Less than a quarter of all Finnish organizations currently enjoy the benefits of modern cybersecurity management, and roughly fifty percent are still making decisions about cybersecurity at the end of their projects.
The role of cybersecurity partners and advisors in society
The yes/no days of the information security manager are, in many ways, over. Gone are the days when business managers sought permission from information security managers, who – in their omniscience – would then grant or deny it. Modern cybersecurity managers and departments are naturally still responsible for monitoring cybersecurity. Still, the overall responsibility for the cybersecurity of digital operations lies with the owner of the business process or system. That is, in exactly the same way a factory manager cannot outsource occupational safety to an occupational safety manager.
The strategic importance of cybersecurity has also been highlighted amid uncertainty. Organizations that keep our society functioning need a partner they can trust. The part played by the information security team has also shifted towards a more advisory role: what risks are involved in various alternatives, and how will the organization’s partner support risk management? Organizations need information about the current situation. They need to know about changes in the organization’s risk position and what kind of stimuli are in the air. At best, as in the case of the Finnish Social Insurance Institution (Kela), the cybersecurity department’s goal is to be a service department that supports business development.
Modern cybersecurity managers live in a world in which risk management is changing. There is no longer a need to build perfectly safe environments. No one can afford to prevent all risks – and it is no longer even possible. Instead, risk management focuses on the impact that risks would have on business. When starting a new system project, it’s a good idea to analyze all the threats and risks associated with the system in a very early phase. Yet it’s not worthwhile trying to shore up against every single threat – you should instead pour your efforts into those that will have the greatest impact on business continuity.
Cybersecurity is a common issue that should be tackled early on
One major challenge that is often faced in modern cybersecurity management is the fact that business functions would be more than happy to entrust cybersecurity to someone else. Everyone understands that, when it comes to the digital world, trust is capital that forms the value of digital systems and services. Few people deny the importance of cybersecurity. However, when business managers drag their system projects forward by the scruff of the neck under schedule and budget pressures, and 170 other things, cybersecurity is often perceived as a complex and awkward process that slows everything down.
Yet cybersecurity is a design factor that should be handled early on – perhaps even first. Assessing threats and risks at a project’s start is cheaper than gluing cybersecurity on at the end as a necessary evil. The cost of repairing something broken can be ten or even a hundred times more expensive than making a good initial investment. Modern cybersecurity management involves budgeting for cybersecurity in everything we do.
Doing it at the end would most likely delay the project. Too expensive and too late? What should business decision-makers do? Will they just go into production thinking that risks have to be taken? At this point, the security manager may try to thwart these attempts, but will the costs become too high for the business manager? Surely no one wants to end up in this situation. Yet unfortunately, this often happens unless cybersecurity is raised throughout development in the same way as, for example, usability design.
Cybersecurity facilitates progress
It is no longer sensible – or even possible – to treat information security, privacy protection, and business continuity as separate entities. Working on them individually as mandatory controls would put an undue burden on development projects.
Efficient and effective cybersecurity requires all three to be bundled together. The goal is to enable the process owner or business manager to make decisions on all three at the same stage, typically considering models and ISO standards. International regulatory requirements are also fueling this trend. Although meeting standards is not always the goal, we want to tell stakeholders that information security and privacy protection systems are in place and are based on ISO/IEC standards.
Modern cybersecurity management enables effective cybersecurity that provides a competitive edge by lowering the threshold for others’ involvement and raising its own bar in a comprehensive and consultative role. One key measure of success is how easy it is to take cybersecurity into account in projects.
Valuable benchmark data on developments in European cybersecurity
Take part in Nixu’s cybersecurity survey by October 19th. By participating in the survey, you will obtain valuable comparative data about the state of cybersecurity in European organizations. You can also win a half-day workshop with a Nixu cybersecurity expert on a topic of your choice.