Business Strategy: Cyber Strategy - A Closer Relationship Than Ever

Discover actionable strategies for enhancing stakeholder trust and for providing effective cyber risk oversight of the SEC Cyber rules.

Board Guide

Think of milk, expiration dates and shelf life. How long do you keep a carton of milk? With no expiration date, you just drink it, risk falling sick first, and only then get new milk.

The strategy of no-strategy has an unknown shelf life and expiration date. It’s true in life, business and in cyber.

What is business strategy? According to Richard Rumelt (a giant in the field of strategy), it is simply problem solving: understanding the nature of a challenge and then applying an organization’s strengths to that challenge. An undefined problem implies an undefined strategy. This is the central issue when it comes to cyber risk mitigation strategies. Businesses that can’t define the cyber problem comprehensively, or that can’t appreciate its implications, tend to adopt a default strategy of not defining an intentional strategy. In other words, they adopt a no-strategy strategy. And as long as everything continues to work well and no material incidents occur or emerge, the no-strategy strategy appears to work well.

There are fires without smoke but there’s no smoke without fire and it’s easy to confuse the two.

Everyone has a strategy whether it’s intentional or not. It’s somewhat like culture in this way. Every organization has a culture whether it’s intentional or not.

There are three fundamental problems with a no-strategy strategy:

  • Inflection points and market transitions are difficult to detect, since there is no intentionality behind the strategy.

  • The expiration date is unknown. Every strategy has a shelf life, but an intentional strategy does not have an unknown expiration date.

  • It can’t withstand the storm. When the inevitable storms arrive, the no-strategy strategy falls apart.

But here’s the problem with this mindset: just because a problem hasn’t revealed itself doesn’t mean there isn’t one. This is a very insidious and intractable problem. A lot of leaders say “of course we know that,” yet their actions say otherwise, because most leaders are operational and therefore need to see tangible proof of the challenge or problem. Also, nobody wakes up in the morning and says “my goal today is to not have a cyber strategy” or “to implement a no-strategy strategy.” It just happens by default. Cyber gets relegated to the back burner until an incident or event occurs. Alternatively, organizations assume that having technology solutions is sufficient for a strategy. Again, the problem with this perspective is that unless you can really define the problem you’re facing, what you have may be a plan of projects you want to implement, which may not necessarily translate into a compelling strategy.

There’s good news and bad news. The bad news is that the no-strategy strategy has an unknown shelf life and expiration date. This implies that at some point, an event is going to force the creation and definition of an intentional strategy. The most common event is a material cyber incident, data breach or near miss. Others include board action and/or customer dictates, as well as industry threats. Regardless of the event, there will come a point when defining and implementing a cyber strategy will be required, as opposed to running a set of uncoordinated, isolated projects.

So what’s the good news? Although the no-strategy strategy has an unknown shelf life and expiration date by default, it doesn’t have to be that way. You can set the expiration date yourself by proactively defining and implementing a cyber strategy before an event occurs. Instead of waiting for the event, you can initiate action. This can be difficult for the reasons we highlighted earlier, but it is doable and necessary.

Sometimes leaders will argue that they do have a cyber strategy. They tell us things like “we have moved to the cloud” or “we have all the necessary technology tools” (e.g. firewalls, intrusion detection systems, anti-malware, etc.). They say they believe they’re doing all the right things. Then we ask them a question: “If sensitive data was leaving your organization, would you know about it, and how would you respond?” They tell us that they don’t expect that to happen, but if it did they would activate their crisis management or incident response plans. When we ask to see the plan, it usually doesn’t exist on paper and hasn’t been tested.

This is just one of the questions whose answer can reveal a no-strategy strategy. Other questions include:

  • What are the biggest risks your organization faces in the future?

  • What is your risk velocity?

We encourage you to consider these questions also.

In other cases, leaders tell us that their MSP has defined and implemented a strategy for them. This is the case for many organizations and is completely valid and understandable. However, outsourcing your cyber strategy without oversight and validation is like outsourcing your parenting duties without oversight. It may work for a while, but ultimately it doesn’t yield the desired outcome. Here’s an example that illustrates the need for validation and periodic oversight of outsourced cyber functions.

Outsourcing cyber function(s) can be beneficial but it requires periodic, independent validation for sustained success

Side Bar: This is true in cyber and also in business. Many businesses have gone bankrupt because they couldn’t see a market transition event coming and decided to wait until they could see the event. By then, it was too late.

However,

This article is the first in a series of three articles designed to equip board directors with three distinct, meaningful and actionable insights:

  1. The strategy of no strategy has a shelf life and an unknown expiration date

  2. Outsourcing cyber function(s) can be beneficial but it requires periodic, independent validation for sustained success

  3. Cyber strategy validation reviews lead to better risk mitigation and resiliency outcomes

In this article, we focus on the first. The primary objective of this article is to help directors avoid the common pitfall of focusing on compliance (in this case, the SEC Cyber rules) and inadvertently neglecting the required commitment to the underlying intent and to stakeholder trust. Ultimately, our hope is that these insights will inform intentional actions that increase the effectiveness of cyber risk oversight.

1. Compliance (SEC Cyber Rules)

Outsourcing cyber function(s) can be beneficial but it requires periodic, independent validation for sustained success

Depending on several factors, including the digital maturity and business life cycle of an organization, outsourcing cyber security functions may be very beneficial as part of an overall strategy. It can have tangible benefits where the organization lacks capabilities or talent, or where the organization simply wants to focus on business functions that are core to its mission (although we would argue that digital is, or should be, core to most organizations). In either case, the point here is that outsourcing can be beneficial.

However, when oversight of the outsourcing is missing, things can go bad. When leaders decide to be completely hands off with the outsourced provider, problems arise. Of course, no one intentionally plans to be hands off. It just seems to happen gradually over time. An outsourced contract automatically renews from year to year and, before you know it, it’s been three or five years with a provider without any explicit oversight, or with limited oversight confined to cost and financial metrics. There hasn’t been an intentional effort by the organization to ensure that the service provider is in fact delivering on the services promised.

This is especially important and unique to cyber services, because the absence of certain services only becomes apparent after an incident or intrusion occurs. With services like help desk support or electric power supply, it’s easy to tell that you’re receiving adequate service (the power is on and working). But with cyber, just because the device is on doesn’t mean things are working as they should. A client painfully discovered that their MSP wasn’t monitoring security incidents, even though the client believed that was what they were paying for.

When it comes to outsourced cyber functions, without intentional and proactive oversight there’s no easy way to tell that things are functioning as intended until it’s too late. In other words, if an intrusion or material incident occurred, you wouldn’t detect and respond to it until the damage was done.

However, when periodic oversight exists, deliberate plans are made to keep the MSPs honest and to explore new and effective ways to mitigate risk. Too often, the only oversight is when leaders approve budget items or projects proposed by the MSPs. Oftentimes these leaders have limited cyber expertise and knowledge of the underlying cyber risks, and implicitly trust their MSPs. We would encourage a “trust but verify” approach.

Now granted, there may be situations when more oversight just isn’t possible (e.g. peak seasons for the organization, leadership vacancies or employee turnover), but in the majority of cases, active and proactive oversight is possible, yet passive oversight is what occurs.

Oversight can occur in a variety of ways: stress testing of processes and capabilities, techn, etc., and independent audits of outsourced functions. The key is that oversight should be performed by an independent entity with knowledge and expertise separate from the MSP.

Transition to good cyber strategy

Good Cyber Strategy Principles & Practices

What is the well-defined business problem that the cyber strategy is attempting to solve? What business challenges are informing the cyber strategy? The emphasis here is on the business problem, not the cyber problem: not the ransomware threat, cyber criminal or nation-state activity itself, but the business implications and impact of such activity. It’s about focusing on the biggest problem(s) facing the organization within the context of digital capabilities and cyber security.

Here are a few examples of business problems and strategic challenges that can inform good cyber security strategy.

  • Business growth through Mergers and Acquisitions (M&A)

  • Organic business growth by growing the customer base

  • Global geographical expansion

  • Getting a bigger buy

  • Improving customer loyalty

  • Increasing market prominence

  • Business survival and cost cutting

In each of these examples, there’s a role for digital capabilities and consequently an important need for an integrated and cohesive cyber strategy. Some organizations may say that they want to do all these things at once and all the time, but we would encourage them to pick the top three to focus their efforts and investments on, and to sequence them appropriately to achieve measurable impact. These strategic business challenges may also help provide a perspective on whether cyber/digital should be viewed as a cost center or a strategic asset. For example, in survival mode, when the business just wants to stabilize a financial decline and stop the bleeding, a cost center mindset of cyber may be most effective. However, when an organization is trying to increase market prominence or improve customer loyalty, viewing cyber as a profit driver and strategic asset may be best.

Regardless, the business and cyber strategy have to be well aligned. If there’s a mismatch between both, it generally results in a poor cyber strategy that doesn’t serve the business well.

The set of questions that a good strategy should address includes:

  • The biggest current initiative that a cyber incident could derail, and the biggest future initiative it could derail

  • Whether cyber is a cost center or a strategic asset

  • The areas or dimensions of biggest risk impact and risk velocity

  • Measurable outcomes and success metrics

  • Well-defined outcomes of the strategy (e.g. avoiding material cyber incidents and compliance fines, being resilient and responding to ever-changing risks and threats)

This brings us back to the strategy of no-strategy and its unknown shelf life and expiration date.

What are the top three business impacts of material cyber incidents for the organization? Facilitate an engaging discussion about this, not just for the current business but also for the future business. It’s not enough to say that the business impact will be quantifiable financial losses (although that’s included); it should also include second- and third-order consequences and implications. The idea here is to connect the dots for both the short and the long term.

Are we making the right investments in cyber (time, treasure, talent, culture, leadership bench, etc.)?

How can cyber security become a strategic asset for the organization, now or in the future?

The SEC cyber rules can serve as a catalyst for change in the boardroom. They can help directors adopt a more forward-thinking perspective on cyber risk oversight and may offer hidden advantages for organizations whose boards adopt this mindset. The questions above go beyond compliance to a commitment mindset. The board has to cultivate this mindset intentionally and proactively to increase its effectiveness. Directors, and especially the chair or lead independent director, can’t rely on accidental or reactive events to toss them back and forth based on compliance rules and/or data breaches.
