Cybersecurity and the associated risk management are purely technical issues, and therefore sit solely with the responsible department. Is that right? Definitely not. Because the challenge is not about “achieving” cybersecurity, but company security. And that means these issues land on the desks of company management. Its job is to mesh cyber-risk management with the other risk management measures.
By now, it should be clear to practically every business manager that cybersecurity is very important. So far, so good? Well, no. Because in the majority of German companies, cyber-protection measures and the underlying risk management is not meshed with the wider risk register. As a result, cyber plays out on an island—generally ruled by the IT department—lacking any bridges to the other risk management measures. That, at least, is the finding from a KPMG study, according to which just 38 per cent of all companies surveyed record cyber-risks in the organisation’s risk register.
So there is no holistic approach. Bringing this about needs to be an undertaking for the company management, or the executive board. That’s because this is the only place where all the key threads come together. Only here can the business goals be correlated with the associated risks and the protective measures that may be necessary. The company’s IT specialists practically never have the necessary overview to be informed about all current and future business goals. As a result, their focus on the technical aspects of cybersecurity is too narrow.
No new tools are required per se to integrate the previously separately-operating risk management domains. Methods that have already proven their worth can also be applied to cyber-risks. But in doing so, company managers need to take account of one highly important and distinctive aspect of the cyber-world: the risk situation can change with breath-taking speed. On the one hand, due to newly-discovered vulnerabilities in the software used by the organisation or successful attacks on the company’s IT infrastructure. And on the other hand, due to changing business priorities within the company: for example, a new project with high relevance from a sales perspective can suddenly generate data needing protection in a department that was not previously a focus for cybersecurity efforts. That latter aspect, at least, can be eliminated via optimised internal communication between the specialist departments concerned and the cybersecurity specialists. By contrast, combating vulnerabilities and attacks requires lean methods for risk management that are matched to the respective organisation and its processes.
And there is another place where progressive digitalisation is making its presence felt when it comes to handling risk—in dealings with suppliers. In the era before digitalisation and networking, external third parties were only relevant if they provided essential services for the customer’s business processes. For instance, as an upstream supplier in manufacturing. But where the companies’ IT systems come directly into contact, new gateways are opened up. These could potentially be very big holes, via which malware finds its way from one network into the other. Or they can be smaller, but no less dangerous vulnerabilities—this being in the form of substandard or defective data. The risk to one’s own organisation increases depending on the relevance of this supplied data.
When it comes to Industry 4.0, too, networking plays a role. This is because under certain circumstances third parties may have access to the production plant network. For example, in order to service robots working there or to monitor production machines and be able to supply new materials as needed in good time. At the very least, having regard to the suppliers or production machines mentioned in these examples, it becomes apparent that integrated risk management is not a job for the IT specialists, but instead needs to start from the company management—so that the island existence of cybersecurity is rapidly brought to an end.