Most people’s introduction to cybersecurity begins with a dramatic video displaying a balaclava-clad criminal hacking their way into a business and wreaking havoc from a dark room with no windows. Unfortunately, this image tends to create a fear-driven mindset that promotes counter-productive behaviours.
Whilst it’s completely true that threats from cyberspace pose significant risks to business operations, combatting threats is not the key value proposition that cybersecurity offers, and hence it should not be the primary driver behind cybersecurity investment.
Let’s change our perspective
We’ve all had enough of hearing about massive hacks and reputation-crushing information leaks. Everyone knows this is the reality of living in a modern, inter-connected, and digitised world. So why is it that we can still walk into so many organisations just to find out that cybersecurity is under-resourced and under-valued? Why is it that the security function is almost always considered a sub-function of ICT?
The answer is that cybersecurity is seen as a necessary evil. It is merely a ‘nuisance’ that hinders an organisation’s ability to get stuff done. It’s expensive, it’s complex, and it takes more effort. Security is perceived as an operational cost that provides no direct value to the business, other than an insurance of sorts.
This view of the world creates a failure-avoidance mindset towards cybersecurity, which drives behaviours such as tick-and-flick compliance, corner cutting, and cover-ups. Inevitably, such an apathetic, or sometimes even negative, attitude doesn’t actually do much to protect anything.
Accelerating growth through security
Let’s consider two competing businesses – Alpha and Bravo – who are both investing heavily in their innovation teams with a view to rapidly grow and expand their business operations. Business Alpha sees cybersecurity as an ‘IT problem’ and a hindrance to their ability to rapidly develop their new solution. They therefore decide to do the bare minimum required to meet whichever regulations are imposed on them. Business Bravo, on the other hand, sees cybersecurity as a business-enabler that enhances stability, giving them a secure platform to then focus on innovating confidently and without interruption. Accordingly, Bravo sets up an executive-represented security function that is integrated into the innovation and business processes.
Both solutions hit the market and perform exceedingly well, with Alpha breaking even slightly earlier than Bravo due to the lower cost of insecure development. With more and more publicity, inevitably both businesses are targeted by cyber criminals. Alpha is hit hard and confidential documents regarding the new solution are published, leading to mass reputation damage. Their team are suddenly thrust into damage control and profitability is heavily impacted. Bravo is also targeted, but they are able to quickly respond and minimise losses due to their well-resourced security function.
Post-attack, Bravo continues innovation and their business grows even more rapidly due to the increased market confidence compared to their competition. Alpha, however, have found themselves preoccupied with fighting fires and are unable to devote their full attention to regaining their market position and developing new opportunities for growth.
A motivation to avoid failure led Alpha to perceive security as a roadblock in their mission to expand. In contrast, a motivation to succeed drove Bravo to perceive security as an integral component of innovation and a vital prerequisite to success. In the end, it was business stability that Bravo invested in through their attitude towards cybersecurity. And it was this business stability that allowed them to win.
We need to shift our mindset away from seeing cybersecurity as an insurance against failure and start seeing it as a foundation for success. To paraphrase an old parable: a house built on a rock will withstand floods, winds, and rain, whereas a house built on sand will crumble.