Risk Management While Enabling Business Growth
Boards of Directors overseeing many businesses like to stress that they encourage operations that carry low risk for the organisation, so that they can reassure investors and others that the risk to their capital investments is minimal. A recent article on Dark Reading titled How Boards Can Set Enforceable Cyber Risk Tolerance Levels discusses the trade-offs many businesses face when balancing risk levels against cybersecurity best practices and business growth.
In the rapidly changing business environment, there are always pressures for IT systems to grow and adapt quickly to support growing revenue-generating services. As we all know from experience, rapidly expanding IT provision to support business growth is not always aligned with robust cybersecurity. How can Boards ensure that their CEO, CFO, CISO, CSO and others in day-to-day leadership positions make decisions that enable good cybersecurity to be maintained when change is rapid?
Organisation Wide Cybersecurity Directives
Hopefully, we are now at the point where everyone in Board or C-Suite positions knows that cybersecurity is core to business operations in the same way as Finance, Human Resources, Facilities, Operations, and more.
The Board needs to set the overall risk tolerance level that the organisation is willing to accept related to change and cybersecurity protection. The C-Suite team needs to deliver the day-to-day running of the business and any changes within the agreed risk landscape. At a high level, the Board should establish the following.
Some Comments on the IO World Asia Article
Specify the Risk Tolerance
To enable a cybersecurity strategy that strikes a suitable balance between risk and business agility, the Board leadership team needs to determine the organisation’s risk tolerance in light of identified risks. These risks could include regulatory fines in the case of a data breach, reputational damage if a data breach becomes public knowledge, and organisational downtime if IT systems are unavailable due to an attack such as ransomware.
Ensure that C-Suite Cybersecurity Leads have Authority
The CEO and leadership in a business typically get tasked to deliver revenue growth and profits. Often this can be in conflict with the need for good cybersecurity practices, as the latter can act as a brake on business decision-making. If a Board of Directors is serious about minimising risk, then the CISO and CSO in a business need to have the authority to prevent risky activities that undermine security. Even if these temporarily impact the bottom line, the CISO and CSO should be able to delay projects that weaken cybersecurity until they get done in a way that benefits the business without diluting security.
Prioritise Cybersecurity Spending Requests
Ensuring IT systems change in a way that delivers business benefits without weakening cybersecurity can require spending to expand current security provisions or to introduce new security tools or services. Boards need to be able to authorise the C-Suite to make these spending decisions, or the Board needs to have a way to authorise them quickly.
Be Willing to Wait before Implementing New Business Initiatives
Sometimes the requirements to deliver a low-risk and highly secure change to systems to support a new business project will take time to plan and implement. The Board needs to be willing to listen to the arguments from the C-Suite and err on the side of caution if the CISO and CSO are requesting time to implement secure change. This is essential if the Board is genuinely operating a low-risk organisation.
Nothing is Ever That Simple
A Board saying that their organisation is low-risk and then delegating authority to the C-Suite to operate within this low-risk culture is a nice ideal, but things are never that simple in the real world. The business landscape is very dynamic, and C-Suite business leaders have revenue and profit targets to deliver. There will always be pressure on the CEO and CFO to take risks.
Reducing this risk without slowing business decisions too much will always be a trade-off between C-Suite members, irrespective of the Board directives. Often the outcomes will be based on the relationships between business and technology leadership. If the CISO is a trusted part of the team who doesn’t ‘cry wolf’ at every change, then when they do raise concerns, they are more likely to get outcomes that are beneficial for everyone.
As is true for almost everything in business, the low-risk organisation is a theoretical ideal: one that is nice to consider, but for actual businesses there will always be trade-offs that balance business decisions against their risk. In many cases, the business change that an organisation is considering will have quantifiable risk attached, and this risk, or one very similar, will likely have been encountered before by another organisation.
Halodata works with multiple vendors, security partners, and businesses. Experience from work across this landscape will likely include projects very similar to any a modern enterprise is contemplating. By tapping into this experience, solutions to reduce the risk associated with a business change are usually obtainable, and such a solution often reduces the time to market for the business project without decreasing security.