Gary Hibberd

20190729

It’s a truism that organisations need to embrace digital transformation to remain competitive and relevant, and even to survive. Yet the process of digital transformation is about more than just moving your business’s data to the cloud. It’s about implementing technology that will help a business to adapt and evolve quickly in today’s fast-moving business world, and above all, offer increasing levels of value to customers.

But when businesses cast off their legacy technology and reinvent their processes and IT in pursuit of digital transformation, it comes at a price. Greater digitisation creates a correspondingly larger surface area for hackers and other malevolent actors – both external and within the organisation – to try to breach. And once a hacker is ‘in’, increased digital connectivity means they are often able to move around the business’s network with relative ease.

McKinsey’s cybersecurity report

International business consultancy McKinsey & Co has this month published a paper exploring the tension between keeping business data safe and maintaining smooth business operations.

The tension between security and efficiency

This McKinsey paper asserts that if cybersecurity teams are to become enablers of (rather than barriers to) digitisation, they need to improve risk management, applying quantitative risk analytics. Quantifying risk has always been a difficult challenge. After all, the majority of cyber security specialists come from an IT background, and often have no formal risk management training.

Cyberfort’s clients overcome this difficulty by benefitting from our more balanced risk management perspective. Our experienced business analysts, business continuity managers, IT managers and of course risk & compliance managers are well equipped to help identify the threats and vulnerabilities and real risks businesses face. 

Yet quantifying cyber risk is not always straightforward, so we also find it useful to incorporate a more qualitative approach to our risk assessments. For example, where an actual numerical figure on potential losses just isn’t possible to pin down, we help clients understand more qualitatively the full impact of particular business risks (e.g. ‘Loss of data would have a significant impact on our reputation’).

Making cybersecurity your business enabler

Cybersecurity has a reputation for being a bottleneck that slows down processes and speed to market, but this tends to be because businesses over-complicate their risk management approach. Cyberfort’s pragmatic approach to risk management can help. We see risk management as simply the removal of doubt or uncertainty. So whilst many consultancies focus on ‘What is the risk?’, at Cyberfort we seek to identify ‘What are we trying to protect? How is it currently being protected? Where are there weaknesses?’ By finding answers to these simple questions, we identify what the risk is. By using traditional ‘impact vs likelihood’ calculations we can then ‘rank’ the risk.

The McKinsey report explores various quantitative tools to analyse signs of ‘possible insider threats’ and ‘suspicious email activities’. The authors point out that these weapons are only as good as the person wielding them, are often complex to deploy and manage, don’t come cheaply, and take time to ‘learn’ the behaviour within the organisation and report back.

However, at Cyberfort, we believe that applying tried-and-tested risk management methodologies can reap rewards almost immediately, without creating unnecessary bottlenecks in your business.

Advise, detect and defend against cyber threats

Cyberfort Group offers a matrix of global cyber advisory, detection and defensive security solutions providing the assurance integral to business growth. Cyberfort’s ADVISE services can create real insight into where a business’s cyber risks exist, by identifying where you are vulnerable to attack and then identifying what you need to do to manage that risk (by removing doubt or uncertainty).

A major point the McKinsey article makes is about how development teams are frustrated by the slow response of cybersecurity specialists, who don’t operate at ‘Cloud Speed’. Here at Cyberfort, we would argue that the reason for so many toll-gates is that quite often developers aren’t adhering to the idea of ‘privacy by design and default’. Speaking as an ex-developer, I know the pressures being brought to bear are focused on functionality and innovation, and security (until recently) has been placed in a poor third place.

Digitised organisations need to incorporate and embed security into the culture of the development life cycle. Cyberfort helps organisations do this by running Secure Coding Workshops where we train developers to understand how to develop in a secure way. With such complex systems operating in such complex environments, ensuring coders have the skills to DETECT vulnerabilities means they don’t miss these gaps. Empowering developers to spot weaknesses significantly shortens the security testing phase. It also gives developers additional tools (and who doesn’t like to learn new things?!).

The authors at McKinsey discuss building cybersecurity into the value chain of the business. This is because good cybersecurity is a valuable asset. Being able to demonstrate you have considered cybersecurity at every level in your organisation means that you can demonstrate to your clients and customers that you care about their privacy and security. 

Security at every link in the chain

Demonstrating good cybersecurity practices means looking internally as well as externally. This means looking to your suppliers and partners and making sure that those you trust to hold your data are as concerned about cybersecurity risks as you are. This is why we are so fortunate to have The Bunker as part of the Cyberfort family. The Bunker’s state-of-the-art Tier 3 data centres are the technical and physical embodiment of what cyber security is all about. Ultimately, The Bunker leads the way in helping organisations in their digital transformation programmes, whilst keeping a keen eye on the security surrounding the clients’ data that we hold.

Finally, it is important to return to a fundamental belief of Cyberfort, and that is that cybersecurity is becoming less and less about technology, and more and more about business protection. You need someone who can ADVISE you on the potential risks your business faces, help DETECT if these risks exist within your organisation, and DEFEND you against those risks should they crystallise.

Remember, cybersecurity is a business issue, not an IT issue. Indeed, to quote author and cryptographer Bruce Schneier: ‘If you think technology can solve your security problems, then you don’t understand the problems, and you don’t understand the technology.’
