Some years ago, there was much debate about how IT strategy
and business strategy had to be aligned, and this was to be led by a new breed
of CIO. With the CIO at the heart of the development of business strategy, business
ambitions could be aligned with the latest technology, enabled and multiplied
in effect, to ensure competitive advantage.
Today, with the accelerated pace of
technological change, multiplied by the trend for digital transformation, which
in itself has been accelerated by the global pandemic, there is a need to
further develop that alignment position to include cyber risk.
In recent years, many businesses have begun
transformation journeys prompted by new opportunities emerging through
technological developments, or to exploit new markets. Some transformations
have been driven by the need to increase competitiveness due to the emergence
of disruptive new entrants to the market. Other transformations have been
driven by changing consumer preferences and the need for sustainability.
Whatever the drive, the effect of fundamental change, in culture, in people, in
process, has the potential to introduce new levels of risk.
The risk assessment of any business change is
now as fundamental as its business case, and the cyber element of risk must be
addressed at the earliest stages.
Digital transformation has affected the cyber
crime world as much as it has the legitimate business world and the creeping
professionalisation of cyber crime has been multiplied by technological
The coping measures employed by organisations
around the world in the face of the pandemic increased cyber vulnerability, and
put pre-pandemic attacks, such as the rash of ransomware that crippled the
likes of Maersk, the UK NHS, and here at home the HSE, in a new context.
The ability of a cyber crime gang to cripple a
major enterprise, public service or other such organisation, was a clarion call
to look differently at risk.
New business models must take into account the
cyber risk exposure due to the increasing reliance on digital systems to
deliver them. The increasing need for demonstrable sustainability, so heavily
reliant on data and data processing, is also increasing digital reliance.
Without understanding and being able to measure, manage and mitigate cyber
risk, digital transformation and sustainability efforts can be jeopardised.
The conversation must be changed from cyber
security to cyber risk if the issue is to be truly understood and woven into
the fabric of the organisation.
In the same way that the CIO became a central part of the
business strategy team, the chief information security officer (CISO) and chief risk
officer (CRO) must now take their places in that strategy team too.
As CEOs have had to become technologically informed to
responsibly lead their organisations, they must now also ensure that those who
measure and manage the digital risk to the organisation are involved in the strategy,
planning and execution of transformation.
Failure to align cyber risk with transformation efforts will
predictably result in the same kinds of stalls and failures so well documented
previously. Lack of return on investment, underutilisation and increased
exposure to threats were all seen when investments were misplaced or
inappropriate in the early days of transformation.
The oft-quoted statistic from McKinsey that 70% of transformation
efforts fail to produce the expected results has the potential to be multiplied in
the current context, and from a cyber risk perspective.
If an organisation embarks on a transformation initiative,
with digital at its heart, that introduces an entirely new element of risk, it
could represent an existential threat to that organisation. While the business
risk of such a transformation, and even the risk of not transforming, is often
well documented and understood, the cyber risk aspects of such initiatives are
still poorly expressed, explored and factored into strategies.
Just as security is baked into application
development early to make more secure products, cyber risk, properly explored
and understood, must be included at the earliest stages in any transformation
The global pandemic has thrown a new light on many
things, but chief among them is just how interconnected, interdependent and
cooperative our modern world is. Digital technologies have given us a glimpse
of how much more interconnected and interdependent we are likely to become in
the near future, and beyond.
The pace of change, the transition of every
business towards being a digital business and the increasing need for data and
analysis to meet sustainability goals, are all driving new elements of risk
that need to be understood, communicated and managed at the highest level. The
alignment of business strategy with risk management - with cyber risk at its
core - is the only viable means to ensure that resources are properly deployed
to protect the critical assets of the organisation.
Paul Hearns is an author, journalist and presenter with more than two decades' experience.