Cyber Resilience is a Strategic Business Choice

When we consider business today, it is impossible to avoid considering the many risks to that business that need to be managed: both current and future risks that may reduce business profit or completely remove business value.

The hottest topic on the board agenda over the past few years has been that of Cyber Risk. Frequent headlines featuring unfortunate business disasters that resulted from a failure to recognize the real cyber threats until after a major event only serve to turn up the heat.

Cyber threats are technically and technologically challenging to recognize and to address. As with all complex problems, businesses tend to address these through the development and implementation of business-supporting strategies. Today, it has become common for a business to have a cybersecurity strategy. Cyber Resilience is considered to be a much-needed but achievable objective. Now would in fact be a great time to review your own business cybersecurity strategy!

But a cybersecurity strategy that recognizes cyber threats and vulnerabilities alone is not enough! A cybersecurity strategy can only be built on the framework of an IT strategy, and as the past has also taught us, that IT strategy must be aligned with the achievement and support of the objectives that the business needs to prosper.

Most IT strategies already include a level of IT security. The primary objective of an IT strategy, though, is to deliver and maintain the resilient, available, and affordable business system architectures required by the business, and to effectively handle accidental and environmental threats to business operations.

Hint: An IT strategy should not be seen just as a firewall upgrade and laptop replacement plan!

A business-aligned IT strategy will include:

  • Clearly prioritized objectives: business-objective-aligned services; monitoring, management and reporting; technology, processes and service availability and their recovery requirements; processing capacities and growth curves; new service development support; old service retirement; and of course a roadmap for the delivery and maintenance of all of the above.
  • A comprehensive risk assessment: What are the threats to the delivery and maintenance of effective, available, and reliable IT systems? What needs to be included in designs, systems, and processes to minimize interruptions to business? What appetite does the business have to pay for lost business, and recovery from service outages and system failures? [Risk Appetite]
  • Identification and allocation of resources: What tools, technologies, skills, and other resources will be required to deliver and maintain the IT systems that the business requires? How automated do these need to be? Where will these resources, particularly skills and process delivery, be sourced and funded? Are we at a stage where we can deploy AI-based models to assist with the basics? Where does ownership and allocation of these resources reside, and are they appropriately managed to deliver risk-governed IT and business systems?

You will observe that the details used to scope all of these strategic IT areas are exactly those required for a cybersecurity strategy that addresses the adversarial threats to this same business. If you are looking to develop a cybersecurity strategy without an IT strategy, you need to develop almost all of the above before you can competently address the cyber risks to your specific business.

The key point I’d like you to take away from this article is to remember that the objective of an IT strategy is the delivery of IT and business systems that sustainably generate profit and shareholder value. This objective alone pretty much occupies all the available bandwidth of the IT and business departments that support the business. Assuming that cyber risk has even been considered is not a logical default perspective.

Just keeping Business as Usual (BAU) up, running, and ready for the next product launch is a full-time activity. Up to 80% of unplanned IT outages result from configuration or change errors, outages that can take businesses offline for minutes or days at a time.

Defining and implementing a resilient, business-enabling cybersecurity strategy that can both identify the relevant cyber threats to business success and manage and recover from incidents without harm to the business requires that it be built around a business-aligned IT strategy. If your cybersecurity strategy was not built around protecting your business and IT objectives, you may find that you are playing a very expensive and unwinnable game of IT security Whack-A-Mole!

Without a defined IT strategy an organization will almost certainly lack the direction, resources, and motivation to effectively address its information technology and business process needs. A lack of strategy inevitably defaults to a reactive response model, where items are only fixed as they break. Cyber Resilience can never be achieved if IT resilience is missing.

In a business world where change is measured in months, every system that enables the business needs to be able to evolve and adapt in proportion to that rate of change. Annual review is often referenced, as are three-year and five-year plans. But in an exponentially changing business and technical environment, adversarially challenged by an equally exponentially evolving cyber threat environment, such time slices only favor the competition.

Any business, IT, or cyber strategy today needs to build in the ability for the business to evolve, so that it is no longer locked into massive multi-year projects but can adapt and incrementally adjust its progress based on automatically acquired metrics and measurements that support immediate decisions.

Our business world no longer operates at manual reporting speeds. Strategic decisions require access to dynamic and reliable tactical data, with enough intelligence to derive and infer trends and changing threat environments.

Simply put, the lack of a business-approved dynamic IT strategy may be your most expensive vulnerability.
