
Cybersecurity is a strategic issue

Hydrocarbon Engineering,

According to Bain & Company, cybersecurity has never been more essential, for four main reasons:

  • Companies have more digital assets than they did 10 years ago, and these assets are worth more than they were before. These include client information, proprietary assets, including source code for products, automated business processes, sensitive communications with suppliers and partners and other data. The security around these assets can vary greatly depending on the perceived (as opposed to actual) financial and strategic value to the business, as well as the effectiveness of the security technologies and processes in place.
  • Organisations are shifting to hybrid cloud architecture as they continue to adopt software, security and other solutions as services. Historically, digital assets were protected within the company’s data centre, where it was easier to guard the perimeter and manage user access, authorisation and authentication from known locations and devices. Today, corporate and customer data resides in the organisation’s own data centres as well as public and private clouds. While hybrid cloud architectures offer significant economic benefits, their adoption requires a more sophisticated approach to cybersecurity, according to Bain & Company.
  • The pervasive use of mobile devices by staff and executives. Corporate IT now has to manage the security of many more platforms and devices, some owned by the company and others that belong to employees who use them under a bring-your-own-device (BYOD) plan. To manage cybersecurity effectively, organisations will need to provide ubiquitous security across many devices and comprehensively manage user identity and access to sensitive corporate data.
  • Compliance remains the most important cybersecurity driver, especially for companies in regulated industries or with contractual obligations. In a recent Bain survey, more than 75% of CIOs identified compliance requirements as the main determinant of investment in IT security. Another recent survey of IT staff by ISACA found that, outside of compliance obligations, IT has insufficient resources and limited business engagement for effective risk management. These findings highlight the operational approach to cybersecurity taken by many organisations. Bain & Company argues that compliance should define the lower bound for security capabilities while the upper bound should aspire to meet the organisation’s strategic priorities, including IP protection, continuous operations and a secure corporate reputation.

Bain & Company suggests that leading organisations take a more strategic rather than an operational approach to security to respond to the new challenges. The key to successfully implementing this approach is to:

Understand the organisation’s key assets

Align business and IT leaders on the prioritisation of digital assets based on value and risk to the organisation to ensure the proper design of technology, processes and supporting resources. For example, customer data, point of sale and order management systems are a higher priority while marketing and promotion systems may be lower.

Identify the security risks and gaps

Assess current security capabilities and determine the likelihood of experiencing known and emerging risks. Business and IT leaders should then align on the gaps and the estimated mitigation costs.

Define the cybersecurity strategy

IT should create comprehensive technology, process and organisation designs and blueprints based on a thorough understanding of the organisation’s security priorities and gaps, with strategic and operational elements that protect digital assets.

Emphasise gaps, priorities and strategy to the CEO and board

Leadership should know the security-related risks and gaps they face, so they can understand the importance of the investments required.

Engage recognised security specialists

As the threat landscape expands and attacks become more sophisticated, organisations should work closely with firms that can provide ongoing services to diagnose, redesign and monitor their cybersecurity.

Adapted from a report by Emma McAleavey.
