future.
While an understanding of the as-is state is relevant, the more pressing questions concern the to-be state: the impact on objectives and the changes needed.
To ensure an understanding of both cybersecurity posture and business impact, the following questions should be asked, and their answers verified, during transaction activities:
- Is there a visible, clear direction/strategy for cybersecurity with short- and long-term plans?
- Is cybersecurity posture reviewed as its own area, or only as a subset of IT?
- Is the CISO or a similar security leader part of the transaction process?
- What is the current cost level of cybersecurity, how would the transaction change it, and what are the development needs?
- How will the threat and risk landscape change, and are third parties included in this equation?
- How could cyber threats and risks affect the strategic business objectives of the transaction?
- To what extent are post-transaction activities planned beyond technical integration, e.g., roles, structure, governance, processes, capabilities, suppliers?
If the answer to any of these is no or unknown, the likelihood of unplanned costs, a poor fit for the future state, and a missing link to business activities is higher.
The good news is that uncertainty can be made visible. Doing so, however, requires changing how cybersecurity is approached, starting with the models and practices used and involving security experts in the processes.
Cybersecurity is, by definition, about providing confidence and avoiding threats. While that goal may be ambitious, including it in the business processes that shape the organization improves decision making, preparation, potential value and the ability to support transformations.