Guest article by Tom Köhler, founder and partner of the strategy consultancy connecting trust and Advisory Board member of Command Control, on the guiding idea of Command Control 2020: cyber resilience.
With the ever-increasing global networking of our information and communication systems, the digital landscape is becoming more and more complex and opaque. At the same time, the number of highly sophisticated attacks in cyberspace is also increasing. It is therefore now an illusion that companies can identify all their risks and predict crises. As a result, cyber attacks can have unforeseeable impacts on business continuity, customer confidence and reputation, and in turn on a company's competitiveness. Based on this realization, what actions can company management teams take? And why should companies place cyber resilience at the center of their security strategies?
The current pressure on companies to innovate is huge. The associated tasks entail immense budgetary, organizational and operational challenges for the responsible Chief Information Officers (CIOs) and Chief Digital Officers (CDOs). On the one hand, they have to continuously optimize the current IT infrastructure and maintain it at its existing level; on the other hand, they must introduce more efficient IT services and ensure a high level of agility so that new digital business models can be implemented promptly. The use of cloud computing, the Internet of Things (IoT), machine learning and software as a service (SaaS) has developed into a techno-strategic success factor for companies. For CISOs, other security officers and risk managers, however, this often translates into sleepless nights. Why is this? With the increasing dynamism of networking, the risk approach generally applied until now is repeatedly reaching its limits. Cyber risks can no longer be correctly anticipated, because digitization is interconnecting and multiplying ever more risks on many different levels.
This is shown clearly in the never-ending reports of successful cyber attacks on public institutions, companies and critical infrastructure operators. Although these reports have led to a higher awareness of cyber risks at top management level, in many companies and organizations misplaced priorities mean there are still no budgets for, or even no interest in, addressing capacity and competence shortages in cybersecurity and risk management. This problem can also be seen in medium-sized companies, which often recklessly accept that, operationally and digitally, they are flying blind with their limited risk precautions. A rethink is absolutely necessary here, because the future success of a business model and sustainable cybersecurity and risk management are inextricably linked.
So, what actions can be taken? First of all, it is crucial to recognize that absolutely any company may be attacked, whether it is (initially) aware of it or not. Companies must therefore adopt a cyber resilient approach. With cyber resilience, the assessment of individual cyber risks, as we know it from traditional Enterprise Risk Management (ERM), is not in the foreground. Instead, the question is how, in the event of a successful cyber attack, to keep the negative consequences as low as possible, to repair any interruptions to company operations as quickly as possible, to restore them to normal and to increase the robustness of the company's IT infrastructure.
In order to be able to respond quickly and efficiently to cyber attacks and to minimize damage, companies therefore require a strong combination of cybersecurity and resilience. This encompasses crisis communication and reputational measures, as well as forensic analyses of the attack via evidence collection and the fastest possible restart of IT systems (disaster recovery) through to business continuity management (BCM). BCM is a key component of cyber resilience as it is associated with the task of countering operational interruptions to a company with an efficient restart strategy.
However, cyber resilience goes one step further. Its objective is to investigate and analyze value creation processes as a whole with respect to their critical points, so that they can be maintained in the event of a cyber attack. Practice shows, however, that in many companies these processes are neither sufficiently transparent nor recorded according to their criticality. Many business leaders became aware of this with the introduction of the European Union's General Data Protection Regulation (GDPR), where the lack of robust data governance or vendor risk management, and the corrective action this required, resulted in unexpectedly high additional project costs. Gaps in the management of highly networked processes harbor a particularly high risk in the event of a cyber attack, because in a concentrated attack all organizational, technical and human weak points suddenly become visible at once and, taken together, inevitably lead to a crisis situation.
Successful digital transformation and robust cyber resilience therefore require clear insight into corporate processes and their value creation. In future, company management will need an improved and integrated critical view of their operations and system components in order to minimize cyber risks and the associated business risks. Only in this way can they fulfil their governance task and invest purposefully in the resilience of their company. Concentrating on the most important components within the categories of people, technology and organization is crucial here to reduce complexity in the development of cyber resilience.
This is where Command Control, on March 3-4, 2020 in Munich, will have a role to play. For the second time, it will bring together decision-makers and experts from the worlds of business and politics for a rethink on how to handle cyber threats. The cybersecurity summit will focus on questions such as how collaboration between the specialist disciplines of cybersecurity, risk management, digitization and innovation can be designed for the future in order to ensure better cyber resilience. “Digital transformation is not only changing our society and our business lives. In order to remain competitive in a networked world, we must also rethink how we handle cyber risks and find innovative ways to increase our resilience to cyber attacks,” explains Katharina Keupp, Project Manager of Command Control. The platform will offer exclusive application and expert knowledge and an interdisciplinary matchmaking concept for decision-makers, to help them manage the digital transformation of their company securely.