Cybersecurity empowers businesses to soar, this is how. The modern day notion that “cybersecurity is a business enabler” is a very popular one. The problem is that most of the people singing that tune are cybersecurity leaders trying to get their message out. The C-Suite and business folks may not agree, or even see this as actually being the case. So, exactly how is it that cybersecurity is a business enabler? This is an exploration of some concepts, with examples.
Cybersecurity teams typically focus on implementing guardrails and protective controls. That is the overt nature of the business. To be an enabler the opposite (opening things up) may need to be a focal area. Reducing and/or eliminating, excessive or unnecessary guardrails and/or controls could prove very effective. The targets of this exercise are those that hinder innovation and new initiatives, but don’t add any tangible value. Sometimes these exist in the form of technical debt because a predecessor thought they made sense.
In modern day business cybersecurity is no longer just about protective mechanisms. Therefore, as technology advances, and adds value to businesses, cybersecurity must be prioritized so that the organizational goal isn’t “business”, but “safe business”. Safe business implies that asset and customer protection are important areas for an organization. Safe business is where cybersecurity empowers businesses to soar, this is how:
Risk Reduction
Any cyber event (attack, incident, etc) can have a significant negative impact both operationally and financially. There is also the potential reputational consequence. However, there are studies that refute this, here is one example. To be objective, the reputational impact of a cybersecurity event cannot be solely measured by its stock price. Irrespective, robust cybersecurity measures are a common way to reduce cyber related risk, in turn providing some protection to organizational reputation and financial health (avoidance of costly legal fees, loss of revenue, etc).
Example
An organization goes through the pain of implementing native, end-to-end encryption (E2EE), at a database level. This protects customer data both while at-rest and in transit. This added layer of protection raises the work factor for any nefarious entity targeting the organization that has custodial responsibilities over the relevant data sets. This move stands to increase confidence in the organization, amongst other benefits, by reducing risk of data leakage and/or exposure.
Asset protection
Cybersecurity controls and protective mechanisms can protect an organization’s assets. The definition of asset is subjective to a given organization, but generally covers data (customer data, PII, intellectual property, etc), people, technology equipment, etc. By protecting assets, and preventing data breaches, a business can maintain a level of integrity related to their assets. Moreover, the organization can avoid potential financial and reputational damage. Once an organization does not have to worry about that potential damage it can operate in a safe, and focused, fashion.
Example
A data discovery exercise reveals that specific columns in a database store personally identifying information. This data is stored in the clear. Cybersecurity works with the respective engineering teams to implement native column level encryption and then appropriately modify all the relevant touch-points (apps, APIs, etc). This strong protective mechanism provides asset protection of sensitive data from nefarious entities. This protection in turn builds trust with customers and partners, enabling the business to grow.
Adherence to regulations
I will never confuse compliance with security. However, there is business value in being compliant with regulations, when appropriate. A number of industries have regulations regarding data privacy and security. These are sometimes encountered in the form of HIPAA, GDPR, & CCCPA. One way cybersecurity can add value to, or enable, a business is by ensuring adherence with the appropriate regulations. A company that can comply with regulations will have a good chance of avoiding fines, penalties and legal issues. This section should be self-explanatory and needs not an example.
Differentiation
Many organizations have been through the unfortunate circumstances that come with some sort of negative security event. The fact that they have is an indicator of some gap, or deficiency, in their security posture. Contrarily, some organizations are not often heard of within the context of negative security events. All organizations have security gaps but these have probably invested more resources in differentiating themselves from the others. Particularly, it is cybersecurity that can provide this competitive advantage to an organization or company. By implementing strong protective measures, an entity can demonstrate to customers, and partners, that they take security seriously. This in turn makes them a more appealing business partner.
Example
An organization engages in honest, objective, and continuous assessments and penetration tests against their customer facing environments. Those reports, untouched by the organization, are then published for the world to consume. This type of transparency shows goodwill and confidence on the part of the organization. Moreover, it differentiates them from the competition if they haven’t been as forthcoming and transparent.
Customer / partner confidence
Customers, and partners, are becoming more aware of cyber risks. These risks are becoming part of normal life. As such, potential partners and customers now prioritize cybersecurity when considering engaging in business. By implementing effective cybersecurity measures, a company can improve the confidence these potential customers and partners have in it. The goal is to use that as a solid basis for business relationships. Over time this will also lead to increased loyalty and trust. Modern day customers, and partners, will trust a company that takes cybersecurity seriously and is committed to protecting their personal data.
Example
A data discovery exercise exposes many years of technical debt by way of dangling backup files. These files are mostly un-encrypted since file encryption wasn’t a big thing a decade ago. Inside of the backup files there is personal data from databases. There is obvious risk here. Moreover, there is needless spending for the necessary storage. The intelligence gathered from discovery leads to engagements with relevant engineering teams to clean this up. Sharing this discovery, and subsequent action, with relevant parties demonstrates a commitment to data protection. This protects the organization from potential/needless data exposure and builds trust with customers and partners, enabling growth.
Enabling innovation
As companies continue to move forward in competitive fashion, innovation is a differentiator. Safe innovation makes cybersecurity involvement even more critical than under normal circumstances. Sound cybersecurity mechanisms can enable a company to innovate with confidence. This could consist of adopting new technologies, such as cloud computing, Internet of Things (IoT), and generative artificial intelligence. By implementing cybersecurity measures that align with business strategies, a company can improve their agility, level of innovation, and competitiveness.
Example
An IoT manufacturing company is building sensors. Those sensors will automatically send telemetry data to a cloud based ecosystem for storage and eventual analytics. The cybersecurity team works with software developers to make sure that data gets transmitted in the safest possible manner, a combination of orthogonal encryption covering both transmission streams and payloads. Given that, self contained executables can be compiled natively for multiple platforms. That protected mode of transmission becomes portable. The hardware design team can then shift gears and change embedded platforms as needed while not worrying about the data transport mechanism. This improves research & development, production efficiency, agility, reduces cost, and enables the business to scale.
Conclusion
In conclusion, cybersecurity is no longer a technology practice, nor is it just a set of defensive measures. It has become a legitimate business enabler that, when done right, can bring significant benefits to a company. From reducing enterprise risk to protecting corporate assets and ensuring adherence to regulations; from creating differentiators to improving customer/partner confidence; from enabling innovation to enhancing competitive advantage, strong cybersecurity measures can help a company thrive in today’s digital age. Hence, cybersecurity empowers businesses to soar, this is how.